Loop Passwords in Hydra Attacks

Introduction

In this lab, we will explore how Hydra iterates through usernames and passwords during an SSH attack. We will create username and password lists, then run a default SSH attack to observe Hydra's default behavior.

The lab involves preparing usernames.txt and passwords.txt files containing lists of usernames and passwords, respectively. We will then execute a basic Hydra SSH attack using these lists to demonstrate how Hydra attempts different combinations. Finally, we will explore the impact of the -u option on the order in which Hydra attempts username and password combinations.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL hydra(("Hydra")) -.-> hydra/HydraGroup(["Hydra"]) hydra/HydraGroup -.-> hydra/password_creation("Password List Creation") hydra/HydraGroup -.-> hydra/username_creation("Username List Creation") hydra/HydraGroup -.-> hydra/single_username("Single Username Attack") hydra/HydraGroup -.-> hydra/single_password("Single Password Attack") hydra/HydraGroup -.-> hydra/target_ip("Target IP Specification") hydra/HydraGroup -.-> hydra/target_service("Target Service Selection") hydra/HydraGroup -.-> hydra/ssh_attack("SSH Brute Force") subgraph Lab Skills hydra/password_creation -.-> lab-550771{{"Loop Passwords in Hydra Attacks"}} hydra/username_creation -.-> lab-550771{{"Loop Passwords in Hydra Attacks"}} hydra/single_username -.-> lab-550771{{"Loop Passwords in Hydra Attacks"}} hydra/single_password -.-> lab-550771{{"Loop Passwords in Hydra Attacks"}} hydra/target_ip -.-> lab-550771{{"Loop Passwords in Hydra Attacks"}} hydra/target_service -.-> lab-550771{{"Loop Passwords in Hydra Attacks"}} hydra/ssh_attack -.-> lab-550771{{"Loop Passwords in Hydra Attacks"}} end

Prepare Username and Password Lists

In this step, we will create two essential files: a username list and a password list. These lists will be used by Hydra to attempt SSH logins. Creating these lists allows us to systematically test various username and password combinations against our target.

First, let's create the username list. We'll use the nano text editor to create a file named usernames.txt in the ~/project directory.

nano ~/project/usernames.txt

Now, add the following usernames to the file. These are just examples; you can customize them as needed.

root
admin
test
user
ubuntu

Press Ctrl+O to save the file, then press Enter to confirm the filename, and finally press Ctrl+X to exit nano.

Next, we'll create the password list. Again, we'll use nano to create a file named passwords.txt in the ~/project directory.

nano ~/project/passwords.txt

Add the following passwords to the file. Remember, these are just examples.

password
123456
qwerty
secret
ubuntu

Press Ctrl+O to save the file, then press Enter to confirm the filename, and finally press Ctrl+X to exit nano.

To verify that the files have been created correctly, you can use the cat command to display their contents.

cat ~/project/usernames.txt

You should see the list of usernames you entered.

root
admin
test
user
ubuntu

Similarly, check the password list:

cat ~/project/passwords.txt

You should see the list of passwords you entered.

password
123456
qwerty
secret
ubuntu

These files, usernames.txt and passwords.txt, are now ready to be used with Hydra in the subsequent steps.

Run Default SSH Attack

In this step, we will execute a basic SSH attack using Hydra with the username and password lists we created in the previous step. This will demonstrate Hydra's default behavior of iterating through usernames and passwords.

Before running the attack, it's important to understand the basic syntax of the Hydra command:

hydra [options] <target> <service> [additional options]

hydra: The command to invoke the Hydra tool.
[options]: Various options to customize the attack, such as specifying username and password lists.
<target>: The IP address or hostname of the target SSH server. For this lab, we will use 127.0.0.1 (localhost) as the target. Note: In a real-world scenario, you would replace this with the actual IP address of the server you are testing. Attacking systems without authorization is illegal.
<service>: The service to attack (e.g., ssh, ftp, http). In our case, it's ssh.
[additional options]: Service-specific options.

Now, let's run the default SSH attack. We'll use the -L option to specify the username list and the -P option to specify the password list.

hydra -L ~/project/usernames.txt -P ~/project/passwords.txt 127.0.0.1 ssh

This command tells Hydra to:

-L ~/project/usernames.txt: Use the usernames.txt file in the ~/project directory as the list of usernames.
-P ~/project/passwords.txt: Use the passwords.txt file in the ~/project directory as the list of passwords.
127.0.0.1: Target the SSH service running on localhost.
ssh: Specify that we are attacking the SSH service.

