Hack Like a Pro: How to Crack Online Passwords with Tamper Data & THC Hydra

How to Crack Online Passwords with Tamper Data & THC Hydra

Welcome back, my tenderfoot hackers!

Not too long ago, I showed how to find various online devices using Shodan. As you remember, Shodan is a different type of search engine. Instead of indexing the content of websites, it pulls the banner of web servers on all types of online devices and then indexes the content of those banners.

This info can be from any type of device including web servers, routers, webcams, SCADA systems, home security systems, and basically anything that has a web interface, which in 2014, means just about everything.

I mentioned in my first Shodan tutorial that you can often access these devices by simply using the default username and password, as administrators are often lazy and neglectful. The question we want to address in this tutorial is—what do we do when the site requires credentials and the defaults don't work?

There is tool that is excellent for cracking online passwords and it is called THC-Hydra. Fortunately, it is built into our Kali distribution, so we don't need to download, install, or compile anything to use it.

Image via Shutterstock

Step 1: Download & Install Tamper Data

Before we start with THC-Hydra, let's install another tool that complements THC-Hydra. This tool is known as "Tamper Data", and it is a plug-in for Mozilla's Firefox. Since our IceWeasel browser in Kali is built on the open source Firefox, it plugs equally well into Iceweasel.

Tamper Data enables us to capture and see the HTTP and HTTPS GET and POST information. In essense, Tamper Data is a web proxy similar to Burp Suite, but simpler and built right into our browser.

Tamper Data enables us to grab the information from the browser en route to the server and modify it. In addition, once we get into more sophisticated web attacks, it is crucial to know what fields and methods are being used by the web form, and Tamper Data can help us with that as well.

Let's download it from here and install it into Iceweasel.

Install the Tamper Data Firefox add-on in Iceweasel.

Step 2: Test Tamper Data

Now that we have Tamper Data installed into our browser, let's see what it can do. Activate Tamper Data and then navigate to any website. Below you can see that I have navigated to Bank of America and Tamper Data provides we with each HTTPS GET and POST request between my browser and the server.

HTTPS GET and POST requests for BOA.

When I try to login to the site with the username "hacker", Tamper Data returns to me all the critical info on the form. This information will be useful when we begin to use Hydra to crack online passwords.

Tamper Data information for BOA login.

Step 3: Open THC Hydra

Now that we have Tamper Data in place and working properly, let's open Hydra. You can find it at Kali Linux -> Password -> Online Attacks -> Hydra. You can see it about midway among the list of online password cracking tools.

Select the "hydra" tool.

Step 4: Understand the Hydra Basics

When we open Hydra, we are greeted with this help screen. Note the sample syntax at the bottom of the screen. Hydra's syntax is relatively simple and similar to other password cracking tools.

The initial help screen for Hydra.

Let's take a look at it further.

hydra -l username -p passwordlist.txt target

The username can be a single user name, such as "admin" or username list, passwordlist is usually any text file that contains potential passwords, and target can be an IP address and port, or it can be a specific web form field.

Although you can use ANY password text file in Hydra, Kali has several built in. Let's change directories to /usr/share/wordlists:

kali > cd /usr/share/wordlists

Then list the contents of that directory:

kali > ls

You can see below, Kali has many word lists built in. You can use any of these or any word list you download from the web as long as it was created in Linux and is in the .txt format.

The default word lists available in Kali.

Step 5: Use Hydra to Crack Passwords

In the example below, I am using Hydra to try to crack the "admin" password using the "rockyou.txt" wordlist at 192.168.89.190 on port 80.

An example of using Hydra.

Using Hydra on Web Forms

Using Hydra on web forms adds a level of complexity, but the format is similar except that you need info on the web form parameters that Tamper Data can provide us.

The syntax for using Hydra with a web form is to use <url>:<formparameters>:<failure string> where previously we had used the target IP. We still need a username list and password list.

Probably the most critical of these parameters for web form password hacking is the "failure string". This is the string that the form returns when the username or password is incorrect. We need to capture this and provide it to Hydra so that Hydra knows when the attempted password is incorrect and can then go to the next attempt.

In my next Hydra tutorial, I will show you how to use this information to brute-force any web form including all those web cams, SCADA systems, traffic lights, etc. that we can find on Shodan.

Cover image via Shutterstock

113 Comments

Did he write is next hydra tutorial on hacking web forms yet?

