Attack Multiple Targets with Hydra

Introduction

In this lab, you will learn how to attack multiple targets simultaneously using Hydra. The lab focuses on utilizing Hydra's capabilities to perform password cracking attempts against a list of target hosts.

The lab guides you through creating a target list file containing IP addresses or hostnames, loading this file into Hydra using the -M option, running a parallel SSH attack against the targets, and finally, checking the output to identify successful logins across multiple hosts. This hands-on experience will provide you with practical skills in using Hydra for penetration testing and security auditing scenarios.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL hydra(("Hydra")) -.-> hydra/HydraGroup(["Hydra"]) hydra/HydraGroup -.-> hydra/target_ip("Target IP Specification") hydra/HydraGroup -.-> hydra/target_service("Target Service Selection") hydra/HydraGroup -.-> hydra/ssh_attack("SSH Brute Force") hydra/HydraGroup -.-> hydra/task_limit("Task Limit Configuration") hydra/HydraGroup -.-> hydra/multiple_targets("Multiple Targets Attack") hydra/HydraGroup -.-> hydra/success_detection("Login Success Detection") subgraph Lab Skills hydra/target_ip -.-> lab-550760{{"Attack Multiple Targets with Hydra"}} hydra/target_service -.-> lab-550760{{"Attack Multiple Targets with Hydra"}} hydra/ssh_attack -.-> lab-550760{{"Attack Multiple Targets with Hydra"}} hydra/task_limit -.-> lab-550760{{"Attack Multiple Targets with Hydra"}} hydra/multiple_targets -.-> lab-550760{{"Attack Multiple Targets with Hydra"}} hydra/success_detection -.-> lab-550760{{"Attack Multiple Targets with Hydra"}} end

Create a Target List File

In this step, you will create a target list file. This file will contain a list of IP addresses or hostnames that Hydra will attempt to connect to and crack passwords for. This is a crucial step in any penetration testing or security auditing scenario.

First, let's understand what a target list file is. It's simply a text file where each line represents a target host. A target host can be an IP address (e.g., 192.168.1.100) or a hostname (e.g., example.com).

Now, let's create the target list file. We'll use the nano text editor, which is already installed in your LabEx VM.

Open the nano editor:
```
nano ~/project/targets.txt
```
This command opens a new file named targets.txt in the ~/project directory. If the file doesn't exist, nano will create it.
Add the following IP addresses to the targets.txt file. Each IP address should be on a new line:
```
192.168.1.100
192.168.1.101
192.168.1.102
```
Feel free to use any IP addresses you want. These are just examples. In a real-world scenario, you would replace these with the actual IP addresses of the systems you are authorized to test.
Save the file and exit nano. To do this, press Ctrl+X, then Y to confirm saving, and finally Enter to accept the filename.
Verify that the file has been created and contains the correct content. You can use the cat command to display the contents of the file:
```
cat ~/project/targets.txt
```
You should see the list of IP addresses you entered.
```
192.168.1.100
192.168.1.101
192.168.1.102
```

You have now successfully created a target list file named targets.txt in your ~/project directory. This file will be used in the next step to load the targets into Hydra.

Load Targets with -M Option

In this step, you will learn how to load the target list file you created in the previous step into Hydra using the -M option. The -M option tells Hydra to read the list of target hosts from a file. This is particularly useful when you have a large number of targets to test.

Before we proceed, let's briefly discuss the syntax of the Hydra command with the -M option. The basic syntax is:

hydra -M <target_file> <service> <options>

Where:

<target_file> is the path to the file containing the list of target hosts.
<service> is the service you want to attack (e.g., ssh, ftp, http).
<options> are any other options you want to use, such as username, password list, etc.

Now, let's construct a basic Hydra command to load the targets from the targets.txt file we created earlier. For this example, we'll use the ssh service. We'll also specify a username and a password list (we'll create a dummy password list for demonstration purposes).

Create a dummy password list file:
```
echo "password" > ~/project/passwords.txt
```
This command creates a file named passwords.txt in the ~/project directory and adds the word "password" to it. In a real-world scenario, you would use a more comprehensive password list.
Now, execute the Hydra command to load the targets from the targets.txt file and attempt to crack the SSH password for the user root using the passwords.txt file:
```
hydra -L ~/project/users.txt -P ~/project/passwords.txt -M ~/project/targets.txt ssh
```
Note: This command will likely fail because you probably don't have SSH servers running on the IP addresses in your targets.txt file, and even if you did, you likely wouldn't have the correct credentials. This step is primarily for demonstrating how to load targets from a file.

To avoid errors, let's create a users.txt file with a username that is likely to exist on most systems.
```
echo "root" > ~/project/users.txt
```
Now, re-run the Hydra command:
```
hydra -L ~/project/users.txt -P ~/project/passwords.txt -M ~/project/targets.txt ssh
```
You will likely see errors related to connection refused or incorrect credentials. This is expected. The important thing is that Hydra is attempting to connect to the targets listed in the targets.txt file.

The output will show Hydra attempting to connect to each IP address in your targets.txt file. It will try the username "root" and the password "password" against each target. Since these are likely incorrect, the attempts will fail.

In this step, you have successfully learned how to load targets from a file using the -M option in Hydra. This is a fundamental skill for performing large-scale password cracking attacks.

