How to Crack Online Passwords with the Tamper Data Add-on & THC-Hydra
Download & install tamper data
Before we start with THC-Hydra, let's install another tool that complements THC-Hydra.
This tool is known as "Tamper Data", and it is a plug-in for Mozilla's Firefox.
Since our IceWeasel browser in Kali is built on the open source Firefox, it plugs equally well into Iceweasel.
Tamper data enables us to capture and see the HTTP and HTTPS GET and POST information.
In essence, Tamper Data is a web proxy similar to Burp Suite, but simpler and built right into our browser.
Tamper data enables us to grab the information from the browser en route to the server and modify it.
In addition, once we get into more sophisticated web attacks, it is crucial to know what fields and methods are being used by the web form, and Tamper Data can help us with that as well.
Install the Tamper Data Firefox add-on in Iceweasel.
Test tamper data
Now that we have Tamper Data installed into our browser, let's see what it can do.
Activate Tamper Data and then navigate to any website.
Below you can see that I have navigated to Bank of America and Tamper Data provides me with each HTTPS GET and POST request between my browser and the server.
When I try to log in to the site with the username "hacker", Tamper Data returns to me all the critical info on the form.
This information will be useful when we begin to use Hydra to crack online passwords.
Tamper Data information for BOA login.
Open Hydra
Now that we have Tamper Data in place and working properly, let's open Hydra. You can find it at Kali Linux -> Password Online Attacks -> Hydra.
You can see it about midway among the list of online password cracking tools.
Step 4: Understand the Hydra Basics
When we open Hydra, we are greeted with this help screen.
Note the sample syntax at the bottom of the screen.
Hydra's syntax is relatively simple and similar to other password cracking tools.
Let's take a look at it further.
hydra -l username -P passwordlist.txt target
The username can be a single user name, such as "admin", or a username list; passwordlist is usually any text file that contains potential passwords;
and target can be an IP address and port, or it can be a specific web form field.
Although you can use ANY password text file in Hydra, Kali has several built in.
Let's change directories to /usr/share/wordlists:
kali > cd /usr/share/wordlists
Then list the contents of that directory:
kali > ls
You can see below, Kali has many word lists built in. You can use any of these or any word list you download from the web as long as it was created in Linux and is in the .txt format.
Step 5: Use Hydra to Crack Passwords
In the example below, I am using Hydra to try to crack the "admin" password using the "rockyou.txt" wordlist at 192.168.89.190 on port 80.
Using Hydra on Web Forms
Using Hydra on web forms adds a level of complexity, but the format is similar except that you need info on the web form parameters that Tamper Data can provide us.
The syntax for using Hydra with a web form is to use <url>:<formparameters>:<failure string> where previously we had used the target IP.
We still need a username list and password list.
Probably the most critical of these parameters for web form password hacking is the "failure string".
This is the string that the form returns when the username or password is incorrect.
We need to capture this and provide it to Hydra so that Hydra knows when the attempted password is incorrect and can then go to the next attempt.
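An added example from the defender's side, not part of the original post: because a form guesser has to send the login POST once per candidate password and read back the failure page each time, the attempts show up as a burst in the web server's access log. This sketch flags source addresses with such a burst; the log lines, the `/login.php` path, the thresholds, and the assumption that a failed login answers 200 while a successful one answers 302 are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (not from the page).
SAMPLE = [
    f'203.0.113.7 - - [12/Mar/2024:10:00:0{i} +0000] "POST /login.php HTTP/1.1" 200 1843'
    for i in range(1, 7)  # six failed attempts in six seconds
] + [
    '203.0.113.7 - - [12/Mar/2024:10:00:07 +0000] "POST /login.php HTTP/1.1" 302 0',
    '198.51.100.20 - - [12/Mar/2024:10:00:02 +0000] "POST /login.php HTTP/1.1" 200 1843',
    '198.51.100.20 - - [12/Mar/2024:10:00:30 +0000] "POST /login.php HTTP/1.1" 200 1843',
    '198.51.100.20 - - [12/Mar/2024:10:00:45 +0000] "POST /login.php HTTP/1.1" 302 0',
]

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def detect_guessing(lines, login_path="/login.php", threshold=5, window_s=60):
    """Return {ip: {"failures": n, "success_after_burst": bool}} for flagged IPs."""
    recent = defaultdict(deque)  # ip -> timestamps of failed attempts in the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != login_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, status = m["ip"], int(m["status"])
        if status == 302:  # assumption: redirect means the login succeeded
            if ip in flagged:
                # A success right after a guessing burst needs urgent review.
                flagged[ip]["success_after_burst"] = True
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= threshold:
            entry = flagged.setdefault(
                ip, {"failures": 0, "success_after_burst": False})
            entry["failures"] = max(entry["failures"], len(q))
    return flagged

if __name__ == "__main__":
    for ip, info in detect_guessing(SAMPLE).items():
        print(ip, info)
```

The same counters can drive a response instead of a report, for example throttling or temporarily locking the account once the threshold is crossed.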
In my next Hydra tutorial, I will show you how to use this information to brute-force any web form including all those web cams, SCADA systems, traffic lights, etc. that we can find on Shodan.
Thanks for reading the post.
We are very happy for you to come to our site. Our Website Domain name
https://codedforum.blogspot.com/.