THC Hydra$1$

is software written to brute$-$force attack online$/$networking services. In contrast, software

like John the Ripper works offline. Because Hydra works online, system administrators often know that it

is running and can actively block it$.$ For this reason Pen$-$Testers are careful in using this software $($even

though the THC part of the name is The Hackers Choice.$)$ Hydra checks combinations of userids and

passwords very quickly by trying to connect$/$login with each combination of userid and password.

Our lab: Brute Force attack on SSH using HYDRA

Before we can get started, we need to find our target. Start both Metasploitable and Kali virtual

machines. The items below in bold are the ones you need to answer in a word document submitted on

Blackboard.

What is the IP of your metasploitable target?

On which port is SSH running?

If we let hydra just run it can turn into a form of DOS because it tries to login so many times so quickly,

the server might not be able to handle it$.$ This would likely happen if we used a password list like

rockyou along with a list of userids. So let$$s just make our own lists to use:

nano users.txt

enter the following users in the file

root

msfadmin

apache

user

tomcat

save the file. Create a new text file for the password list

nano pwd$.$txt

enter the following passwords:

toor

password

p@$$word

user

ralph

msfadmin

bugsbunny

save the file.

Now let$$s run Hydra against SSH using that list of users and passwords. Hydra will test each user with

each password.

run the following command:

hydra $-$L users.txt $-$P pwd$.$txt TARGET$\_$IP $-$t $4$ ssh

Let$$s break down what$$s happening in that command: after telling Kali we want to run hydra, the $-$L

switch tells hydra to find the list of users in the file users.txt$.$ Similarly $-$P tells hydra to find the

passwords in the file pwd$.$txt$.$ Next we give it the IP of our target. $-$t $4$ is telling hydra how many threads

to run and ssh tells hydra that we want it to target the ssh service.

Which valid combination$($s$)$ of userid and password did Hydra find?

Show the output of hydra $($take a screenshot$)$

We now have a method to remote connect to the server. You can connect with SSH with the following

command $($replace USERID with the actual userid you want to use and remote$\_$ip with the ip of

metasploitable$2)$:

ssh USERID@remote$\_$ip

You will then be prompted for the password.

use ssh to connect to metasploitable using credentials discovered by Hydra.

Take a screenshot of your SSH connection.

Metasploitable$2$ also has VNC running. Lookup how to setup hydra to attack

VNC$.$

On which port is VNC running?

Use Hydra to find a valid password for VNC using the rockyou text list.

What is the command you used to run hydra?

What is the password to connect with VNC$?$