Execute the command. Hydra will now attempt to log in to the SSH service on 127.0.0.1 using each username in usernames.txt and each password in passwords.txt. By default, Hydra iterates through the usernames first, trying each password for a single username before moving to the next username.

The output will show the attempts being made. It will likely show many "login failed" messages. If a successful login is found, it will display the username and password combination. Since we are using weak passwords and targeting localhost, it is possible a login will succeed.

Important: This command might take some time to complete, depending on the size of your username and password lists. Also, be aware that repeated failed login attempts can trigger security measures on the target system, such as account lockouts or IP address blocking.

Run with -u to Loop Passwords First

In this step, we will use the -u option with Hydra to change the order in which it attempts logins. By default, Hydra iterates through usernames first, trying all passwords for each username before moving on. The -u option reverses this behavior, causing Hydra to iterate through passwords first, trying each password for all usernames before moving on to the next password.

This can be useful in situations where you suspect that a common password is being used across multiple accounts.

To use the -u option, we simply add it to our Hydra command.

hydra -u -L ~/project/usernames.txt -P ~/project/passwords.txt 127.0.0.1 ssh

This command tells Hydra to:

-u: Loop passwords first.
-L ~/project/usernames.txt: Use the usernames.txt file in the ~/project directory as the list of usernames.
-P ~/project/passwords.txt: Use the passwords.txt file in the ~/project directory as the list of passwords.
127.0.0.1: Target the SSH service running on localhost.
ssh: Specify that we are attacking the SSH service.

Execute the command. Hydra will now attempt to log in to the SSH service on 127.0.0.1. This time, it will try the first password in passwords.txt against every username in usernames.txt before moving on to the next password.

Observe the output. You should notice that the order of attempts is different from the previous step. Hydra will now be trying the same password against multiple usernames in sequence.

As before, the output will show the attempts being made. It will likely show many "login failed" messages. If a successful login is found, it will display the username and password combination.

By comparing the output of this command with the output of the command in the previous step, you can see the difference in the order of login attempts. This can be helpful in understanding how Hydra works and in choosing the most effective attack strategy for a given situation.

Compare Attempt Order

In this step, we will analyze and compare the order of login attempts made by Hydra in the previous two steps. This will help us understand the impact of the -u option on the attack strategy.

To effectively compare the attempt order, we can use the script command to capture the output of both Hydra commands and then analyze the captured output.

First, let's capture the output of the default Hydra command (without the -u option) to a file named default_attack.log in the ~/project directory.

script -c "hydra -L ~/project/usernames.txt -P ~/project/passwords.txt 127.0.0.1 ssh" ~/project/default_attack.log

This command will start a new shell session using script, execute the Hydra command within that session, and save all the output to the specified log file. Type exit to end the script session after Hydra completes.

Next, let's capture the output of the Hydra command with the -u option to a file named u_attack.log in the ~/project directory.

script -c "hydra -u -L ~/project/usernames.txt -P ~/project/passwords.txt 127.0.0.1 ssh" ~/project/u_attack.log

Similarly, this command will capture the output of the Hydra command with the -u option to the u_attack.log file. Type exit to end the script session after Hydra completes.

Now that we have captured the output of both commands, we can use the head command to view the first few lines of each log file and compare the order of attempts.

head ~/project/default_attack.log

Examine the output. You should see the usernames being iterated through, with each password being tried for a single username before moving to the next username.

Next, view the first few lines of the u_attack.log file:

head ~/project/u_attack.log

Examine this output. You should see the passwords being iterated through, with each password being tried for all usernames before moving to the next password.

By comparing the two log files, you can clearly see the difference in the order of login attempts. The default attack strategy iterates through usernames, while the attack with the -u option iterates through passwords.

This comparison highlights the importance of understanding the different options available in Hydra and how they can be used to tailor the attack strategy to a specific situation.

Summary

In this lab, we began by preparing the necessary files for a Hydra SSH attack. Specifically, we created usernames.txt and passwords.txt in the ~/project directory using the nano text editor. These files contain lists of potential usernames and passwords that Hydra will use to attempt SSH logins. The cat command was then used to verify the contents of both files, ensuring they were created correctly and contained the intended lists.

The next step involved running a default SSH attack using Hydra with the created username and password lists. This demonstrated Hydra's default iteration behavior when attempting to crack SSH logins.