August 25, 2005

Detect weak network passwords with Hydra

Author: Paul Virijevich

Security experts always advise you to use only strong alphanumeric passwords for network applications, and change them often, but you know that not everyone on your network is security-conscious. Starting to worry that weak passwords may be slipping through your defenses? Then it's time to unleash Hydra, a network login cracker for more than 30 network services.

Hydra comes from The Hacker's Choice (THC), a group that has written more than 60 open source network security tools and research papers. Hydra receives frequent updates and is the group's second most downloaded project.

I ran Hydra against a MySQL server on my local machine. The simplest way to run Hydra is to specify a user name and password combination for it to try. This is useful only when you know what the username or password of the service is likely to be. To get a feel for Hydra, use a login and password that you know will succeed. I did so by running:

hydra localhost mysql -l root -p rootpass

This runs Hydra against MySQL on the local machine with a login of root and a password of rootpass. By default, Hydra spawns 16 concurrent processes. Adding more processes with the -t option can speed things up a bit, at the risk of locking yourself out of a network service if the administrator restricts the number of connection attempts. Here, Hydra reports it succeeded in connecting with this combination and outputs:

[3306][mysql] host: login: root password: rootpass

To run Hydra against a machine on a network, just substitute localhost with an IP address or hostname.

Specifying a login and password combination for every attempt is not very efficient. The login part of the equation is the easy one. Typical logins for most network services are words like root or admin. The password part is where the difficulty lies. That is what makes Hydra's ability to use dictionary files for both logins and passwords so useful. A dictionary file contains a list of words (one word per line) that Hydra can cycle through for logins or passwords.

You can specify a dictionary file with the following syntax:

hydra localhost mysql -L login.txt -P pass.txt

Hydra does not come with any dictionary files -- you must create your own or download one. One option is to use something like an English language thesaurus from Project Gutenberg. This list contains commas and does not have only one word per line. You can clean up this list with the following sed command:

sed -e 's/,/ /g' -e 's/[ ]/\n/g' mthesaur.txt | sort | uniq > pass.txt

This removes the commas, places each word on its own line, and removes duplicate entries. This gives you a dictionary file with 74,618 words.

One way to test Hydra with a file this size is to create a small login dictionary file with usernames and use a large dictionary file for passwords. Next, add a MySQL account with a username and password combination from these files. For example, using a login dictionary file with 10 entries and pass.txt gives Hydra 746,180 combinations to cycle through.

If you know the service you're testing against has a minimum password length -- say, passwords must be at least 10 characters long -- then testing passwords with fewer than 10 characters would be a waste of time and resources. Hydra comes with pw-inspector, a utility that filters a password list based on criteria you pass to it. You can reduce pass.txt to words with 10 or more characters by running:

cat pass.txt | pw-inspector -m 10 > sortedpass.txt

This trims the list down to 28,571 words. The final command to run is:

hydra localhost mysql -L logins.txt -P sortedpass.txt

This brings down the number of combinations to a slimmer 285,710.
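As an added example (not from the article or the THC project), here is a POSIX shell script that does the same dictionary preparation with standard tools: it turns a comma-separated thesaurus file into a one-word-per-line list, applies the minimum-length filter that pw-inspector -m applies, and counts how many login/password combinations a scan would cover. The thesaurus content is a constructed sample, not the Project Gutenberg file.

```shell
#!/bin/sh
# Added example: wordlist preparation and combination counting for a
# Hydra dictionary scan, using only tr, grep, sort, awk and wc.

# Constructed stand-in for mthesaur.txt: comma-separated rows, CRLF line
# endings like a Project Gutenberg download.
make_sample_thesaurus() {
  printf 'password,secret,passphrase,watchword\r\n' > "$1"
  printf 'admin,administrator,root,superuser\r\n' >> "$1"
  printf 'secret,passphrase,changeme123\r\n' >> "$1"
}

# Number of lines in a file, without the padding BSD wc prints.
count_lines() {
  wc -l < "$1" | tr -d ' '
}

# Turn a comma-separated file into a sorted, de-duplicated one-word-per-line
# list (the same result as the article's sed | sort | uniq pipeline).
build_wordlist() {
  tr -d '\r' < "$1" | tr ', ' '\n\n' | grep -v '^$' | sort -u > "$2"
}

# Keep only words of at least $2 characters (what pw-inspector -m does).
min_length_filter() {
  awk -v min="$2" 'length($0) >= min' "$1" > "$3"
}

# Login/password pairs Hydra would try with -L $1 -P $2: lines * lines.
combinations() {
  echo $(( $(count_lines "$1") * $(count_lines "$2") ))
}

# Demo run on the constructed sample in a scratch directory.
tmp=$(mktemp -d)
make_sample_thesaurus "$tmp/mthesaur.txt"
build_wordlist "$tmp/mthesaur.txt" "$tmp/pass.txt"
min_length_filter "$tmp/pass.txt" 10 "$tmp/sortedpass.txt"
printf 'root\nadmin\n' > "$tmp/login.txt"
echo "words: $(count_lines "$tmp/pass.txt"), 10+ chars: $(count_lines "$tmp/sortedpass.txt")"
echo "combinations before filter: $(combinations "$tmp/login.txt" "$tmp/pass.txt")"
echo "combinations after filter:  $(combinations "$tmp/login.txt" "$tmp/sortedpass.txt")"
```

Run it against the real thesaurus by replacing the sample file with mthesaur.txt; the counts then match what the article reports only if the same cleanup rules are applied.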

The amount of time this takes depends on the speed of your machine and the placement of the login and password in the files. Hydra updates you as the process goes on. My 1.2GHz AMD Duron processor can crunch approximately 4,000 combinations per minute with an estimated time of one hour 10 minutes to run the whole set. This particular scan took an hour. I achieved nearly the same result over a switched 100Mbps network in later testing. In that test, Hydra's bandwidth usage averaged 100Kbps. If you need to quit mid-scan, go ahead. Hydra saves its results in a file named hydra.restore. To pick up where you left off, use the command hydra -r from within the directory where you initiated the scan.

There is much more to Hydra than what these simple examples show. Hydra can scan entire networks at a time and work through proxy servers. A GTK-based graphical interface called xhydra is also included.

With the help of Hydra, you can weed out the weak logins and passwords that pose a security threat to your network. It's a good tool in your network security arsenal.

Paul Virijevich is working to eliminate the "Linux consultants cost more" TCO myth. He recently started a consultancy, providing cost-effective open source solutions to small businesses.
