H Y D R A

                      (c) 2001-2012 by van Hauser / THC
                       <vh@thc.org> http://www.thc.org
            co-maintained by David (dot) Maciejak @ gmail (dot) com
                 BFG code by Jan Dlabal <dlabaljan@gmail.com>

  		    Licensed under GPLv3 (see LICENSE file)



INTRODUCTION
------------
Number one of the biggest security holes are passwords, as every password
security study shows.
This tool is a proof of concept code, to give researchers and security
consultants the possiblity to show how easy it would be to gain unauthorized
access from remote to a system.

THIS TOOL IS FOR LEGAL PURPOSES ONLY!

There are already several login hacker tools available, however none does
either support more than one protocol to attack or support parallized
connects.

It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD
and OSX.

Currently this tool supports:

 AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET,
 HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET,
 HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP,
 MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere,
 PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP,
 SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2),
 Telnet, VMware-Auth, VNC and XMPP.

However the module engine for new services is very easy so it won't take a
long time until even more services are supported.
Your help in writing, enhancing or fixing modules is highly appreciated!! :-)



HOW TO COMPILE
--------------
For hydra, just type:

./configure
make
make install

If you need ssh module support, you have to setup libssh on your system, 
get it from http://www.libssh.org, for ssh v1 support you also need to add
"-DWITH_SSH1=On" option in the cmake command line.

If you use Ubuntu, this will install supplementary libraries needed for a
few optional modules:
 apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \
                 libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \
                 firebird2.1-dev libncp-dev
This enables all optional modules and features with the exception of Oracle,
SAP R/3 and the apple filing protocol - which you will need to download and
install from the vendor's web sites.

For all other Linux derivates and BSD based systems, use the system
software installer and look for similar named libraries like in the
comand above. In all other cases you have to download all source libraries
and compile them manually.



SUPPORTED PLATFORMS
-------------------
All UNIX platforms (linux, *bsd, solaris, etc.)
Mac OS/X
Windows with Cygwin (both ipv4 and ipv6)
Mobile systems based on Linux or Mac OS/X (e.g. Android, iPhone, Zaurus, iPaq)



HOW TO USE
----------
Type "./configure", followed by "make" to compile hydra and then
"./hydra -h" to see the command line options.
You make also type "make install" to install hydra to /usr/local/bin.
Note that NO login/password file is included. Generate them yourself.
For Linux users, a GTK gui is available, try "./xhydra"



SPECIAL OPTIONS FOR MODULES
---------------------------
Via the third command line parameter (TARGET SERVICE OPTIONAL) or the -m
commandline option, you can pass one option to a module.
Many modules use this, a few require it!

To see the special option of a module, type:
  hydra -U <module>
e.g.
  ./hydra -U http-post-form

The special options can be passed via the -m parameter, as 3rd command line
option or in the service://target/option format.

Examples (they are all equal):
  ./hydra -l test -p test -m PLAIN 127.0.0.1 imap
  ./hydra -l test -p test 127.0.0.1 imap PLAIN
  ./hydra -l test -p test imap://127.0.0.1/PLAIN



RESTORING AN ABORTED/CRASHED SESSION
------------------------------------
When hydra is aborted with Control-C, killed or crashs, it leavs a
"hydra.restore" file behind which contains all necessary information to
restore the session. This session file is written every 5 minutes.
NOTE: if you are cracking parallel hosts (-M option), this feature doesnt
work, and is therefore disabled!
NOTE: the hydra.restore file can NOT be copied to a different platform (e.g.
from little indian to big indian, or from solaris to aix)



HOW TO SCAN/CRACK OVER A PROXY
------------------------------
The environment variable HYDRA_PROXY_HTTP defines the web proxy (this works
just for the http/www service!).
The following syntax is valid:
  HYDRA_PROXY_HTTP="http://123.45.67.89:8080/"
For all other services, use the HYDRA_PROXY variable to scan/crack
via by default a web proxy's CONNECT call. It uses the same syntax. eg:
  HYDRA_PROXY=[http|socks4|socks5]://proxy_addr:proxy_port
for example:
  HYDRA_PROXY=http://proxy.anonymizer.com:8000

If you require authentication for the proxy, use the HYDRA_PROXY_AUTH
environment variable:
  HYDRA_PROXY_AUTH="the_login:the_password"



