1
00:00:00,330 --> 00:00:06,490
Hydra is a free and open source command line tool to crack valid login/password pairs online.

2
00:00:06,930 --> 00:00:10,860
It's very fast and flexible, and new modules are easy to add.

3
00:00:11,370 --> 00:00:18,150
Hydra is embedded in Kali, but before using it, we'd better see some of its parameters.

4
00:00:19,100 --> 00:00:27,170
You can specify the username list, let's say the user dictionary, with the uppercase L parameter. If you'd

5
00:00:27,170 --> 00:00:33,170
like to find the password of a valid user, you can specify a single user with the lowercase L parameter.

6
00:00:33,170 --> 00:00:37,190
Instead, you can also specify the password list.

7
00:00:37,640 --> 00:00:42,710
Let's call it the password dictionary, with the uppercase P parameter.

8
00:00:43,520 --> 00:00:49,700
If you find a password, for example while dumpster diving, and don't know the user, you can specify

9
00:00:49,700 --> 00:00:52,250
a single password with the lowercase P parameter.

10
00:00:53,340 --> 00:01:00,120
If one valid username and password pair is enough for us, we can use the F parameter, and that makes

11
00:01:00,120 --> 00:01:03,750
the tool exit when it finds a valid username/password pair.

12
00:01:04,850 --> 00:01:09,920
Server is another required parameter of the tool, which stands for the target server.

13
00:01:11,030 --> 00:01:18,590
And finally, we have to specify the service that we want to attack. Some supported services are HTTP

14
00:01:18,590 --> 00:01:29,510
POST form, HTTPS POST form, HTTP GET form, HTTPS GET form, HTTP proxy, MSSQL,

15
00:01:29,540 --> 00:01:36,260
MySQL, Oracle listener, SSH, Cisco, etc.

16
00:01:37,390 --> 00:01:41,530
Every protocol has its own unique options to set.

17
00:01:42,710 --> 00:01:47,540
We'll see the options for HTTP POST form in the following demonstration.

18
00:01:50,280 --> 00:01:53,430
So now go to Kali and run a web browser.

19
00:01:54,360 --> 00:01:59,730
Do you remember the OWASP Broken Web Applications, abbreviated BWA, server?

20
00:02:00,570 --> 00:02:04,350
Well, it's on my network with the IP number 139.

21
00:02:06,030 --> 00:02:10,230
Type in the IP address in the address bar of the browser and hit Enter.

22
00:02:10,890 --> 00:02:13,950
Now here's the homepage of the OWASP BWA.

23
00:02:14,640 --> 00:02:18,630
I'll scroll down a bit and click the Damn Vulnerable Web Application link.

24
00:02:19,990 --> 00:02:24,040
Now, we arrived at a login page that asks for the username and the password.

25
00:02:24,730 --> 00:02:31,840
Now we don't know any credentials, and we'll try to find a valid username/password pair by an online password

26
00:02:31,840 --> 00:02:32,680
cracking attack.

27
00:02:33,970 --> 00:02:41,380
Open a terminal screen. Hydra is embedded in Kali, so you can start to use it simply by typing

28
00:02:41,380 --> 00:02:46,570
its name. If you type Hydra with no parameters, the help page appears.

29
00:02:47,670 --> 00:02:51,030
Here is the list of options and supported services.

30
00:02:52,220 --> 00:02:54,530
So let's start to build the attack.

31
00:02:55,700 --> 00:03:02,390
L is the first parameter. To keep the attack simple and fast, I suppose that we know a valid

32
00:03:02,390 --> 00:03:05,090
user, which is probably going to be admin.

33
00:03:05,420 --> 00:03:08,410
So I'll use the lowercase L parameter.

34
00:03:09,380 --> 00:03:13,700
Now we specify the password dictionary with uppercase P.

35
00:03:15,150 --> 00:03:22,950
Well, there are some dictionaries in Kali, let me find them and I'll use one. So I open a new terminal

36
00:03:22,950 --> 00:03:27,540
screen and search for the dictionaries using the find Linux command.

37
00:03:28,510 --> 00:03:32,950
So I'm looking for the files that start with pass and have

38
00:03:33,960 --> 00:03:35,850
the .lst extension.

39
00:03:37,210 --> 00:03:38,140
I found a few.

40
00:03:38,710 --> 00:03:42,700
So let's look at the contents of one of them using the less Linux command.

41
00:03:43,710 --> 00:03:49,350
You can search for a phrase with the forward slash indicator within the less command.

42
00:03:49,920 --> 00:03:54,330
So I look for admin, to see if the word exists in the dictionary.

43
00:03:55,380 --> 00:04:02,100
Well, that's because I know the password of the admin user is admin, and I want to show you a successful

44
00:04:02,100 --> 00:04:02,700
attack.

45
00:04:11,730 --> 00:04:20,330
OK, now this is the target server, OWASP BWA, 139. I have to specify the service we attack.

46
00:04:21,030 --> 00:04:24,540
So to learn the service, let's go to the browser again.

47
00:04:25,140 --> 00:04:27,480
But before trying to log in, I run Burp

48
00:04:27,480 --> 00:04:27,840
Suite.

49
00:04:28,760 --> 00:04:36,740
Now, I think I should tell you a little bit about Burp Suite. Burp Suite is used in web application penetration

50
00:04:36,740 --> 00:04:43,520
tests, and I've explained and used it extensively in Hacking Web Applications and Penetration Testing.

51
00:04:44,030 --> 00:04:47,150
That's the course that fully lays it out in detail.

