HOW TO HACK ONLINE PASSWORD Step 1: Download & Install Tamper Data Before we start with THC-Hydra, lets install another tool that complements THC-Hydra. This tool is known as Tamper Data, and it is a plug-in for Mozillas Firefox. Since our IceWeasel browser in Kali is built on the open source Firefox, it plugs equally well into Iceweasel. Tamper Data enables us to capture and see the HTTP and HTTPS GET and POST information. In essense, Tamper Data is a web proxy similar to Burp Suite, but simpler and built right into our browser. Tamper Data enables us to grab the information from the browser en route to the server and modify it. In addition, once we get into more sophisticated web attacks, it is crucial to know what fields and methods are being used by the web form, and Tamper Data can help us with that as well. Lets download it from here and install it into Iceweasel. Install the Tamper Data Firefox add-on in Iceweasel. Step 2: Test Tamper Data Now that we have Tamper Data installed into our browser, lets see what it can do. Activate Tamper Data and then navigate to any website. Below you can see that I have navigated to Bank of America and Tamper Data provides we with each HTTPS GET and POST request between my browser and the server. HTTPS GET and POST requests for BOA. When I try to login to the site with the username hacker, Tamper Data returns to me all the critical info on the form. This information will be useful when we begin to use Hydra to crack online passwords. Tamper Data information for BOA login. Step 3: Open THC Hydra Now that we have Tamper Data in place and working properly, lets open Hydra. You can find it at Kali Linux -> Password -> Online Attacks -> Hydra. You can see it about midway among the list of online password cracking tools. Select the hydra tool. Step 4: Understand the Hydra Basics When we open Hydra, we are greeted with this help screen. Note the sample syntax at the bottom of the screen. Hydras syntax is relatively simple and similar to other password cracking tools. The initial help screen for Hydra. Lets take a look at it further. hydra -l username -p passwordlist.txt target The username can be a single user name, such as admin or username list, passwordlist is usually any text file that contains potential passwords, and target can be an IP address and port, or it can be a specific web form field. Although you can use ANY password text file in Hydra, Kali has several built in. Lets change directories to /usr/share/wordlists: kali > cd /usr/share/wordlists Then list the contents of that directory: kali > ls You can see below, Kali has many word lists built in. You can use any of these or any word list you download from the web as long as it was created in Linux and is in the .txt format. The default word lists available in Kali. Step 5: Use Hydra to Crack Passwords In the example below, I am using Hydra to try to crack the admin password using the rockyou.txt wordlist at 192.168.89.190 on port 80. An example of using Hydra.
Posted on: Fri, 03 Oct 2014 22:05:18 +0000
Trending Topics
Recently Viewed Topics
© 2015