PASSWORD CRACKING WITH HYDRA — PART 1

By Laksha
Published in CYSCOM VITCC, Jun 7, 2021

Hey, readers!

You may have heard from friends or relatives that their social media account has been hacked, or you might have gone through a similar situation yourself. So, let me start by asking you a question: “How does your Google account or any social media account get hacked?” Factually speaking, there are many possible ways. You might have given your password to someone or typed in your password in public, or you might be a victim of a phishing attack or any other social engineering attack. But there is also a significant chance that your password is not strong enough to withstand a brute-force attack. Now, I might sound like I am speaking Greek and Latin, so let me explain!

(Note: This is a two-part blog. This part is about password cracking only!)

What is hydra?

Hydra is a cross-platform, parallelised network login cracker available for Windows, Linux, FreeBSD, Solaris, and OS X. It is fast and extensible, and it supports numerous network protocols to attack.

We know that hydra cracks passwords, but how does it do it?

Password authentication:

Let’s say you are trying to log in to ‘your’ Gmail account. To do that, you are prompted with a screen to type in your Gmail ID and password. If you have put in the right password, then ‘boom’, you are able to access your account.

From here, you can understand that passwords are used for user authentication and make sure that only “you” are accessing your account. But this doesn’t imply that your account is safe from being accessed by others. Consider what happens if the password you use for an account is saved as plain text in the accounts database. If there is a data breach, or there is a malicious insider in the backend, he/she can easily gain access to all of the user accounts on the system.

So, do you think that Google or any social media giant would save your password as plaintext? The answer is a big NO! Then how do they verify that you have typed in the correct password? A well-designed password-based authentication system hashes your password (NOTE: “hashes”, not “encrypts”) using a certain algorithm and saves only your password hash. That way, your password text is not leaked out publicly.

When you type in your password, the hash of whatever text you entered is generated and compared with the hash stored at the server end, which is almost as good as comparing the real passwords.
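
The store-only-the-hash and compare-hashes flow described above, as an added example (not code from the original post). The article names no algorithm, so the per-user random salt, PBKDF2-HMAC-SHA256 with 600,000 iterations, and the AccountStore class are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Assumed parameters for this example; the article names no algorithm.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are stored, never the password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class AccountStore:
    """Hypothetical in-memory stand-in for the server's accounts database."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def verify(self, username: str, attempt: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Unknown user: do the same hashing work so response time is similar.
            hash_password(attempt, b"\x00" * SALT_BYTES)
            return False
        salt, stored = record
        _, candidate = hash_password(attempt, salt)
        # Constant-time comparison of the two hashes, not of the passwords.
        return hmac.compare_digest(candidate, stored)

    def dump(self) -> dict[str, tuple[bytes, bytes]]:
        """What a data breach or malicious insider would see: salts and hashes."""
        return dict(self._records)


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "constructed-sample-password")
    print(store.verify("alice", "constructed-sample-password"))
    print(store.verify("alice", "wrong-guess"))
```

Because each account gets its own salt, two users with the same password end up with different stored hashes, and the slow key-derivation step raises the cost of every guess made against a leaked database.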

What is password cracking?

So, when your password is hashed, how does your password get into the hands of the hacker? Hackers crack your password using the process of “password cracking”, in which the password is extracted from the associated password hash. This introduces us to the types of credential-stealing attacks that can be accomplished.

  • Brute-force attack: It is one of the old yet effective and popular attacks, and it involves guessing the username and password to gain unauthorized access to a system. There is only a finite number of potential passwords of a given length. This attack is slow, but it has a high probability of cracking the password.
  • Dictionary attack: This is brute-force in nature but more efficient than plain brute-forcing. Most people use weak and common passwords. Making a list of commonly used words and their permutations enables a password cracker to crack numerous passwords very quickly. However, if the password is unique, a dictionary attack won’t work.
  • Hybrid attack: It mixes both of the above techniques. It falls back to brute force if the dictionary attack fails.
  • Password spraying: In traditional brute-forcing, passwords are tried one after the other continuously, and the server may detect this unusual activity and block your IP. This can be overcome by using password spraying, where you try passwords at a certain interval of time for a particular user.

Hydra is capable of carrying out all these attacks for the majority of the protocols available. In the next part of the blog, let’s get hands-on experience of how Hydra works.

Here is a link to Part 2 of Password Hacking with Hydra.

Happy hacking!

Connect with me on LinkedIn!
