How to Crack Online Passwords with Tamper Data & THC Hydra
Welcome back, my tenderfoot hackers!
Not too long ago, I showed how to find various online devices using Shodan. As you remember, Shodan is a different type of search engine. Instead of indexing the content of websites, it pulls the banner of web servers on all types of online devices and then indexes the content of those banners.
This info can be from any type of device including web servers, routers, webcams, SCADA systems, home security systems, and basically anything that has a web interface, which, in 2014, means just about everything.
I mentioned in my first Shodan tutorial that you can often access these devices by simply using the default username and password, as administrators are often lazy and neglectful. The question we want to address in this tutorial is: what do we do when the site requires credentials and the defaults don't work?
There is a tool that is excellent for cracking online passwords, and it is called THC-Hydra. Fortunately, it is built into our Kali distribution, so we don't need to download, install, or compile anything to use it.
Step 1: Download & Install Tamper Data
Before we start with THC-Hydra, let's install another tool that complements THC-Hydra. This tool is known as "Tamper Data", and it is a plug-in for Mozilla's Firefox. Since our Iceweasel browser in Kali is built on the open source Firefox, it plugs equally well into Iceweasel.
Tamper Data enables us to capture and see the HTTP and HTTPS GET and POST information. In essence, Tamper Data is a web proxy similar to Burp Suite, but simpler and built right into our browser.
Tamper Data enables us to grab the information from the browser en route to the server and modify it. In addition, once we get into more sophisticated web attacks, it is crucial to know what fields and methods are being used by the web form, and Tamper Data can help us with that as well.
Let's download it from here and install it into Iceweasel.
Install the Tamper Data Firefox add-on in Iceweasel.
Step 2: Test Tamper Data
Now that we have Tamper Data installed into our browser, let's see what it can do. Activate Tamper Data and then navigate to any website. Below you can see that I have navigated to Bank of America and Tamper Data provides me with each HTTPS GET and POST request between my browser and the server.
HTTPS GET and POST requests for BOA.
When I try to log in to the site with the username "hacker", Tamper Data returns to me all the critical info on the form. This information will be useful when we begin to use Hydra to crack online passwords.
Tamper Data information for BOA login.
Step 3: Open THC Hydra
Now that we have Tamper Data in place and working properly, let's open Hydra. You can find it at Kali Linux -> Password -> Online Attacks -> Hydra. You can see it about midway among the list of online password cracking tools.
Select the "hydra" tool.
Step 4: Understand the Hydra Basics
When we open Hydra, we are greeted with this help screen. Note the sample syntax at the bottom of the screen. Hydra's syntax is relatively simple and similar to other password cracking tools.
The initial help screen for Hydra.
Let's take a look at it further.
hydra -l username -P passwordlist.txt target
The username can be a single user name, such as "admin", or a username list; passwordlist is usually any text file that contains potential passwords; and target can be an IP address and port, or it can be a specific web form field.
Although you can use ANY password text file in Hydra, Kali has several built in. Let's change directories to /usr/share/wordlists:
kali > cd /usr/share/wordlists
Then list the contents of that directory:
kali > ls
As you can see below, Kali has many word lists built in. You can use any of these or any word list you download from the web as long as it was created in Linux and is in the .txt format.
The default word lists available in Kali.
Step 5: Use Hydra to Crack Passwords
In the example below, I am using Hydra to try to crack the "admin" password using the "rockyou.txt" wordlist at 192.168.89.190 on port 80.
An example of using Hydra.
Using Hydra on Web Forms
Using Hydra on web forms adds a level of complexity, but the format is similar except that you need info on the web form parameters that Tamper Data can provide us.
The syntax for using Hydra with a web form is to use <url>:<formparameters>:<failure string> where previously we had used the target IP. We still need a username list and password list.
Probably the most critical of these parameters for web form password hacking is the "failure string". This is the string that the form returns when the username or password is incorrect. We need to capture this and provide it to Hydra so that Hydra knows when the attempted password is incorrect and can then go to the next attempt.
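Every wrong guess in a run like the one above is a separate request that comes back with the failure string, so the target's access log records the whole attempt. The following added example (not part of the original post) flags that pattern from the defender's side; the login path /login.php, the addresses, and the assumption that a failed login re-renders the form with status 200 while a success redirects with 302 are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
# The login path /login.php and all addresses are assumptions for this example.
def _line(ip, sec, method, path, status):
    ts = f"10/Mar/2014:10:{sec // 60:02d}:{sec % 60:02d} +0000"
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'

SAMPLE_LOG = (
    [_line("203.0.113.7", s, "POST", "/login.php", 200) for s in range(40)]  # guessing run
    + [_line("198.51.100.20", 5, "POST", "/login.php", 200),   # one mistyped password
       _line("198.51.100.20", 30, "POST", "/login.php", 302),  # then a successful login
       _line("198.51.100.21", 12, "GET", "/index.html", 200)]  # ordinary browsing
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_guessing_sources(lines, login_path="/login.php", fail_status=200,
                          threshold=20, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for sources whose failed login POSTs
    reach `threshold` inside any sliding `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        ip, ts, method, path, status = m.groups()
        # Assumption: a failed form login returns fail_status; anything else is not counted.
        if method != "POST" or path.split("?")[0] != login_path or int(status) != fail_status:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

if __name__ == "__main__":
    for ip, count in find_guessing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 60s")
```

The threshold and window are starting values to tune against normal traffic; the same counter can drive throttling or temporary lockout instead of an alert.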
In my next Hydra tutorial, I will show you how to use this information to brute-force any web form including all those web cams, SCADA systems, traffic lights, etc. that we can find on Shodan.