Hydra Tool Can Crack Your Online Passwords

Here is a website link that discusses Hydra trying to crack online passwords at websites:

http://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html

The tool can attack (and iterate)  through a set amount of dictionary passwords to ssh and ftp server accounts very easily (without any extra configuration)

If there are website forms that have usernames and passwords (like WordPress or Joomla or other CMS(Content Management Systems)

 

There is a better web blog explaining what Hydra does and a successful sample attack:

http://cs337-unyunizer.blogspot.com/

hydrasnippetfromattack

The snippet is from the cs337-unyunizer.blogspot.com webpage

All the white responses are the attempts at hacking, while the green text response was the successful attack with the correct password.

 

So this tool makes finding a password easy to set up, the hard part of course is finding a good dictionary list of words to attack the username password  (this is also called brute-force password attack)

 

Interesting to note, but if CAPTCHA is implemented well, this method will not work at all.

So let’s say one is a criminal hacker, the key is to find a good password file (from known passwords on the internet) there are likely files out there which allow the criminal to amass a decent password file, which would allow you to attack sites with this password dictionary file. Or one can generate a fgile on their own.

 

A good Google search can start the hacker on the way to building this file.

http://security.stackexchange.com/questions/1376/where-can-i-find-good-dictionaries-for-dictionary-attacks  is an example. of a link.

There is a list of password dictionaries at this site https://wiki.skullsecurity.org/Passwords . There are some lists that were used by the Conficker worm to spread.

As well as some leaked passwords (like from Sony etc. that have been compiled here.

So you can see it is a relatively straight forward method to try and go after online websites that have username and passwords.

Why am I saying this?  Because we ahve to become better at making passwords, change your passwords, make them longer and use less known words combinations with numbers and special characters. And the longer the better, to the tune of 10-20 letters.

 

Check this xkcd comic:  http://xkcd.com/936/  Tries to show pictorally that it is better to run together several words rather than using difficult combinations that cannot be remembered.

 

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.