WEBVTT

0
00:00.870 --> 00:02.700
Hello and welcome!

1
00:02.820 --> 00:09.810
In this video we'll talk about brute forcing passwords of remote services using Hydra, which is a

2
00:09.820 --> 00:18.600
parallelized login cracker that can perform fast dictionary attacks against more than 50 protocols, including

3
00:18.660 --> 00:30.000
Telnet, SSH, FTP, HTTP, HTTPS, SMB, Cisco AAA, several databases and many more. Hydra is 

4
00:30.000 --> 00:38.830
very fast and flexible and new modules are easy to add. This tool makes it possible for researchers

5
00:38.970 --> 00:47.280
and security consultants to audit remote systems. Just for the record, other online crackers are Medusa


6
00:47.500 --> 00:52.130
and Ncrack. If you are running Kali Linux

7
00:52.230 --> 01:00.690
you will have a version of Hydra already installed. For all other Debian based Linux operating systems 


8
01:00.840 --> 01:08.970
install it from the official repository using: apt install hydra.

9
01:12.080 --> 01:18.560
There is also a graphical interface available that's already shipped with Kali Linux.

10
01:23.450 --> 01:26.220
This is the graphical interface of Hydra.

11
01:29.870 --> 01:38.690
On other distributions you can install the GUI by running: apt install hydra-gtk.


12
01:42.480 --> 01:48.840
In this lecture we'll use the command line because it's easier and most of the time you execute a

13
01:48.840 --> 01:54.430
security audit from a remote server, without a graphical interface installed.

14
01:54.480 --> 01:58.530
Let's get started! In the first example

15
01:58.620 --> 02:01.380
I'll try a dictionary attack on ssh.

16
02:02.890 --> 02:05.400
This is the ssh server.

17
02:05.440 --> 02:09.900
This is its IP address and it listens on the default port

18
02:09.910 --> 02:18.320
22. There is a user called Mark that has a weak password. As root

19
02:18.350 --> 02:26.330
I'm starting Hydra: hydra -l, the user whose password I want to crack,

20
02:26.410 --> 02:35.650
mark, -P and the path to a dictionary file, /usr/share/wordlists, and I'll use a password

21
02:35.650 --> 02:44.630
file that comes with Metasploit and contains some of the worst passwords. The password file is called

22
02:44.630 --> 02:52.040
unix_passwords.txt, then -t, the number of threads

23
02:52.060 --> 03:01.210
to start, let's say 10, ssh, the service, :// and the IP of the server

24
03:03.520 --> 03:07.120
192.168.0

25
03:07.140 --> 03:08.260
.19

26
03:08.410 --> 03:15.910
:22. If you changed the default port, you'll use the correct number here.

27
03:17.600 --> 03:25.550
Before hitting enter I want to see the authentication logs on the server and I'll use tail -f.

28
03:25.880 --> 03:27.980
I want to see them in real time.

29
03:28.960 --> 03:37.260
Here on the server tail -f 
and the path to the file where the ssh logs are saved

30
03:37.330 --> 03:41.150
/var/log/auth.log

31
03:45.450 --> 03:53.020
And I'm starting Hydra by hitting enter. And we notice how the password was already found.

32
03:54.290 --> 04:00.060
One valid password found! On the ssh server

33
04:00.120 --> 04:06.200
we notice how it has tried different passwords until it has found the correct one.

34
04:08.100 --> 04:16.790
Let's try another brute force attack this time on FTP on the same server. On the victim machine

35
04:16.800 --> 04:27.420
I am installing an FTP server: apt install proftpd; this is a well-known FTP server; it's installing

36
04:27.720 --> 04:30.810
proftpd, the professional FTP daemon.

37
04:33.550 --> 04:34.100
Okay!

38
04:34.160 --> 04:36.040
It was installed.

39
04:36.050 --> 04:45.410
Next I'm executing tail -f on the FTP server logs. I want to see the attack in real time: tail

40
04:45.410 --> 04:59.900
-f /var/log/proftpd/proftpd.log and back on Kali I am executing Hydra again; this

41
04:59.900 --> 05:00.310
time

42
05:00.320 --> 05:10.370
the service is ftp; it listens on port 21 and I want to find out the password of user

43
05:10.430 --> 05:14.450
Tor. I've already created the user: Tor

44
05:17.550 --> 05:21.220
and we see how it tries password after password.

45
05:28.900 --> 05:35.810
In a few seconds, or tens of seconds the user’s password will be found.


46
05:35.910 --> 05:42.140
It has been found. The password of user Tor is tinkerbell. 

47
05:42.160 --> 05:49.440
This is also a very weak password; it's a dictionary word. To mitigate these attacks

48
05:49.450 --> 05:56.500
the first thing you can do is to enforce strong passwords for each user, then configure for each service

49
05:56.620 --> 05:58.510
that permits authentication

50
05:58.600 --> 06:07.120
the maximum number of authentication attempts permitted per connection. If possible, at least for ssh,

51
06:07.140 --> 06:13.900
disable password authentication and enable public key authentication.

52
06:13.900 --> 06:15.690
This is much more secure!