Use Additional Hydra Password Checks


Introduction

In this lab, we will explore the use of additional password checks in Hydra, a popular password cracking tool. The lab focuses on demonstrating how to set up a Telnet service on the LabEx VM and then use Hydra with the -e nsr option to perform password cracking attempts, leveraging null, username, and reversed username as potential passwords.

The lab involves installing and configuring the Telnet service, modifying the /etc/inetd.conf file to disable authentication for demonstration purposes, and then running Hydra with the -e nsr flag. Finally, we will review the output to observe successful checks and compare the results with the -e ns option, highlighting the effectiveness of incorporating additional password checks in password cracking attempts.



Set Up Telnet Service

In this step, we will set up the Telnet service on the LabEx VM. Telnet is a network protocol used to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. While Telnet is generally considered insecure due to its lack of encryption, it's useful for demonstration and testing purposes in a controlled environment like our LabEx VM.

First, we need to install the Telnet server. Since the LabEx VM uses a Docker container, we cannot use systemctl to manage services directly. Instead, we'll use a workaround to start the Telnet service within the container.

  1. Install the Telnet server:

    Open your terminal in the ~/project directory and execute the following command:

    sudo apt update
    sudo apt install -y telnetd

    This command updates the package list and installs the telnetd package, which provides the Telnet server functionality. You should see output indicating the installation process.

    ...
    Setting up openbsd-inetd (0.20180617-1) ...
    ...
    Processing triggers for systemd (247.3-7ubuntu3.9) ...
    Processing triggers for man-db (2.9.1-1) ...

  2. Configure Telnet to run without authentication (for demonstration purposes only; NEVER do this in a production environment):

    Edit the /etc/inetd.conf file to disable authentication. Use nano to edit the file:

    sudo nano /etc/inetd.conf

    Find the line that starts with telnet and comment it out by adding a # at the beginning of the line. Then, add a new line below it that disables authentication.

    #telnet  stream  tcp nowait telnetd /usr/sbin/tcpd  /usr/sbin/telnetd
    telnet  stream  tcp nowait telnetd /usr/sbin/in.telnetd -i

    Press Ctrl+S to save the changes and Ctrl+X to exit nano.

  3. Restart the inetd service:

    Since we can't use systemctl, we'll use the /etc/init.d script to restart the inetd service, which manages Telnet.

    sudo /etc/init.d/openbsd-inetd restart

    You should see output similar to this:

     * Restarting internet superserver inetd
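
Because this configuration leaves Telnet open, it is worth confirming what inetd is actually serving, both now and when cleaning up after the lab. The check below is an added example, not part of the original lab: audit_inetd_telnet is a hypothetical helper, and SAMPLE_INETD is constructed from the two lines shown in step 2.

```shell
#!/bin/sh
# Constructed sample: the two inetd.conf lines from step 2 of this lab.
SAMPLE_INETD='# /etc/inetd.conf (constructed sample)
#telnet  stream  tcp nowait telnetd /usr/sbin/tcpd  /usr/sbin/telnetd
telnet  stream  tcp nowait telnetd /usr/sbin/in.telnetd -i'

audit_inetd_telnet() {
  # Reads inetd.conf text on stdin and prints one line per ACTIVE telnet
  # entry: "<line number> wrapped|unwrapped <server> <args>".
  # "wrapped" means the server field is tcpd (TCP wrappers).
  # Exit status: 1 if an active telnet entry exists, 0 otherwise.
  awk '
    /^[ \t]*#/ || NF < 6 { next }   # skip comments and incomplete lines
    $1 == "telnet" {
      state = ($6 ~ /\/tcpd$/) ? "wrapped" : "unwrapped"
      args = ""
      for (i = 7; i <= NF; i++) args = args " " $i
      printf "%d %s %s%s\n", NR, state, $6, args
      found = 1
    }
    END { exit (found ? 1 : 0) }'
}

# Demo on the constructed sample; on the lab VM use: audit_inetd_telnet < /etc/inetd.conf
printf '%s\n' "$SAMPLE_INETD" | audit_inetd_telnet || echo "telnet is enabled in inetd"
```

After the lab, re-commenting the telnet line and restarting inetd should make the function print nothing and return 0.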

Run Hydra with -e nsr Checks

In this step, we will use Hydra to perform a brute-force attack against the Telnet service we set up in the previous step. We'll use the -e nsr option, which tells Hydra to try null passwords, the username as the password, and reversed usernames as passwords. This is a common technique for quickly identifying weak or default credentials.

  1. Run Hydra with the -e nsr option:

    Open your terminal in the ~/project directory and execute the following command:

    hydra -l labex -P /usr/share/wordlists/metasploit/unix_passwords.txt -vV -e nsr telnet://localhost

    Let's break down this command:

    • hydra: The command to run the Hydra tool.
    • -l labex: Specifies the username to try. We're using labex, the default user on the LabEx VM.
    • -P /usr/share/wordlists/metasploit/unix_passwords.txt: Specifies a password list file. This file contains a list of common passwords.
    • -vV: Enables verbose mode, showing each login attempt.
    • -e nsr: This is the key option for this step. It tells Hydra to try:
      • n: Null password (empty string).
      • s: Username as password.
      • r: Reversed username as password.
    • telnet://localhost: Specifies the target service and address. telnet indicates the Telnet protocol, and localhost refers to the local machine.

    Hydra will now attempt to log in to the Telnet service using the specified username and password list, as well as the null password, username, and reversed username. The output will show each login attempt and whether it was successful.

    Example output (may vary depending on the password list):

    Hydra v9.1 (c) 2020 by van Hauser/THC - use allowed only for legal purposes.
    
    Hydra is starting...
    
    [DATA] 1 task, 1 server, 1337 service(s)
    [DATA] attacking service telnet on port 23
    [DATA] attacking target localhost
    [ATTEMPT] target localhost - login: 'labex' - pass: ''
    [23][telnet] host: localhost   login: labex   password:
    [ATTEMPT] target localhost - login: 'labex' - pass: 'labex'
    [23][telnet] host: localhost   login: labex   password: labex
    [ATTEMPT] target localhost - login: 'labex' - pass: 'xebal'
    [23][telnet] host: localhost   login: labex   password: xebal
    ...

    Because we configured Telnet to allow login without authentication, Hydra will likely find a successful login with a null password.

Review Output for Successful Checks

In this step, we will analyze the output from the Hydra command we ran in the previous step to identify any successful login attempts.

  1. Examine the Hydra output:

    Scroll back through the terminal output from the previous step and look for lines that indicate a successful login. These lines typically contain the text [23][telnet] host: localhost login: labex password: followed by the successful password.

    Because we disabled authentication for Telnet, you should see a line similar to this:

    [23][telnet] host: localhost   login: labex   password:

    This indicates that Hydra was able to log in to the Telnet service on localhost as the user labex with a null password (an empty password).

  2. Understanding the Output:

    The output from Hydra provides valuable information about the security of the target service. In this case, the successful login with a null password highlights a significant vulnerability. An attacker could potentially gain access to the system without providing any credentials.

    If you see other successful logins with passwords from the wordlist, it indicates that the user is using a weak password that is easily guessed.

    The -vV option in the Hydra command provides verbose output, showing each login attempt. This can be helpful for understanding the progress of the attack and identifying any patterns or issues.
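
The review described above can be scripted. The following is an added example, not part of the original lab: classify_hydra_hits is a hypothetical helper and SAMPLE is constructed from the output format shown earlier. It labels each success line by the -e check that produced it and warns when one login was accepted with several different passwords, which points at a service that is not validating credentials rather than at a weak password.

```shell
#!/bin/sh
# SAMPLE is constructed from the example output format shown in this lab.
SAMPLE="[DATA] attacking service telnet on port 23
[ATTEMPT] target localhost - login: 'labex' - pass: ''
[23][telnet] host: localhost   login: labex   password:
[ATTEMPT] target localhost - login: 'labex' - pass: 'labex'
[23][telnet] host: localhost   login: labex   password: labex
[ATTEMPT] target localhost - login: 'labex' - pass: 'xebal'
[23][telnet] host: localhost   login: labex   password: xebal"

classify_hydra_hits() {
  # Reads Hydra output on stdin; prints "login<TAB>check<TAB>password" per hit.
  awk '
    index($0, "] host: ") && index($0, "login: ") && index($0, "password:") {
      li = index($0, "login: ") + 7
      pi = index($0, "password:")
      user = substr($0, li, pi - li); sub(/[ \t]+$/, "", user)
      pass = substr($0, pi + 9);      sub(/^ /, "", pass)
      rev = ""
      for (i = length(user); i > 0; i--) rev = rev substr(user, i, 1)
      if (pass == "")        kind = "null"       # found by -e n
      else if (pass == user) kind = "username"   # found by -e s
      else if (pass == rev)  kind = "reversed"   # found by -e r
      else                   kind = "wordlist"   # came from the -P file
      printf "%s\t%s\t%s\n", user, kind, pass
      if (!((user, pass) in seen)) { seen[user, pass] = 1; distinct[user]++ }
    }
    END {
      # Several different passwords accepted for one login means the service
      # is not checking credentials, so the hits say nothing about the password.
      for (u in distinct) if (distinct[u] > 1)
        printf "WARN\t%s\t%d distinct passwords accepted\n", u, distinct[u]
    }'
}

# Demo on the constructed sample; in the lab, pipe the hydra command into it.
printf '%s\n' "$SAMPLE" | classify_hydra_hits
```

On the sample, all three -e nsr candidates are reported as hits and the WARN line fires, matching the lab's Telnet setup with authentication disabled.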

Compare with -e ns Checks

In this step, we will run Hydra again, but this time using the -e ns option. This option tells Hydra to try null passwords and the username as the password. We will then compare the results with the previous run using -e nsr to understand the difference.

  1. Run Hydra with the -e ns option:

    Open your terminal in the ~/project directory and execute the following command:

    hydra -l labex -P /usr/share/wordlists/metasploit/unix_passwords.txt -vV -e ns telnet://localhost

    As before, let's break down this command:

    • hydra: The command to run the Hydra tool.
    • -l labex: Specifies the username to try. We're using labex, the default user on the LabEx VM.
    • -P /usr/share/wordlists/metasploit/unix_passwords.txt: Specifies a password list file. This file contains a list of common passwords.
    • -vV: Enables verbose mode, showing each login attempt.
    • -e ns: This option tells Hydra to try:
      • n: Null password (empty string).
      • s: Username as password.
    • telnet://localhost: Specifies the target service and address. telnet indicates the Telnet protocol, and localhost refers to the local machine.

    Hydra will now attempt to log in to the Telnet service using the specified username and password list, as well as the null password and username. The output will show each login attempt and whether it was successful.

    Example output (may vary depending on the password list):

    Hydra v9.1 (c) 2020 by van Hauser/THC - use allowed only for legal purposes.
    
    Hydra is starting...
    
    [DATA] 1 task, 1 server, 1337 service(s)
    [DATA] attacking service telnet on port 23
    [DATA] attacking target localhost
    [ATTEMPT] target localhost - login: 'labex' - pass: ''
    [23][telnet] host: localhost   login: labex   password:
    [ATTEMPT] target localhost - login: 'labex' - pass: 'labex'
    [23][telnet] host: localhost   login: labex   password: labex
    ...

  2. Compare the results:

    Compare the output of this command with the output from the previous step (using -e nsr). You should observe the following:

    • Both commands will likely find a successful login with a null password because we configured Telnet to allow this.
    • Both commands will try the username as the password.
    • The -e nsr command also tried the reversed username as the password, which -e ns did not.

    This comparison demonstrates how different options in Hydra can affect the scope and effectiveness of the attack. In this case, -e nsr includes an additional check (reversed username), which might be useful in certain scenarios.

Summary

In this lab, we set up a Telnet service on the LabEx VM for demonstration and testing purposes. This involved installing the telnetd package using apt and configuring the /etc/inetd.conf file to disable authentication, which is crucial for showcasing Hydra's password cracking capabilities in a controlled environment.

Because the LabEx VM runs in a Docker container, systemctl is not available, so after editing the inetd.conf file we used the /etc/init.d script to restart the inetd service. This configuration, while insecure for production environments, allows us to demonstrate Hydra's password cracking capabilities.