Hydra 简介:

​ hydra是著名黑客组织thc的一款开源的暴力密码破解工具，可以在线破解多种密码。官网，可支持AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP等类型密码。

参数说明:

hydra

[[[-l LOGIN|-L FILE] [-p PASS|-P FILE|-x OPT -y]] | [-C FILE]]

[-e nsr] [-u] [-f|-F] [-M FILE] [-o FILE] [-b FORMAT]

[-t TASKS] [-T TASKS] [-w TIME] [-W TIME] [-m OPTIONS] [-s PORT]

[-c TIME] [-S] [-O] [-4|6] [-I] [-vV] [-d]

server service [OPTIONS]

    -R    restore  a  previously aborted session. Requires a hydra.restore file was written. Options are restored, but can be changed by

          setting them after -R on the command line

            继续从上一次进度接着破解。

    -S    connect via SSL

            采用SSL链接。

    -O    use old SSL v2 and v3

    -s PORT

          if the service is on a different default port, define it here

          PORT 可通过这个参数指定非默认端口

    -l LOGIN

          or -L FILE login with LOGIN name, or load several logins from FILE

          LOGIN 指定破解的用户，对特定用户破解。

    -p PASS

          or -P FILE try password PASS, or load several passwords from FILE

          指定特定密码

    -x min:max:charset

          generate passwords from min to max length. charset can contain 1

            for numbers, a for lowcase and A for upcase characters.

            Any other character is added is put to the list.

              Example: 1:2:a1%.

              The generated passwords will be of length 1 to 2 and contain

              lowcase letters, numbers and/or percent signs and dots.

    -y    disable use of symbols in -x bruteforce, see above

    -e nsr additional checks, "n" for null password, "s" try login as pass, "r" try the reverse login as pass

        -e ns 可选选项，n：空密码试探，s：使用指定用户和密码试探

    -C FILE

          colon separated "login:pass" format, instead of -L/-P options

          FILE 使用冒号分割格式，例如“登录名:密码”来代替-L/-P参数

    -u    by default Hydra checks all passwords for one login and then tries the next login. This option loops around  the  pass-

          words, so the first password is tried on all logins, then the next password.

    -f    exit after the first found login/password pair (per host if -M)

          在使用-M参数以后，找到第一对登录名或者密码的时候中止破解

    -F    exit after the first found login/password pair for any host (for usage with -M)

    -M FILE

          server list for parallel attacks, one entry per line

    -o FILE

          write found login/password pairs to FILE instead of stdout

    -b FORMAT

          specify the format for the -o FILE: text(default), json, jsonv1

    -t TASKS

          run TASKS number of connects in parallel (default: 16)

    -m OPTIONS

          module specific options. See hydra -U <module> what options are available.

    -w TIME

          defines the max wait time in seconds for responses (default: 32)

          -w TIME 设置最大超时的时间，单位秒，默认是32s。

    -W TIME

          defines  a  wait  time  between  each connection a task performs. This usually only makes sense if a low task number is

          used, .e.g -t 1

    -c TIME

          the wait time in seconds per login attempt over all threads (-t 1 is recommended) This usually only makes  sense  if  a

          low task number is used, .e.g -t 1

    -4 / -6

          prefer IPv4 (default) or IPv6 addresses

    -v / -V

          verbose mode / show login+pass combination for each attempt

    -d    debug mode

    -I    ignore an existing restore file (dont wait 10 seconds)

    -h, --help

          Show summary of options.    

破解示例：

1、破解ssh:

hydra -l 用户名 -p 密码字典 -t 线程 -vV -e ns ip sshhydra -l 用户名 -p 密码字典 -t 线程 -o save.log -vV ip ssh

2、破解ftp:

hydra ip ftp -l 用户名 -P 密码字典 -t 线程(默认16) -vVhydra ip ftp -l 用户名 -P 密码字典 -e ns -vV

3、get方式提交，破解web登录:

hydra -l 用户名 -p 密码字典 -t 线程 -vV -e ns ip http-get /admin/hydra -l 用户名 -p 密码字典 -t 线程 -vV -e ns -f ip http-get /admin/index.php

4、post方式提交，破解web登录:

hydra -l 用户名 -P 密码字典 -s 80 ip http-post-form "/admin/login.php:username=^USER^&password=^PASS^&submit=login:sorry password"

hydra -t 3 -l admin -P pass.txt -o out.txt -f 192.168.1.1 http-post-form "login.php:id=^USER^&passwd=^PASS^:<title>wrong username or password</title>"

（参数说明：-t同时线程数3，-l用户名是admin，字典pass.txt，保存为out.txt，-f 当破解了一个密码就停止， 192.168.1.1 目标ip，http-post-form表示破解是采用http的post方式提交的表单密码破解,中的内容是表示错误猜解的返回信息提示。）

破解https:

hydra -m /index.php -l muts -P pwd.txt 192.168.1.1 https

破解teamspeak

hydra -l 用户名 -P 密码字典 -s 端口号 -vV ip teamspeak

破解cisco:

hydra -P pass.txt 192.168.1.1  ciscohydra -m cloud -P pass.txt 192.168.1.1  cisco-enable

破解smb:

hydra -l administrator -P pass.txt 192.168.1.1  smb

破解pop3:

hydra -l muts -P pass.txt my.pop3.mail pop3

破解rdp:

hydra ip rdp -l administrator -P pass.txt -V

破解http-proxy:

hydra -l admin -P pass.txt http-proxy://10.36.16.1

破解imap:

hydra -L user.txt -p secret 192.168.1.1  imap PLAINhydra -C defaults.txt -6 imap://[fe80::2c:31ff:fe12:ac12]:143/PLAIN