Hydra (Parallel Login Brute-Forcer) Modifications

by JoMo-kun 02/10/2004



News

03-31-2005

Starting with the release of Hydra v4.1, the SMBNT module was broken. Whoever modified the module to use MD4 from openssl rather than libdes failed to notice that openssl's MD4Update function requires a string's length in bytes, not bits. This completely broke normal password checking. However, this should not have affected the pass-the-hash ability of the module.

The following patch should fix this issue: smbnt_fix_v46_030805.diff

While figuring out what was broken in the module, I made several additional modifications to the code. Here they are, in no particular order:

07-23-2004

THC.org has released v3.0 of Hydra. Unfortunately, they broke my parallel patch when they applied it. Below is a link to a patch which attempts to fix some of the bugs they introduced into the code. The patch also modifies how the SMBNT module works. A user can now control whether the local workstation accounts are checked or whether the workstation being tested should forward the check to its domain controller.

hydra_30_parallel_fix.diff

Let me know if there are any issues with this patch.


DISCLAIMER:

I make no claims that any of this code will work for anyone, including myself. I am not some 31337 c0der, just a lame PERL script kiddie who is trying to learn some C. As with most free code, if this breaks, you can keep both pieces. Please let me know if any bugs crawl out or if these mods are actually useful.



Some modifications to Hydra [www.thc.org]...


SMB NTLM Password/HASH Checking Hydra Module

This code allows Hydra to directly test NTLM hashes against a Windows host, without first cracking them. This may be useful for an auditor who has acquired a sam._ or pwdump file and would like to quickly determine which entries are still valid. This module can also be used to test SMB passwords against devices that do not accept clear-text (non-challenge/response) LanMan passwords.

The "-m 'METHOD'" option is required for this module. The following are valid methods (quoted on the command line): L, LH, D, DH, B, BH and M.

Be careful of mass domain account lockout with this. For example, assume you are checking several accounts against many domain workstations. If you are not using one of the 'L' methods and these accounts do not exist locally on the workstations, each workstation will in turn pass the attempt to its domain controller, so every failed guess counts against the domain lockout threshold. This could cause a bunch of lockouts. Of course, it'd look like the workstations, not you, were doing it. ;)

**FYI, this code is unable to test accounts on default XP hosts which are not part of a domain and do not have normal file sharing enabled. Default XP does not allow shares and returns STATUS_LOGON_FAILURE for both valid and invalid credentials. XP with simple sharing enabled returns SUCCESS for both valid and invalid credentials. The SUCCESS-for-anything behaviour is what simple file sharing's guest-only model (the ForceGuest LSA setting) produces: every network logon is mapped to the Guest account regardless of the credentials supplied, so the session setup result says nothing about whether the password or hash was right. If anyone knows a way to test in these configurations...

Hash Example 1: Full pwdump check

[test.pwdump]
foo:1066:26390A40CF5AD25A4830DADF5E5D5E23:4209547164BF4A6740BF437D1482C58F:::
bar:1065:42A890C2D481585CAAD3B435B51404EE:792B4E931573C7D7610FA455D9AD6022:::
bla:1067:1769720DEDC36610AAD3B435B51404EE:BD00552FF0EDB090B1074AEB143AE80E:::

hydra -C test.pwdump server smbnt -m 'LH'

Hash Example 2: Individual user check

[test.pwdump]
1066:26390A40CF5AD25A4830DADF5E5D5E23:4209547164BF4A6740BF437D1482C58F:::
1065:42A890C2D481585CAAD3B435B51404EE:792B4E931573C7D7610FA455D9AD6022:::
1067:1769720DEDC36610AAD3B435B51404EE:BD00552FF0EDB090B1074AEB143AE80E:::

hydra -l foo -P test.pwdump server smbnt -m 'LH'

Hash Example 3: Individual user/pass check

hydra -l foo -p 1066:26390A40CF5AD25A4830DADF5E5D5E23:4209547164BF4A6740BF437D1482C58F::: server smbnt -m 'LH'
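As an added illustration (not code from this page, from JoMo-kun's patches or from Hydra), here is a Python rendering of what the SMBNT module has to do with the pwdump lines in the examples above: split each line into user, RID, LM hash and NT hash, form the value the module actually receives as the "password" (everything after the user name, which is exactly what -C, -P and -p hand it), and compute an NT hash from a plaintext password with a pure RFC 1320 MD4 that, like openssl's MD4_Update, takes its input length in bytes. The three sample lines are the ones from the examples above; the field names, the lm_disabled flag and the short-password heuristic (a trailing AAD3B435B51404EE LM half means the password was seven characters or fewer) are additions here, not part of the module.

```python
"""pwdump line handling and NT-hash computation (added example, not Hydra code)."""
import struct

MASK32 = 0xFFFFFFFF
# LM hash of an empty half (password shorter than 8 chars, or no LM hash at all).
LM_EMPTY_HALF = "AAD3B435B51404EE"
HEX = set("0123456789abcdefABCDEF")


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Plain RFC 1320 MD4 over a byte string. The length folded into the
    padding is derived from len(data) in BYTES; passing a bit count here
    (the mistake behind the v4.1 breakage) would give a different digest."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (hh, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate register roles (ABCD -> DABC ...)
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def parse_pwdump(line: str) -> dict:
    """Split 'user:rid:LM:NT:::' (or the user-less 'rid:LM:NT:::' form fed to
    -l/-P) into fields and sanity-check both hashes are 32 hex digits."""
    fields = line.strip().split(":")
    if len(fields) == 7:
        user, rid, lm, nt = fields[:4]
    elif len(fields) == 6:
        user, (rid, lm, nt) = None, fields[:3]
    else:
        raise ValueError("not a pwdump line: %r" % line)
    for name, digest in (("LM", lm), ("NT", nt)):
        if len(digest) != 32 or not set(digest) <= HEX:
            raise ValueError("%s hash is not 32 hex digits: %r" % (name, digest))
    lm, nt = lm.upper(), nt.upper()
    return {
        "user": user,
        "rid": int(rid),
        "lm": lm,
        "nt": nt,
        # what the smbnt module sees as the "password" with -C, -P or -p
        "hydra_pass": "%s:%s:%s:::" % (rid, lm, nt),
        "lm_disabled": lm == LM_EMPTY_HALF * 2,
        "short_password": lm[16:] == LM_EMPTY_HALF and lm[:16] != LM_EMPTY_HALF,
    }


# The three entries from the examples above (test.pwdump).
SAMPLE_PWDUMP = """\
foo:1066:26390A40CF5AD25A4830DADF5E5D5E23:4209547164BF4A6740BF437D1482C58F:::
bar:1065:42A890C2D481585CAAD3B435B51404EE:792B4E931573C7D7610FA455D9AD6022:::
bla:1067:1769720DEDC36610AAD3B435B51404EE:BD00552FF0EDB090B1074AEB143AE80E:::
"""


def audit(text: str) -> list:
    """Parse every line and return the entries, so a caller can pick the
    short-password accounts to crack first and still pass the rest by hash."""
    return [parse_pwdump(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for e in audit(SAMPLE_PWDUMP):
        print("%-4s rid=%d short=%s hydra -l %s -p %s"
              % (e["user"], e["rid"], e["short_password"], e["user"], e["hydra_pass"]))
    print("NT hash of 'password':", nt_hash("password"))
```

Running it lists bar and bla as having passwords of seven characters or fewer (their LM second halves are the empty-half constant), which is worth knowing before deciding what to crack and what to simply replay with -m 'LH'.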


CODE:
Hydra-NTLMsupport.diff
**Patch is against a clean Hydra 2.4 for SMB NTLM Password/HASH support only

Parallel Host Scanning

The purpose of this patch is to add functionality to the Hydra core to allow scanning multiple hosts concurrently. Currently, Hydra performs parallel logins to a single host. Now a user can execute parallel logins against parallel hosts. This greatly increases the speed at which one can lock accounts. ;)

Example: Check for usable entries in pwdump file

hydra -C test.pwdump -M windows_hosts.txt -T 8 smbnt -m 'LH'

This example tests each user listed in test.pwdump, along with that user's respective NTLM hash, against each host in windows_hosts.txt. The '-T 8' option causes Hydra to keep 8 hosts under scan at once until the server list is exhausted.


This patch also includes:

Reading servers from text file

Using the '-M FILE' option, a user can feed Hydra a list of servers to scan. The servers are scanned concurrently with '-T' or sequentially by default.

Displaying current login attempt

The '-X' option will display current information about each logon attempt, such as: username, password, attempt number and server.

Example '-X' output
New pair: host: "192.168.0.100" login "foo" - pass "bar" (1 of 1 completed)


CODE:
Hydra-ParallelScan.diff
**Patch is against a clean Hydra 2.4 and includes SMB NTLM Password/HASH patch


AAA Support in Cisco-Enable Module

Added the ability to use the '-l' option to specify a username if the Cisco device being tested uses AAA. The code is also reworked a bit so that it keeps sending the 'ena' string on the same connection rather than starting a new connection for each password check. This is significantly faster.


CODE:
cisco-enable_AAA.diff



Enjoy,
-j