There is an excellent tool for cracking online passwords and it is called THC-Hydra. Fortunately, it is built on our Kali distribution, so we don't need to download, install, or integrate anything in order to use it.
Step 1: Download and install the Temper data
Before we start with THC-Hydra, let's add another THC-Hydra supplement. This tool is known as "Tamper Data", and is the Mozilla Firefox plug-in. Since our IceWeasel browser in Kali is built on open source Firefox, it connects equally to Iceweasel.
Don't Miss: How to Hack Facebook Without Phishing SOP
Tamper data enables us to capture and view HTTP and HTTPS GET data and POST data. In a nutshell, Tamper Data is a web proxy like the Burp Suite, but it's simple and built directly into our browser.
Disruption data helps us retrieve data from the browser on the way to the server and modify it. In addition, once we have entered into a complex web attack, it is important to know what fields and methods are used by the web form, and Tamper Data can also help us with that.
Let's download it from here and install it in Iceweasel or FireFox.
Step 2: Check Temper data
Now that we have Tamper Data installed in our browser, let's see what we can do. Use Tamper Data and navigate to any website. Below you can see that I have roamed Bank of America and Tamper Data provides each HTTPS GET and POST request between my browser and server.
When I try to sign in to a site with the username "hacker", Tamper Data returns to me all the sensitive information in the form. This information will be useful when we start using Hydra to crack online passwords.
Step 3: Turn on THC Hydra
Now that we have Tamper Data in place and working properly, let’s turn on Hydra. You can get it from Kali Linux -> Password -> Internet Attack -> Hydra. You can see it in the middle of the list of tools for cracking passwords online.
Step 4: Understand Hydra Basics
When we open Hydra, we are greeted with this help screen. Note the sample syntax at the bottom of the screen. Hydra's syntax is simple and similar to other password-breaking tools.
Let's look at it further.
hydra -l -p username passwordlist.txt
The username can be a single username, such as "admin" or a username list, a password list usually exists in any text file containing passwords, and the target can be an IP and port address, or it can be a specific web form field.
Don't Miss: Turn Your Phone Into Hacking Device
Although you can use any password text file in Hydra, Kali has a few built-in areas. Let's convert indexes into /usr/share/word list:
kali> cd /usr/share/wordlist
Then List the contents of that Directory:
kali> ls
You can see below, Kali has a lot of word lists built-in. You can use any of these or a list of words you download from the web as long as they are created in Linux and in .txt format.
Step 5 : Use Hydra to crack passwords
In the example below, I use Hydra to attempt to crack the "administrator" password using the "rockyou.txt" password list at 192.168.89.190 port 80.
Using Hydra for Web Forms
Using Hydra on web forms can increase the level of complexity, but the format is the same except that you need information on the web form parameters that can be provided by Tamper Data.
The syntax for using Hydra and web form is to use <url>: <formparameters>: <failure string> where we previously used the targeted IP. We still need a username list and a password list.
Perhaps the most serious of these password hacking restrictions on the web form is the "failure thread". This is a thread that returns the form when the username or password is incorrect. We need to scan this and provide it to Hydra so that Hydra knows where the password you tried is incorrect and then go to the next attempt.
0 Comments