OTW
i know that i can't spoof my ip during an online brute force attack
because i have to syn ->syn ack->ack to send data..
and if i spoof ip addr, the syn ack will never be received.. RIGHT?
what can i do to spoof my ip and complete the attack?

Dark:

When using TCP, as you say, you can't spoof your IP. This is where the best anonymizing would be either ToR or proxychains.

OTW

OTW:
ok thanks..

hey i m new to this but js out of curiosity .. want to knw can i hack password of a person whn the person is not evn using the id.. can i still get the password ?

To answer your question, you will need to know the username to have a chance of hacking the password. I think grammar is important on this site because not everyone's first language was English, you are more likely to get help from someone if they can read your question so please try type things properly.

Snowman

Diya:

Welcome to Null Byte!

Yes, you can hack the password of the person without even knowing the username, but it is much faster if you know the username as Snowman says. I would also agree with Snowman that asking you questions in precise and proper English, without the text acronyms (js, knw,evn), is important to conveying what you are looking for.

OTW

Hi

Having trouble finding these password lists in Kali , type in command line to the T , with no luck

Brook:

Can you provide me a screenshot?

OTW

have worked out, had no space in my typing doh

Would love to go in more on hacking wifi surveillance cameras :-)

Brook:

Hydra can be used to hack any web app including web surveillance cameras. In my next Hydra tutorial, I show you how to use it hack web forms of any type.

OTW

Great tutorial, really looking forward to the next one

Hi everybody.
I've only one problem:

When i try a list of pass, when i'm hacking My Facebook account or My google account, hydra says that all the pass are valid pass!

I've sniffed with wireshark the port and the ip address of the site (Facebook, google etc) and i'm dure that is all right in The command in My terminal.. The port is 443. Have you dome solution about this problem?? I've already googled but no solution was found..

I would like to see a tutorial about FB hacking, remotely.
Not in local Wifi, and not a simple phising page via kali LINUX.

thanks bro !

Does this work for all sites ? Or should I ask : Is this going to work on a specific website I would like to break in ? I will wait for response .Thank you

Alexandra:

It will work for password cracking of any online application.

OTW

Not really. It's depend on individual security, it mean it depend on your victim and your 'way' to crack it.

hey OTW, i am new here, and like you stated above, i tried the whole process just as is. now there is this funny thing coming up on my screen. I would like you to share some thoughts regarding it, Thanks!

Image via imgur.com

you have to write -P instead of -p

Ankit:

What are you asking me? It looks like it cracked the admin password. Congrats!

OTW

hahaha, thats the point.. it says it has cracked the password, but the password isn't "/usr/share/wordlists/rockyou.txt", cos its my own router :p

now if i have to go through each password on that wordlist, isn't this whole process just futile?

I'm having the same issues, I don't know if the password is blank or what? Someone please respond.

If the password is not on the list you are using, it won't find it. Try another list.

The weird thing is that hydra displayed: "username: mysql password: /home/user/desktop/rockyou.txt 1 out 1 target successfully completed, 1 valid password found" so I though the password was blank or hydra is saying the password is in that wordlist. Because it usually displays: 0 valid password found.

Ankit:

Did you run all the way through the password list? Of course, you have to run through the entire list. What do you mean it is futile?

OTW

Greetings. Is this one of those routers with l:admin p: (blank) ?

Try: #~hydra -t 5 -V -f -l admin -e ns -p rockyou.txt xxx.xxx.xxx
Maybe you need to tweak this a little, maybe not.

Thanks, that worked. ;)

It worked in displaying the password, but it gave me the wrong password, because I tried to log in and it keeps saying access denied.

Run same cmd chg 5 to 10. If same result take the -t and number out.

The -f is force stop on right password.

BTW this is the part where if this is your server that you can vet if the pwsd is correct.

