LabEx
Log InJoin Free

Attack with Colon-Separated Credentials

HydraBeginner
Practice Now

Introduction

In this lab, you will learn how to perform a credential-based attack using Hydra. The lab focuses on utilizing a colon-separated credentials file containing username/password combinations to crack the login credentials of a target service.

You will begin by creating a credentials.txt file with username:password pairs, using a text editor like nano. Then, you'll learn how to load this file into Hydra using the -C option, enabling Hydra to efficiently attempt multiple login combinations against the target. Finally, you'll verify that the output matches the credentials used in the attack.

Create a login:pass Credentials File

In this step, you will create a file containing usernames and passwords, one combination per line, separated by a colon. This file will be used later with Hydra to attempt to crack the login credentials of a target service.

First, let's understand the format required for the credentials file. Each line should contain a username, a colon (:), and the corresponding password. For example:

username1:password1
username2:password2

Now, let's create the file. We'll use the nano text editor, which is simple and easy to use. Open your terminal and navigate to the ~/project directory if you are not already there:

cd ~/project

  1. Open a new file named credentials.txt in the ~/project directory using nano:

    nano credentials.txt

  2. In the nano editor, add the following username/password combinations. These are the credentials Hydra will attempt to use.

    admin:password
user1:123456
test:test
root:toor

  3. To save the file, press Ctrl+O (Write Out). Nano will prompt you for the filename. Just press Enter to accept the default filename (credentials.txt).

  4. To exit nano, press Ctrl+X.

Now, let's verify that the file has been created and contains the correct content. Use the cat command to display the contents of the credentials.txt file:

cat credentials.txt

You should see the username/password combinations you entered earlier:

admin:password
user1:123456
test:test
root:toor

You have now successfully created a credentials file that can be used with Hydra. This file contains a list of potential usernames and passwords that Hydra will try against the target service.

Set Up a Basic HTTP Server with Authentication

In this step, you will set up a simple HTTP server that requires basic authentication. This server will serve as our target for the Hydra attack in the next step. We will use a Python script for this.

First, ensure you are in the ~/project directory:

cd ~/project

Now, create a new Python file named webserver.py using nano:

nano webserver.py

Paste the following Python code into the editor:

import http.server
import socketserver
import base64

PORT = 8000

class AuthHandler(http.server.SimpleHTTPRequestHandler):
    def do_HEAD(self):
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()

    def do_AUTHHEAD(self):
        self.send_response(401)
        self.send_header('WWW-Authenticate', 'Basic realm="My Realm"')
        self.send_header('Content-type', 'text/html')
        self.end_headers()

    def do_GET(self):
        auth = self.headers.get('Authorization')
        if auth == None:
            self.do_AUTHHEAD()
            self.wfile.write(b"Authentication Required")
        elif auth == 'Basic YWRtaW46cGFzc3dvcmQ=': ## admin:password base64 encoded
            http.server.SimpleHTTPRequestHandler.do_GET(self)
        else:
            self.do_AUTHHEAD()
            self.wfile.write(b"Authentication Failed")

Handler = AuthHandler

with socketserver.TCPServer(("", PORT), Handler) as httpd:
    print("serving at port", PORT)
    httpd.serve_forever()

This script creates a basic HTTP server on port 8000. It requires basic authentication. The correct username is admin and the password is password. The base64 encoded string YWRtaW46cGFzc3dvcmQ= represents admin:password.

Save the file (Ctrl+O, then Enter) and exit nano (Ctrl+X).

Now, run the Python script to start the HTTP server. We will run it in the background so you can continue using the terminal:

nohup python3 webserver.py > /dev/null 2>&1 &

The nohup command allows the process to continue running even if you close the terminal. > /dev/null 2>&1 redirects standard output and standard error to /dev/null, preventing the server's output from cluttering your terminal. The & at the end runs the command in the background.

To confirm the server is running, you can check if a process is listening on port 8000:

ss -ltn | grep ':8000'

You should see output similar to this, indicating a process is listening on port 8000:

LISTEN 0      4096   0.0.0.0:8000      0.0.0.0:*

Keep this server running for the next step.

Attack HTTP with Credentials File using Hydra

In this step, you will use Hydra to attack the HTTP service you set up in the previous step. You will use the -C option to load the credentials file you created in Step 1, allowing Hydra to efficiently attempt multiple username/password combinations.

