1
00:00:00,450 --> 00:00:08,040
Hydra is a free and open source command line tool to crack valid login/password pairs online.

2
00:00:09,090 --> 00:00:12,600
It's very fast and flexible, and new modules are easy to add.

3
00:00:13,290 --> 00:00:15,540
Hydra is embedded in Kali.

4
00:00:15,900 --> 00:00:20,400
But before using it, we'd better have a look at some of the parameters.

5
00:00:22,000 --> 00:00:23,860
You can specify the username list,

6
00:00:24,550 --> 00:00:29,050
let's say the user dictionary, with uppercase L as the parameter.

7
00:00:30,070 --> 00:00:36,310
If you'd like to find the password of a valid user, you can specify a single user with lowercase l

8
00:00:36,430 --> 00:00:37,180
instead.

9
00:00:38,540 --> 00:00:40,370
You can specify the password list,

10
00:00:41,180 --> 00:00:45,620
let's say the password dictionary, with uppercase P as a parameter.

11
00:00:46,650 --> 00:00:52,650
If you find a password, for example, while dumpster diving and don't know the user, you can specify

12
00:00:52,650 --> 00:00:56,220
a single password with lowercase p as a parameter.

13
00:00:58,400 --> 00:01:05,210
If one valid username/password pair is enough for us, we can use the f parameter, and that makes it

14
00:01:05,210 --> 00:01:08,840
exit when it finds a valid username/password pair.

15
00:01:10,340 --> 00:01:15,950
Now, server is another required parameter of the tool, which stands for the target server.

16
00:01:17,250 --> 00:01:21,480
Finally, we have to specify the service that we want to attack.

17
00:01:22,020 --> 00:01:23,970
And some supported services are

18
00:01:24,930 --> 00:01:32,940
MS SQL, MySQL, Oracle listener, SSH, Cisco, and the list goes on.

19
00:01:34,290 --> 00:01:40,320
So let's see how we can perform a dictionary attack on the SSH service using Hydra.

20
00:01:41,830 --> 00:01:43,900
So I want to open a terminal screen in Kali.

21
00:01:45,280 --> 00:01:50,230
Now, I want to test a network connection first between Kali and the target system, which is one nine

22
00:01:50,240 --> 00:01:53,560
two one six eight one zero two one one for me at the moment.

23
00:01:55,230 --> 00:02:00,240
Now I want to learn whether the SSH service is running on the target, and to achieve this,

24
00:02:00,810 --> 00:02:02,610
I'm going to use the Nmap tool.

25
00:02:03,450 --> 00:02:04,980
I know you're already a step ahead of me.

26
00:02:05,220 --> 00:02:05,730
That's good.

27
00:02:07,520 --> 00:02:11,000
The first parameter is the IP address of the target machine.

28
00:02:12,170 --> 00:02:19,910
So it scanned the most common 100 ports, which will cover the default SSH port, which is 22.

29
00:02:21,490 --> 00:02:27,460
Now, the last parameter is to detect the versions of the services. If you don't use version detection,

30
00:02:27,460 --> 00:02:34,270
Nmap labels the ports according to the default services. For example, if SSH is running on, let's

31
00:02:34,270 --> 00:02:42,070
say, port 80 and you don't use the version detection option, Nmap labels the service as HTTP, which

32
00:02:42,070 --> 00:02:43,570
is not correct.

33
00:02:45,830 --> 00:02:48,470
So now we've got the results in 12 seconds.

34
00:02:48,680 --> 00:02:53,750
And as you'll see, the SSH service is running on port 22.

35
00:02:55,240 --> 00:02:59,890
Next up is to try to establish an SSH connection to the target.

36
00:03:01,290 --> 00:03:07,440
Well, I'm feeling pretty lucky today, and I want to try for the root user first, so

37
00:03:08,830 --> 00:03:14,560
type ssh root at the target IP and hit enter.

38
00:03:16,370 --> 00:03:21,900
It's asking for the password, so we can suppose that the target system is open to connect with a root

39
00:03:21,920 --> 00:03:22,310
user.

40
00:03:23,360 --> 00:03:30,920
We don't know the password as of yet, so I'll just press Control-C to cancel the login period.

41
00:03:32,860 --> 00:03:39,490
OK, now it is time to use Hydra to perform a password cracking attack on that target machine.

42
00:03:41,200 --> 00:03:48,880
So if you type hydra and press enter, the help page appears, explaining what Hydra is, and here are

43
00:03:48,880 --> 00:03:49,600
the options.

44
00:03:50,600 --> 00:03:54,980
Now, these are the supported services, including the SSH service.

45
00:03:56,340 --> 00:03:58,980
So let's go ahead and build the command together.