Can anyone give me some syntax if i were to crack an online form that i know the username to, for example what would go in the <formparamters> and <failurestring> spaces???

hello admin
can u tell me the full roll of tamper data in cracking pass

and
hyfra search wrong password :/

i was wondering if you can tell me a bit more about THC-Hydra like i don't understand about how you use the passwords file and users file to crack passwords

I am new to all this awesome topics and am trying to hack a facebook password, (MIne of course) just to learn more about LINUX Because I think it is great. What would be the process to doing that? is there a tutorial anywhere I can study from?

go to openclassroom the best site web to learn all in informatique

could you help me in getting in "administative" account into my router? this is the login.asp page

my router is a Gemtek hybrid wimax/lte device. I did not found any useful on the web about "admin" account and the manufacturer is a lot far away to support me properly.

this are all the info I got from source page:

document.write('<td><input type="text" class="inputname" id="username" name="username" onKeyPress="if(event.keyCode == \'13\') Validate();" size="20" maxlength="65" autocomplete="off"></td>');

document.write('<td><input type="password" class="inputpwd" id="userpasswd" name="userpasswd" onKeyPress="if(event.keyCode == \'13\') Validate();" size="20" maxlength="64" autocomplete="off"></td>');

and
function checkascii(obj)
{
for(i=0;i<obj.value.length;i++)
{
if(obj.value.charCodeAt(i)>126||obj.value.charCodeAt(i)<32)
{
return false;
// obj.value=obj.value.replace(new RegExp(obj.value.charAt(i),"g"),"");
these were the only info I read from source login.asp page. thx for Ur help?

hey i'm new at this, i want to ask what is the function of Tamper Data? do you use it to know IP address and port of a website?

Tamper Data is not to find the IP address and port of the website. That can be found through nmap and other simple tools. Tamper Data helps us to understand how the web form is using our info. It displays the type of requests and the responses from the server. In that way, we can tailor our password cracking in THC Hydra.

Hi

I am using Kali Linux and need some help with hydra for dictionary attack. Is there a way to make it faster other that changing -t? I have 2.7 million combinations and it's taking a long time. I can use only hydra and the hint given is to automate hydra. I have searched but with no luck. Any help is welcome...

Guys i want to hydra gtk bruteforce mail.in.com(email) but i can't find out its target,port,protocol info .. i head it can be found online but so far no luck, I'll be grateful if someone provides me with some info

Hi, I'm a little confused on the process. Am I interpreting it correctly that this program makes several attempts at cracking the password on a site and most of them fail and then it stops when it gets the successful password? I'm talking about a website where I have the username and need to get the password to log on. Won't it trigger some sort of security if its done this way and there are multiple failed log in attempts? Sorry if I'm missing something, I'm new to all of this and just trying to get an idea of how this whole thing works.

Hi, I tried to run hydra.exe from thc-hydra-windows-master archieve on windows 7 and nothing happens. Please advice, how to proceed!

Archives and Instructions found at: https://github.com/vanhauser-thc/thc-hydra and https://github.com/maaaaz/thc-hydra-windows

thc-hydra-master ARCHIEVE FOUND AT: https://github.com/vanhauser-thc/thc-hydra

thc-hydra-windows-master ARCHIEVE FOUND AT: https://github.com/maaaaz/thc-hydra-windows

README FILE also at : http://textuploader.com/oyhn

Thanks

Andy:

Use THC-Hydra in Linux. It works.

Thanks but I do not use Linux and I do not know anything about Linux. I am using windows 7.

Andy:

If you want to be hacker, you must use Linux. We are all using Kali Linux. You can't really be hacker using Windows. Check out my article here on why.

I also have a series on learning Linux here .

OTW

I know this is a late comment, but on tamperdata, where does it show you the type (eg; POST) and where does it show you the 'post' details? Thanks for your help.

Hey, this was an incredible tutorial but I have a couple questions...

1)Say my potential victim is on their own computer...What method do I use to get their username? I think I saw you have a tutorial on how to install software on their computer...but then why not just install a keylogger...If I come across as a jerk I appologize I'm just trying to learn :)

2)Is there a way to anonymize yourself? I think you can use tor? or would it just be easier to go through a free vpn?

3)Could you make a list or send me to a link of what the letters mean in your script and how to know when to put them in and where in the script they go (like -l, -p, etc.)

Thanks again for the awesome tutorials

Forgot to mention. Welcome to Null Byte.

Oi mate,

  1. OTW's Tutorials.

1.1 Keylogger is fine if all you want is a thin data stream and 90's to boot. (If you can get a keylogger in, you could of got something better in?)

  1. Sure.

2.1 ToR is kinda anonymous still: Rouge fdral nodes but you are in a crowd. They purposely degrade the performance of the ToR network as well.

