If you have never used this tool, you should. Whether you are testing your own network or doing penetration testing, constantly identifying weak passwords is a must. There are so many breaches, and so many are successful because someone had a weak password. Weak passwords hide, and so many technologies and services have crept into our environments that it's tough to keep up. Nice patches can be added that will generate passwords and add support for all kinds of auth methods, TLS support for more protocols, SASL, and more!
We also thought it would be fun to go through our archives and share some of the cool things we have done with Hydra in the past.
Waaay Back in Episode 20
Using Hydra was one of our first technical segments.
For the record, the text is special "hidden" text. You need to highlight it to see it…. Yeah, that was intentional.
Then, Paul and I were working on a penetration test and we wanted to share how to use Hydra in such a way that you would not lock out accounts.
This pen test was awesome. We were dealing with an environment that was using LDAP for Linux authentication and we wanted to take a list of passwords that we had cracked from a Windows 2K3 server and try them each individually against a number of user accounts. The goal was to try one password with multiple accounts, and restrict specific passwords to default accounts like root.
Worked like a champ.
Just a couple of quick tips on using Hydra:
1. Don't use the GUI. It has issues from time to time.
2. Slow down. This is not password cracking. You need to take your time. Throttle back the number of threads and make sweet, slow password love to a service.
3. Practice on test systems first. Create a series of accounts that should be guessable with Hydra. Then run it. If it is working "yeah!" If not, find out why.
I was also thinking that this is a great opportunity to say to the guys at THC "Thanks." I don't think we do that enough in this industry. Take a few moments and write an email thanking an author or authors of a free/Open Source tool that makes your life easier.
So, here is to the fine developers of Hydra:
and John Strand
Originally discussed during episode 238
John Strand will be teaching SANS 660 Advanced Network Penetration Testing and Metasploit for Penetration Testers this April in Reston, VA, April 15 - 23.