52
00:04:47,570 --> 00:04:51,740
But I'll just give you a little introduction to it now, if you haven't done that course.

53
00:04:54,040 --> 00:05:00,790
Burp Suite is a web application penetration testing framework. It has become an industry standard suite

54
00:05:00,790 --> 00:05:07,720
of tools used by information security professionals to identify vulnerabilities and verify attack vectors

55
00:05:07,720 --> 00:05:09,250
for web based applications.

56
00:05:10,480 --> 00:05:18,070
I suppose in its simplest form, Burp Suite can be classified as a personal proxy or interception proxy;

57
00:05:18,970 --> 00:05:24,760
a penetration tester configures their Internet browser to route traffic through the proxy, which then

58
00:05:24,760 --> 00:05:31,840
acts as a sort of man in the middle by capturing and analyzing each request and response to and from

59
00:05:31,840 --> 00:05:32,980
the target web app.

60
00:05:34,320 --> 00:05:42,630
Individual HTTP requests can be paused, manipulated and replayed back to the web server for targeted

61
00:05:42,630 --> 00:05:46,200
analysis of parameter-specific injection points.

62
00:05:47,130 --> 00:05:54,060
The injection points can then be specified for manual, as well as automated, fuzzing attacks to discover

63
00:05:54,240 --> 00:05:59,810
potentially unintended application behaviours, crashes and error messages.

64
00:06:00,660 --> 00:06:01,380
You got all that?

65
00:06:02,910 --> 00:06:06,750
So now we can continue to the online cracking session with Hydra.

66
00:06:09,030 --> 00:06:11,010
Burp Suite is started.

67
00:06:11,950 --> 00:06:17,620
We have to route traffic through Burp Suite to be able to listen to the requests and responses and analyze

68
00:06:17,620 --> 00:06:17,740
them.

69
00:06:18,760 --> 00:06:25,660
So to do this, we should change the proxy settings of the browser to listen to port 8080 of the

70
00:06:25,660 --> 00:06:30,450
localhost. You can change the proxy of the browser from the preferences menu.

71
00:06:31,240 --> 00:06:33,360
I just use FoxyProxy.

72
00:06:33,900 --> 00:06:37,360
It's a plug-in to change the proxy of the browser easily.

73
00:06:37,870 --> 00:06:40,960
This little fox icon is FoxyProxy.

74
00:06:40,960 --> 00:06:41,740
I'll click on it.

75
00:06:42,130 --> 00:06:46,720
And here there are proxy settings for port 8080 of the localhost.

76
00:06:48,680 --> 00:06:53,480
Now you can use the proxy from your browser's network settings, as seen in the picture here.

77
00:06:56,040 --> 00:07:03,770
So I'll choose the proxy localhost 8080, and now my browser's traffic is routed through Burp Suite.

78
00:07:04,630 --> 00:07:06,940
So now I'll make a login attempt.

79
00:07:11,780 --> 00:07:17,630
So I intercepted the login request. It's a POST, so we found the service to attack.

80
00:07:18,750 --> 00:07:23,520
Back to the Hydra query, the next parameter is http-post-form.

81
00:07:25,080 --> 00:07:31,530
Now is the most critical part of building a Hydra attack: setting the options of the service.

82
00:07:32,470 --> 00:07:39,160
There are three parts of the options of the service http-post-form, separated by the colon character.

83
00:07:40,270 --> 00:07:43,120
The first part is the address of the authentication form.

84
00:07:53,610 --> 00:08:01,160
The second part is the form parameters, and here they are. I'll copy them and paste them as the second

85
00:08:01,160 --> 00:08:02,390
part of the service options.

86
00:08:03,140 --> 00:08:04,570
Now, this is an important point.

87
00:08:04,580 --> 00:08:12,200
Again, the place where the passwords will be set for online cracking attacks is labeled as PASS between

88
00:08:12,200 --> 00:08:14,420
two caret signs.

89
00:08:15,470 --> 00:08:22,910
Same as the password field, the place of the username is signed as USER between two caret characters as

90
00:08:22,910 --> 00:08:23,260
well.

91
00:08:24,380 --> 00:08:30,560
The third part of the service option is a unique part of the response message of a failed login

92
00:08:30,560 --> 00:08:30,950
attempt.

93
00:08:36,570 --> 00:08:43,590
So I go to the browser, copy the login failed message and paste it; that is the third part of the option.

94
00:08:44,990 --> 00:08:46,810
I think the service options are ready.

95
00:08:47,890 --> 00:08:54,220
So at last, I put the F parameter to make the tool exit when it finds a valid credential.

96
00:08:54,930 --> 00:08:56,560
So we're ready to run the command now.

97
00:08:56,920 --> 00:09:01,210
Just hit Enter and the online password cracking attack starts.

98
00:09:02,700 --> 00:09:07,260
Now, we'll wait as much as it takes; it reports every minute.

99
00:09:08,640 --> 00:09:15,960
And this is the first minute's report: 933 tries per minute, that's pretty good, and it says it has

100
00:09:15,960 --> 00:09:18,900
2626 tries to do.

101
00:09:34,800 --> 00:09:41,670
Now, Hydra found a valid username/password pair just after the second minute's report. The username was

102
00:09:41,670 --> 00:09:46,370
already fixed as admin, and it found that the password is admin for the user.

103
00:09:47,010 --> 00:09:51,810
And since we used the F parameter, it stopped working as soon as it found a valid credential.

104
00:09:52,680 --> 00:09:59,490
Now we can go to the app and enter admin for the username and again admin for the password to log in.

