Forum Thread: Hey Guys LONG TIME READER First Time Poster. I'm

I just wanted to say I love this site. It's become my new home page and first stop for all computer questions.

I have a lot of questions about Kali Linux and hydra linux. I recently downloaded hydra linux and hydra was not under the applications. After searching around and screaming at my computer I finally opened the terminal and typed in hydra. Sure enough, Hydra showed up. I then tried yhydra and the GUI version of hydra popped up. So I was pleased with that.

I know people don't enjoy having a noob asking a ton of questions (especially questions that have been answered on the web), so I'm going to say this right away. If there is anyone out there who would like to mentor me in Kali Linux (emphasis on thc-hydra) I would greatly appreciate it. But I do have a few questions and I have searched everywhere I can think of for these answers. So any help would be appreciated.

Question 1: I have seen the command code written different ways on different sites, all for the same purpose. Hacking gmail or cracking gmail, I guess. I tried about 4 different ways of writing the command code and seemed to get one to work.

Can someone give me their preferred way to write the cmdcode for cracking SMTP?

2: I am trying to crack into a web based form. There is a tutorial on here about using hydra and tamper data (informative), but I figure if I have hydra GUI it would make it easier so I didn't screw up any cmdcode. But I cannot for the life of me find any tutorials describing how to crack a web based login using GUI hydra (GUI or not, it's still a bit complicated for a noob). I can't find almost anything informative on hydra GUI.

Can someone explain to me how to crack a web based login with GUI hydra?

3: I want to get more into cracking and understanding codes and commands. Are there or is there a goodfellas online course you would recommend?

Thanks guys.

12 Responses

Hey washu,

Thanks for the link to the bash script. I followed the directions and it worked up until I tried to enter the password list. I have the password list saved in the root file as "password.txt". When I try to enter the password list it says "PERMISSION DENIED".

Do you know anything about this?

Ok so I just realized I had to get permission. I got the script to run but it went right past the real password. (I tested it on my account.) So that sucks. But I noticed there was no "denial string" or whatever it's called.

Can you explain your problems with the GUI (xHydra)? All a GUI does is take the information you put into the textboxes and convert it into a cmdline code, so you would need the same information either way.

For cracking I'd start with learning basic types of encryption and then how to capture hashes. Once you have the hashes you can try a brute force or dictionary attack, with the latter being much much faster. If your password is under 7 characters this site will attempt to crack it for free (if it's longer it will cost a few $$):

http://www.onlinehashcrack.com/

Thanks guys, lots of help.

My problem with the GUI is I'm not exactly sure what information to add or what buttons to "check". I used tamper data to get the "get, post" but I don't see where to put the "denial string".

With hashing I am just at a loss. I'm aware of programs like John the Ripper for hash cracking but I have no idea how to get hashes. Type in Google "how to get hashes" or "learn to hash crack" and all I get is information on programs or how to crack the hashes. BUT I CAN'T FIGURE OUT HOW TO GET THESE DAMN HASHES! :) ??

Is it possible to get hashes for a small niche website with maybe a couple thousand members? As far as I have learned, hashes are more for your own personal computers or maybe a work network, but I can't figure out how to get hashes. Could somebody send me in that direction? I will also research on this site.

I have a goal and a specific login I want to crack. I've been studying up on this for about a month now and I'm not getting very far. But this is my first post on this ever. Thanks again guys. I'll look into everything you guys posted.

Sweetcorn.

There are a LOT of types of hashes, you get them and crack them each in a different way.

You said you have a specific target, what is it? If it's a website, sometimes you can get the hash intercepting a cookie, sometimes you just get a session ID (might look like a hash, but it's not...). It works on old CMSs only, as new ones usually have other auth schemes.

Also, hydra does not crack hashes, it's meant only for a 'live' attack on the server, while hash cracking is mostly done offline.

Yes I am aware of the differences between hashing offline and cracking online. I just have no idea how to get hashes. I can't find info on how to get hashes.

My specific target is an email account. But I figured trying to brute force gmail would be fairly difficult without the target knowing. I would assume gmail would shut it down or send the target an email saying too many log in systems or something. But I know another site the target uses or used to use, so I'm trying to crack that because I'm pretty sure it's the same password as email. So my ultimate target is a gmail account and to get into that I am trying to crack the password for the target's match.com account.

So there, that is my goal. Do you guys think it's a good idea to try to brute force the match.com account? Can it be done?

Blindly brute forcing is never a good idea... it takes too much, it leaves a lot of tracks, it raises too many red flags. Unless you do it intentionally: you can brute force until you're locked out, just to be sure the user is warned by google, then try to phish them. Google will tell them that someone tried to break in, then you will write them a fake mail to promptly change the password (on your fake site). Have a mail notify you about when he does it, then immediately login and change the password to his new password. Not sure it would work, but that's an idea :P

OR you can focus on match.com, that looks easier to break (site supports https, but it's not by default, it's mandatory only on login form, but that can be manipulated because main page is not https). If you make your victim join the same (w)lan and make a MITM, he wouldn't even notice you grabbed his plain text password.

I don't have an account so I don't know how passwords are stored, but you can try it yourself.

Thanks teiphat. The victim lives out of state so I can't get him in the same LAN. I tried social engineering with Google "forgot my pass". I got all the way to the part where they were ready rinsed it to me but they said my IP wasn't in the same region. I was thinking, maybe I could use a proxy from the victim's region? Would that work? I'll try it. But I'm not sure how to get a proxy from the Mount Prospect, Illinois region. Also I tried the same thing on my email account and it said the same thing, that I was in the wrong region, so I don't know. The victim is also on HIGH ALERT. I'll figure something out.

A proxy might work, but then you have to find the right one (and hope google won't block you anyway, because it can detect you're using a proxy). There are a lot of free proxy websites, you should first filter out the USA ones and then traceroute their location. Or ask a local Illinois friend to set up a proxy for you. If victim is on high alert, he might have already tightened his account settings.