46
00:04:00,050 --> 00:04:06,530
Since we know the root user is enabled for the SSH service of the target machine, we can give a single

47
00:04:06,530 --> 00:04:11,510
user, root, as the username with lowercase l as a parameter.

48
00:04:12,840 --> 00:04:16,980
The uppercase P is to define the dictionary which will be used in the attack.

49
00:04:17,920 --> 00:04:21,760
Well, we're going to need a dictionary, so let's search Kali to find one.

50
00:04:22,600 --> 00:04:25,330
I'll just use the find Linux command for this purpose.

51
00:04:26,450 --> 00:04:29,510
The first parameter is where it's going to start to search.

52
00:04:30,080 --> 00:04:37,790
Slash means that it will start searching from the root folder. Name means that we want to find the files

53
00:04:37,790 --> 00:04:39,440
according to their file names.

54
00:04:40,190 --> 00:04:43,970
Now I want to find the files where the name starts with password.

55
00:04:45,100 --> 00:04:49,990
Star here represents that the rest of the name might be, well, anything.

56
00:04:50,770 --> 00:04:52,000
So it's OK to hit enter.

57
00:04:53,390 --> 00:04:55,280
Well, now there are a lot of files.

58
00:04:55,730 --> 00:04:57,560
I did not expect that, did you?

59
00:04:59,770 --> 00:05:00,880
So let's scroll up a bit.

60
00:05:01,730 --> 00:05:06,200
OK, here I found a folder with the name wordlists.

61
00:05:06,530 --> 00:05:09,680
So let's go to the folder and look at those wordlists.

62
00:05:14,520 --> 00:05:16,350
ls to list the files.

63
00:05:17,250 --> 00:05:20,580
Well, look at that, there are a lot of wordlists for different purposes.

64
00:05:23,750 --> 00:05:30,620
Here there's a wordlist, Unix passwords, and it's not a big file, in fact, but I don't want to

65
00:05:30,620 --> 00:05:36,230
waste time while waiting to run a long dictionary, so this would be enough for us to start anyway.

66
00:05:36,620 --> 00:05:42,560
And of course, I'll choose a simple password for the SSH service to succeed in the attack, but don't

67
00:05:42,560 --> 00:05:43,460
tell anybody else.

68
00:05:45,410 --> 00:05:52,010
The wc Linux command is used to count letters, words and lines of a text file.

69
00:05:53,120 --> 00:06:05,210
The result means that the Unix passwords file has 1009 lines, 1009 words and 7883 characters inside.

70
00:06:05,990 --> 00:06:06,980
Useful information.

71
00:06:08,450 --> 00:06:11,720
So let's continue to build a Hydra command: hydra,

72
00:06:11,800 --> 00:06:15,080
dash l root, dash uppercase P,

73
00:06:15,110 --> 00:06:17,930
password file, Unix passwords

74
00:06:17,930 --> 00:06:18,850
Dot DST.

75
00:06:21,140 --> 00:06:23,780
Dash f to exit as soon as it finds a valid credential.

76
00:06:25,170 --> 00:06:29,460
Dash capital V is to show the login and password pairs of each attempt.

77
00:06:30,410 --> 00:06:32,960
And that's used to increase the verbosity level.

78
00:06:34,960 --> 00:06:39,100
Target IP address and, finally, the service to attack, SSH.

79
00:06:39,850 --> 00:06:41,380
And time to run the command.

80
00:06:42,160 --> 00:06:46,030
OK, so I'll stop the attack by pressing the Control-C keys.

81
00:06:46,300 --> 00:06:48,070
But please look at the first lines.

82
00:06:48,520 --> 00:06:54,520
There's a warning here which says many SSH configurations limit the number of parallel tasks.

83
00:06:55,150 --> 00:07:00,220
And it recommends us to reduce the tasks using the t four parameter value pair.

84
00:07:00,880 --> 00:07:07,420
OK, I recall the command by pressing the up arrow and add t five at the end and run the command again.

85
00:07:08,990 --> 00:07:14,030
Now it warns me that it will override the restore file of the previous session

86
00:07:14,240 --> 00:07:18,230
if we do not abort the command in 10 seconds. The countdown starts.

87
00:07:20,150 --> 00:07:27,440
Now the attack's started, so as you see here, Hydra pauses the attack at every fifth try.

88
00:07:29,400 --> 00:07:31,350
Now we've got the results in seconds.

89
00:07:31,590 --> 00:07:38,310
We found the password of the user of the SSH server running on the target system. Hydra says the password

90
00:07:38,310 --> 00:07:39,300
is password one.

91
00:07:39,960 --> 00:07:41,030
Never seen that before.

92
00:07:52,980 --> 00:07:55,680
Now I have an SSH connection on the target system.

93
00:07:56,010 --> 00:07:56,460
Ha ha.

94
00:07:56,760 --> 00:07:57,300
Well done.