ADDITIONAL HINTS
----------------
* sort your password files by likelihood and use the -u option to find
  passwords much faster!
* uniq your dictionary files! this can save you a lot of time :-)
    cat words.txt | sort | uniq > dictionary.txt
* if you know that the target is using a password policy (allowing users
  only to choose password with a minimum length of 6, containing a least one
  letter and one number, etc. use the tool pw-inspector which comes along
  with the hydra package to reduce the password list:
    cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt



SPEED
-----
through the parallizing feature, this password cracker tool can be very
fast, however it depends on the protocol. The fastest are generally POP3
and FTP.
Experiment with the task option (-t) to speed things up! The higher - the
faster ;-) (but too high - and it disables the service)



STATISTICS
----------
Run against a SuSE Linux 7.2 on localhost with a "-C FILE" containing
295 entries (294 tries invalid logins, 1 valid). Every test was run three
times (only for "1 task" just once), and the average noted down.

			P A R A L L E L    T A S K S
SERVICE	1	4	8	16	32	50	64	100	128
------- --------------------------------------------------------------------
telnet	23:20	5:58	2:58	1:34	1:05	0:33	0:45*	0:25*	0:55*
ftp	45:54	11:51	5:54	3:06	1:25	0:58	0:46	0:29	0:32
pop3	92:10	27:16	13:56	6:42	2:55	1:57	1:24	1:14	0:50
imap	31:05	7:41	3:51	1:58	1:01	0:39	0:32	0:25	0:21

(*)
Note: telnet timings can be VERY different for 64 to 128 tasks! e.g. with
128 tasks, running four times resulted in timings between 28 and 97 seconds!
The reason for this is unknown...

guesses per task (rounded up):
	295	74	38	19	10	6	5	3	3

guesses possible per connect (depends on the server software and config):
	telnet	4
	ftp	6
	pop3	1
	imap	3



BUGS & FEATURES
---------------
Hydra:
Email me or David if you find bugs or if you have written a new module.
vh@thc.org (and put "antispam" in the subject line)
David (dot) Maciejak @ gmail (dot) com


Type Bits/KeyID    Date       User ID
pub  2048/CDD6A571 1998/04/27 van Hauser / THC <vh@reptile.rug.ac.be>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQENAzVE0A4AAAEIAOzKPhKBDFDyeTvMKQ1xx6781tEdIYgrkrsUEL6VoJ8H8CIU
SeXDuCVu3JlMKITD6nPMFJ/DT0iKHgnHUZGdCQEk/b1YHUYOcig1DPGsg3WeTX7L
XL1M4DwqDvPz5QUQ+U+VHuNOUzgxfcjhHsjJj2qorVZ/T5x4k3U960CMJ11eOVNC
meD/+c6a2FfLZJG0sJ/kIZ9HUkY/dvXDInOJaalQc1mYjkvfcPsSzas4ddiXiDyc
QcKX+HAXIdmT7bjq5+JS6yspnBvIZC55tB7ci2axTjwpkdzJBZIkCoBlWsDXNwyq
s70Lo3H9dcaNt4ubz5OMVIvJHFMCEtIGS83WpXEABRG0J3ZhbiBIYXVzZXIgLyBU
SEMgPHZoQHJlcHRpbGUucnVnLmFjLmJlPokAlQMFEDVE0D7Kb9wCOxiMfQEBvpAD
/3UCDgJs1CNg/zpLhRuUBlYsZ1kimb9cbB/ufL1I4lYM5WMyw+YfGN0p02oY4pVn
CQN6ca5OsqeXHWfn7LxBT3lXEPCckd+vb9LPPCzuDPS/zYnOkUXgUQdPo69B04dl
C9C1YXcZjplYso2q3NYnuc0lu7WVD0qT52snNUDkd19ciQEVAwUQNUTQDhLSBkvN
1qVxAQGRTwgA05OmurXHVByFcvDaBRMhX6pKbTiVKh8HdJa8IdvuqHOcYFZ2L+xZ
PAQy2WCqeakvss9Xn9I28/PQZ+6TmqWUmG0qgxe5MwkaXWxszKwRsQ8hH+bcppsZ
2/Q3BxSfPege4PPwFWsajnymsnmhdVvvrt69grzJDm+iMK0WR33+RvtgjUj+i22X
lpt5hLHufDatQzukMu4R84M1tbGnUCNF0wICrU4U503yCA4DT/1eMoDXI0BQXmM/
Ygk9bO2Icy+lw1WPodrWmg4TJhdIgxuYlNLIu6TyqDYxjA/c525cBbdqwoE+YvUI
o7CN/bJN0bKg1Y/BMTHEK3mpRLLWxVMRYw==
=MdzX
-----END PGP PUBLIC KEY BLOCK-----