Ensure you are in the ~/project directory:

cd ~/project

Now, execute the following Hydra command to attack the HTTP server running on 127.0.0.1 on port 8000:

hydra -C credentials.txt 127.0.0.1 http-get / -s 8000 -vV

Let's break down this command:

  • hydra: The command to run the Hydra tool.
  • -C credentials.txt: This option specifies the path to the credentials file you created. Hydra will read username/password combinations from this file.
  • 127.0.0.1: The target IP address. This is the loopback address, referring to your local machine.
  • http-get /: Specifies the service to attack (HTTP) and the path to request (/). http-get is a module that performs HTTP GET requests.
  • -s 8000: Specifies the port number of the target service. Our HTTP server is running on port 8000.
  • -vV: Enables verbose mode, which displays the login attempts and any found credentials.

Hydra will now attempt to brute-force the HTTP server using the username/password combinations from the credentials.txt file. It will try each combination against the target service.

You should see output from Hydra indicating that it is trying different username/password combinations. If Hydra successfully finds the correct credentials (admin:password), it will display them in the output.

Example Output (Successful Attack):

Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at ...
[DATA] max 16 tasks per 1 server, overall 16 tasks, 4 login tries (l:4/p:1), ~1 try per task
[DATA] attacking http-gets://127.0.0.1:8000/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "password" - 1 of 4 [child 0] (0/0)
[ATTEMPT] target 127.0.0.1 - login "user1" - pass "123456" - 2 of 4 [child 1] (0/0)
[ATTEMPT] target 127.0.0.1 - login "test" - pass "test" - 3 of 4 [child 2] (0/0)
[ATTEMPT] target 127.0.0.1 - login "root" - pass "toor" - 4 of 4 [child 3] (0/0)
[8000][http-get] host: 127.0.0.1   login: admin   password: password
[STATUS] attack finished for 127.0.0.1 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at ...

If the attack is successful, Hydra will print the correct username and password.

Confirm Found Credentials

In this step, you will confirm that the credentials Hydra found during the attack in the previous step match the expected credentials in the credentials.txt file and the webserver.py script. This verifies that Hydra correctly identified the valid login combination.

In the previous step, Hydra's output should have shown the following line (or similar):

[8000][http-get] host: 127.0.0.1   login: admin   password: password

This line indicates that Hydra successfully found the username admin and the password password for the target service.

Now, let's verify that these credentials are indeed present in the files we created.

  1. Verify credentials in credentials.txt:

    Use the cat command to display the contents of the credentials.txt file:

    cat credentials.txt

    Confirm that the file contains the line admin:password. This is one of the combinations Hydra attempted.

  2. Verify credentials in webserver.py:

    Use the cat command to display the contents of the webserver.py file:

    cat webserver.py

    Look for the line that checks for the base64 encoded authentication header. You should find a line similar to this:

    elif auth == 'Basic YWRtaW46cGFzc3dvcmQ=': ## admin:password base64 encoded

    The string YWRtaW46cGFzc3dvcmQ= is the base64 encoding of admin:password. This confirms that the server is configured to accept admin as the username and password as the password.

By verifying that the credentials found by Hydra match the credentials configured in the server script and present in your credentials file, you confirm the success of the brute-force attack using the -C option.

Finally, let's stop the background HTTP server process. You can find the process ID (PID) using the ss command again:

ss -ltn | grep ':8000'

The output will show the PID in the second column. For example:

LISTEN 0      4096   0.0.0.0:8000      0.0.0.0:*    users:(("python3",pid=12345,fd=3))

In this example, the PID is 12345. Use the kill command to stop the process, replacing [PID] with the actual PID you found:

kill [PID]

For example, if the PID was 12345:

kill 12345

You can verify the server has stopped by running ss -ltn | grep ':8000' again. There should be no output.

Summary

In this lab, you learned how to create a credentials file named credentials.txt containing username and password combinations separated by colons, with each combination on a new line. This file is stored in the ~/project directory and prepared for use with Hydra.

You also learned how to set up a basic HTTP server with authentication using a Python script, which served as the target for the attack.

Finally, you successfully used Hydra with the -C option to load the credentials file and perform a brute-force attack against the HTTP server, demonstrating how to efficiently test multiple login combinations. You confirmed the found credentials matched the expected values, verifying the success of the attack.

Related Hydra Courses
Hydra for Beginners

Hydra for Beginners

cybersecurityhydrakali
Hydra Cybersecurity Attack Labs

Hydra Cybersecurity Attack Labs

cybersecurityhydrakali