Run Parallel SSH Attack

In this step, you will learn how to run a parallel SSH attack using Hydra. Running attacks in parallel significantly speeds up the cracking process, especially when dealing with multiple targets. Hydra allows you to specify the number of parallel tasks to run using the -t option.

The -t option controls the number of parallel connections Hydra will make. A higher number of threads can speed up the attack, but it can also put more strain on the target systems and your own system. It's important to find a balance that works for your specific situation.

Let's modify the previous Hydra command to run the SSH attack with a specified number of threads.

Execute the following Hydra command to run the SSH attack with 4 threads:
```
hydra -L ~/project/users.txt -P ~/project/passwords.txt -t 4 -M ~/project/targets.txt ssh
```
In this command, the -t 4 option tells Hydra to use 4 parallel threads. This means that Hydra will attempt to connect to 4 different targets simultaneously.

Again, you will likely see errors related to connection refused or incorrect credentials. This is expected. The purpose of this step is to demonstrate how to use the -t option to run attacks in parallel.

The output will show Hydra attempting to connect to the IP addresses in your targets.txt file, but now it will be doing so with 4 concurrent connections.
Experiment with different values for the -t option. Try increasing the number of threads to see how it affects the speed of the attack. Be mindful of the resources on your system and the target systems. A good starting point is to double the number of threads:
```
hydra -L ~/project/users.txt -P ~/project/passwords.txt -t 8 -M ~/project/targets.txt ssh
```
Observe the output and note any changes in performance.

Important Considerations:

Resource Usage: Increasing the number of threads increases the CPU and network usage on your system. Monitor your system's resources to ensure that you are not overloading it.
Target System Load: Running too many threads can overwhelm the target systems, potentially causing them to crash or become unresponsive. Be respectful of the target systems and avoid using excessive threads.
Detection: Running attacks with a high number of threads can make you more easily detectable by intrusion detection systems (IDS).

In this step, you have successfully learned how to run parallel SSH attacks using Hydra with the -t option. This is a crucial technique for speeding up password cracking attacks.

Check Output for Multiple Hosts

In this step, you will learn how to interpret the output from Hydra when attacking multiple hosts. Hydra's output provides valuable information about the success or failure of the attack attempts.

When Hydra successfully cracks a password, it will display the credentials in the following format:

[<service>] host: <host>  login: <username>   password: <password>

For example:

[ssh] 192.168.1.100:22 login: root   password: password

This indicates that Hydra successfully cracked the SSH password for the user root on the host 192.168.1.100, and the password is password.

When Hydra fails to crack a password, it will typically display an error message such as "Login failed" or "Invalid credentials".

Let's analyze the output from the previous steps.

Re-run the Hydra command from the previous step:

hydra -L ~/project/users.txt -P ~/project/passwords.txt -t 4 -M ~/project/targets.txt ssh

Examine the output. You will likely see a series of "Login failed" or "Invalid credentials" messages for each target host. This is because the username and password you are using are likely incorrect.

The output might look something like this:

Hydra v9.6 (c) 2024 by van Hauser/THC - use freely but only for legal purposes.
Hydra starting at 2024-10-27 10:00:00
[DATA] 1 task, 3 servers, 1 userfiles, 1 passfiles -> max 1 task per 1 server, overall 1 task per attack
[DATA] attacking ssh://192.168.1.100:22
[STATUS][ssh] 192.168.1.100:22 - Login failed for user 'root'
[DATA] attacking ssh://192.168.1.101:22
[STATUS][ssh] 192.168.1.101:22 - Login failed for user 'root'
[DATA] attacking ssh://192.168.1.102:22
[STATUS][ssh] 192.168.1.102:22 - Login failed for user 'root'
Hydra finished.

If Hydra were to successfully crack a password, you would see a line similar to the example shown above, indicating the successful credentials.

To better illustrate a successful login, let's create a scenario where Hydra is more likely to succeed. This requires a vulnerable SSH server. Since we don't have one readily available, we'll modify the targets.txt file to point to localhost and attempt to log in as the current user. This will still likely fail, but it's the closest we can get to a "successful" scenario without a dedicated vulnerable target.

First, add 127.0.0.1 to your targets.txt file:
```
echo "127.0.0.1" >> ~/project/targets.txt
```
Now, try to crack the SSH password for the current user (labex) on localhost. You'll need to know the password for the labex user. If you haven't set one, you can try leaving the password list empty, which will attempt a null password.
```
hydra -l labex -P ~/project/passwords.txt -t 4 -M ~/project/targets.txt ssh
```
Note: This will likely still fail unless you have a very simple password for the labex user or have allowed passwordless SSH login.

Even if the attack fails, the key takeaway is understanding how to interpret Hydra's output. Look for the lines that indicate successful logins, and pay attention to the error messages to understand why attacks are failing.

In this step, you have learned how to check the output from Hydra when attacking multiple hosts and how to interpret the results. This is a crucial skill for understanding the success or failure of your password cracking attempts.

Summary

In this lab, you learned how to create a target list file containing IP addresses or hostnames, which is essential for penetration testing and security auditing. You used the nano text editor to create a targets.txt file in the ~/project directory, adding multiple target IP addresses, each on a new line. The cat command was then used to verify the file's contents.

The lab also covered how to load the created target list file into Hydra using the -M option. This allows Hydra to efficiently target multiple hosts simultaneously, streamlining the password cracking process.