Hydra

Hydra is a tool that can guess/crack valid login/password pairs extremely quickly. It supports a great deal of protocols.  Variant exist both for Windows and Unix.

Currently Hydra supports attack against the following services:

TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, RSH, RLOGIN, CVS, 

SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP2, LDAP3, Postgres, 

Teamspeak, Cisco auth, Cisco enable, LDAP2, Cisco AAA 

Installation:

./configure

make

make install

Pre-requisites:

libssh2

libssh2.so may need to be linked from its installed location to /lib so Hydra detects it when trying to crack ssh.

It is available from here.

Usage:

hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV] server service [OPT]

Options:

-R             Restore a previous aborted/crashed session

-S             Connect via SSL

-s              PORT if the service is on a different default port, define it here

-l               LOGIN or -L FILE login with LOGIN name, or load several logins from FILE

-p              PASS or -P FILE try password PASS, or load several passwords from FILE

-e ns          Additional checks, "n" for null password, "s" try login as pass

-C FILE    Colon seperated "login:pass" format, instead of -L/-P options

-M FILE   Server list for parallel attacks, one entry per line

-o FILE     Write found login/password pairs to FILE instead of stdout

-f               Exit after the first found login/password pair (per host if -M)

-t TASKS  Run TASKS number of connects in parallel (default: 16)

-w TIME    Defines the max wait time in seconds for responses (default: 30)

-v / -V        Verbose mode / show login+pass combination for each attempt

server         The target server (use either this OR the -M option)

service        The service to crack.

Supported protocols: telnet ftp pop3[-ntlm] imap[-ntlm] smb smbnt http[s]-{head|get} http-{get|post}-form http-proxy cisco cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5 rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh2 smtp-auth[-ntlm] pcanywhere teamspeak sip vmauthd

OPT some service modules need special input (see README!)

Use HYDRA_PROXY_HTTP/HYDRA_PROXY_CONNECT and HYDRA_PROXY_AUTH env for a proxy.

Example Output:

[root@fc6 wordlists]# hydra -l root -P pass.txt -s 22 -f 200.100.100.2 ssh2

Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.

Hydra (http://www.thc.org) starting at 2007-05-15 20:28:39

[DATA] 16 tasks, 1 servers, 234844 login tries (l:1/p:234844), ~14677 tries per task

[DATA] attacking service ssh2 on port 22

[22][ssh2] host: 200.100.100.2 login: root password: difficult

[STATUS] attack finished for 200.100.100.2 (valid pair found)

Hydra (http://www.thc.org) finished at 2007-05-15 20:28:49