2.2 VPN: Log retention? (Pretty sure it's (un)official that every backbone fiber line is tapped now.)

  1. Umm: Probably not but maybe. In the mean time for your viewing enjoyment. :~ thc-hydra --help

;-p

Thanks a lot! That actually helped a lot

I tried to hack a gmail acc, and everything worked out fine until gmail blocked me for too many try.
I think they banned me after 150 requests.

I were just wondering about there was a way to pass this "ban." ?

I need to use wordlists over 150 words if it should be realistic, so there is no way that i can use wordlists beneath 150.

If anyone have a idea how to pass the block,
would a reply be highly appreciate!
thanks :)

OTW
Looks like i came late
but i hope , you reply
the post was very good
but right now , iam not using linux , instead windows
i have tried password cracking with cain and abel and it worked
but i needed a tool to hack online //telnet - http - smtp//
i know only brutus in this category and it keeps failing to crack even very simple telnet logins
i need help and possibely guidence
iam reading "Hacking for dummies" to learn more
also iam a CCNA-MCITP - and soon CCNP - If that matters
thank you in advance

Amr:

I strongly suggest that you install Kali Linux if you want to really learn hacking.

OTW

Hello ! I need some help for hacking an instagram account. I know this might be illegal but that account is made by someone in our school and he's using it to show everyone private information about some of my friends, aswell as about me. If you can't help me out, it's okay, but if you can, that'd be great ! :)

Hey OTW. How do I open Kali linux? I have a Mac:)

Did you install it in a VM?

What is a VM? Just download it from kali linux.

Did you read my tutorial on installing Kali?

Where is it? I don't see the tutorial! I appreciate your help:)
Do you have a link?

Hello OTW, I have a few questions...

I tried it so far but now when I want to break the password of gmail account, I need to get the IP from gmail.com or by the person who own the account? What is the best method to find out the IP and the port?

The next question is about the word lists, when I use the command - /user/share/wordlists - I get given word lists? I can use them?

sorry for my questions, but I'm trying to understand it and get forward ...

Thank you!

Beni:

First, THC-Hydra is a brute force password cracking tool. Gmail will not allow you to continue to guess indefinitely, so it is probably the wrong tool for this job.

That having been said, you can use any wordlist you want. Some are better than others. It's important to choose the appropriate wordlist for the job to increase your chances of success.

OTW

you have a tutorial what could be the right way to continue in this?

Hello, any progress with the tutorial about hydra and web form? I was looking through your articles but was not able to find something. Thanks!

I'll have one out so soon, so keep coming back.

Hi OTW!! I am new here and I started with this tutorial. But I have got a problem. In step 4. When i wrote cd/usr/wordlists cmd says that this directory doesnt exist. How can I fix this?

Simon:

Welcome to Null Byte!

The command should be "cd /usr/share/wordlists". You copied it incorrectly.

OTW

...patiently waits for almost a year since original article was written for promised follow up that is said to be "coming soon"...

Tried just about every combo of commands I could think of. I have an xfinity router that does not have the pop-up style login. I also could not figure out how to add the username and pw to the url in a way that attempted authentication.

When trying the different types of requests (http-get, http-get-form, etc) I would either get all the passwords working or all of them failing when the correct password was the fifth entry in the word list.

Thanks for any help!

You showed how to install tamper data,but you didn't show us how to install hydra. I tried looking up download links to hydra but I couldn't find any! You need to show how to download hydra!

Hydra is built into Kali. No need to download anything.

What if you use Windows 7 instead of Kali?

Windows is not a hacking platform.

I think I'll install virtual box and use kali that way. Then,I might could start hacking from there. Is there a better way?

What is a better way? Should I use brute force instead? I installed brute force one time and it didn't give me the shortcut.

What about burpsuite?

Also,is there a more simple way to crack passwords? You know,like putting the URL of the site down and typing in the username of who's password you want to crack and then it processes it and cracks it?

Will this be effective for obtaining passwords to sites that require no username?

Jonathan:

I have never tried it with a site that requires just a password, but I don't see why not. When you are building the command, just leave out the username. Give it a try and let us know how it works.

How does Hydra know what website to crack on? Like if I'm trying to brute force on Steam , how will it know that I'm not trying to brute force let's say facebook if I have them both on tab? Is that what the port and ip was for? And one more question how does it bypass the password limit lock? I'm a HUGE fan of yours awesome guides

It doesn't work through your browser. It only attacks the IP and port you specify. Likely it cannot bypass such preventative measures. Brute force attacks will not be effective against locks.

Can I hack games like Smallworlds? Like breaching data and stuff?

This might be a very idiotic question. But how do i open Tamper Data after I've installed it to Firefox?

In the Menu bar-> tools-> Tamper data

any one know what is the direbuster and how can i work it

I have a tutorial on dirbuster. It basically finds the directories of a website.

I have one problem, when I start Tamper data and try to login. All good, but I dont know where I can get the ip adress, which I must write in the hydra commment?

I'm currently learning all about THC-Hydra because i find Brute Forcing one of the more interesting topics to learn about and discuss. I get how to use hydra -l username -p passwordlist.txt. When it comes to Tamper Data i get confused. I have programmed a login system in Php and i want to Pen-test it. I'm what would be considered a noob at this stuff. So my main questions are

-How do i understand Tamper Data in a simple way.

-How do i use hydra to get the password of an account of a login system i created in Php.

-What can i start learning to help me with this stuff.

Please Respond to this post and thank you for this helpful post!

Okay, I am severely confused on how to download Kali, I have the person IP address and was wondering if anyone would like to do this for me? Or at least help me download kali XD

So wonderful,But does he miss something? where is the next Hydra tutorial?

OTW
hi i am new in hacker things i installed kali linux one month ago
can i use xhydra to crack hotspot admin login account ?

please tell me how to use it right i tried to do that but it gave wrong password i think that because hotspot use proxy login page right ?

and i didn't understand tamper data usage and how to get the ip of a website
that is what tamper data gave when i try login to the hotspot

NOTE
maybe you will find some syntex mistake that because i am noot good in english
thanks for your article.

don't worry about ip i am using ping to get it but i can't get the port

Does an instant message web page records all the passwords of their usernames? Even if they enter their username and password using a software on their computer?

Is this correct? usr/share/wordlists# hydra -l username -P passwordlist.txt target <url> <formparameters> <failure string>

Where can I find the failure string?? Is it possible to do that? Thanks in adavance :)

Hello everyone

Does this strategy works on online games? And would i get IP ban or be blocked if i did crack a password... I know a lot of accounts on the game i go on stopped playing since 5 years .. Please tell me

I have further questions for the moderator or writer of this article. I am in desperate need of a tool to hack my own email. Beginners level as I understand nearly nothing about computers.

You ask why, because either I have forgotten the password or someone else hacked and hijacked my account and recovery options. I suspect the latter is more true but I can't get the ISP to do anything about it. They forum of help is super limited and pretty much they tell me they cant do anything I am SOL. I figure my account means I should be allowed to hack my own shit...I am ethical.

I have been through the utterly pointless circular system of contacting the email provider who snidely says ...figure it out on your own because we do not help people with free accounts now. They used to but not anymore and you cant get a real person anymore ...just a lot of run around via these automated options.

Once I gain access to my email... I plan to port all my emails and contacts to a better email system. I am tired of the no service unless their is profit in it attitude. And I am tired of them getting hacked but telling the rest of us that it isn't their problem. I do not like the attitude...I have been with them since the 2004ish mark (had more than one account).

I did set up a recovery but that was also compromised so that is a pointless endeavor. So if one of you genius types is willing to help me to get from point A to B...I would greatly appreciate it. I especially liked Allen Freemans hacking article. I do not think all hacker are disreputable...I think there are ethical people with these skills so I am seeking one of you to contact me.

Thanks....
great articles but way way beyond my head.

I was using HYDRA GTK where on different executions, HYDRA displayed successful password every-time with a different set of string. Each of them was invalid. If any-one faced this problem or knows the solution, please help.

I have a problem when I tried THC hydra

I used this code.....
hydra -l <email> -P \Users\neo\documents\rockyou.txt -e ns -V -S -s 465 smtp.gmail.com smtp

And the result is..

Hydra (http://www.thc.org/thc-hydra) starting at 2017-11-10 15:52:51
INFO several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
DATA max 16 tasks per 1 server, overall 64 tasks, 14344400 login tries (l:1/p:14344400), ~14008 tries per task
DATA attacking service smtp on port 465 with SSL
ERROR socketpair creation failed: Connection timed out
ERROR socketpair creation failed: Connection timed out
ERROR socketpair creation failed: Connection timed out
ERROR socketpair creation failed: Connection timed out
ERROR socketpair creation failed: Connection timed out

why its happening and what is the solution?

Share Your Thoughts

  • Hot
  • Latest