Understanding and preventing credential stuffing attacks
Getting Your Hands Dirtier
In addition to harvesting lists of passwords and hunting for relevant usernames for credential stuffing on the command line, you need to consider the automation behind such attacks. Unsurprisingly, there are multiple automation tools.
One such tool, Hydra (sometimes called THC Hydra), is part of the Kali Linux suite of tools and available in Van Hauser's repository [10] on GitHub. Hydra is efficient and supports running parallel connections. Note the reminder in the README file [11]: "This Tool Is for Legal Purposes Only!"
Although I've only really talked about web services so far, Hydra purportedly supports a significant number of protocols as mentioned in the README file (see Table 1).
Table 1: Hydra Supported Protocols and Services

Asterisk | ICQ | Rlogin
AFP | IMAP | Rsh
Cisco AAA | IRC | RTSP
Cisco auth | LDAP | SAP/R3
Cisco enable | MEMCACHED | SIP
CVS | MONGODB | SMB
Firebird | MS-SQL | SMTP
FTP | MYSQL | SMTP Enum
HTTP-FORM-GET | NCP | SNMP v1+v2+v3
HTTP-FORM-POST | NNTP | SOCKS5
HTTP-GET | Oracle Listener | SSH (v1 and v2)
HTTP-HEAD | Oracle SID | SSHKEY
HTTP-POST | Oracle | Subversion
HTTP-PROXY | PC-Anywhere | Teamspeak (TS2)
HTTPS-FORM-GET | PCNFS | Telnet
HTTPS-FORM-POST | POP3 | VMware-Auth
HTTPS-GET | POSTGRES | VNC
HTTPS-HEAD | Radmin | XMPP
HTTPS-POST | RDP |
HTTP-Proxy | Rexec |
A quick word of warning: Hydra can take a few attempts to get the command-line options right, so I recommend practicing on a Capture the Flag server or a service where you know the credentials in case you come across problems. I like to save successful command-line options for later.
There are a few ways to install Hydra (see the README [11] for more information). I will purposely cover generic commands. If you want to run these commands using the developer's preferred installation route with Docker, see the "Using Docker with Hydra" box. I think Docker is preferred because it guarantees you are using the latest version.
Using Docker with Hydra
For the Docker installation route, you will need to make some tweaks to the generic commands used in this article. If you use local files on a laptop for usernames and passwords lists, then you need to mount the local directory into the Docker container. You also need to prepend some Docker commands to the Hydra commands.
An example of a Docker command would look as follows:
$ docker run -it vanhauser/hydra -v -L /home/chris/users.txt -P /home/chris/passwords.txt -s22 -t4 -I target.tld ssh
However, the above command won't work until you mount a volume. To do that, you need to convert the above Hydra SSH command to mount local files to a container as follows:
$ docker run -it --mount type=bind,source=/home/chris,target=/tmp,readonly vanhauser/hydra -L /tmp/users.txt -P /tmp/passwords.txt -s22 -t4 -I target.tld ssh
Admittedly, there is a lot going on in the above command, so I'll break it down into sections. At the start, I prepend the docker run command and then mount the volume (read only) from /home/chris locally to /tmp inside the container. I then point Docker at the vanhauser/hydra container image and tell Hydra to look in the /tmp directory for both the usernames and passwords files before offering a target host and asking Hydra to use SSH logins.
If you are new to Docker, it may take a couple of attempts to tweak the generic commands, but it's not too difficult to transpose the other commands in this article using the examples shown here.
To use Hydra, I need to install Docker, log into Docker Hub [12], and then create a token to pull from the vanhauser/hydra repository on Docker Hub. On Debian Linux derivatives, such as Ubuntu, you can get started with the following command:
$ apt update; apt install -y docker.io
Next you need to create a personal access token as shown in Figure 3. To get there, either log in or create a Docker Hub account and then click on Account Settings (top right) followed by Security (left).
Once you click on the blue New Access Token button (and choose read-only access), as shown in Figure 3, you're all set. (If you need additional help in setting up an access token, see [13]). Using this access token as the password, you can log into Docker Hub on the command line and see if your access token works as follows:
$ docker login -u chrisbinnie   # change to your Docker Hub username
Password: <enter Personal Access Token here>
Warning: Your password will be stored unencrypted in /root/.docker/config.json. Configure a credential helper to remove this warning (see [14]).
Login Success
Now that you have access to Docker Hub (public) images, you can pull Hydra's image with the code in Listing 2.
Listing 2: Pulling the Hydra Image

$ docker pull vanhauser/hydra
Using default tag: latest
latest: Pulling from vanhauser/hydra
90ac1ecaf92c: Pull complete
be7c66840ebb: Pull complete
<...snip...>

$ docker images
REPOSITORY        TAG      IMAGE ID       CREATED      SIZE
vanhauser/hydra   latest   d89f1bd1e06f   6 days ago   1.24GB
The docker images command confirms that you have pulled around one and a quarter gigabytes for Hydra. In order to check that the image is valid, you can open Hydra's help page with the following command:
$ docker run -it vanhauser/hydra -h
As the heavily abbreviated help page in Listing 3 shows, Hydra is ready to use. Note the authors' request in Listing 3: "Please do not use in military or secret service organizations, or for illegal purposes."
Listing 3: Hydra Help Page

Hydra v9.6dev (c) 2023 by van Hauser/THC & David Maciejak -- Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]

Options:
  -R                   restore a previous aborted/crashed session
  -I                   ignore an existing restore file (don't wait 10 seconds)
  -S                   perform an SSL connect
  -s PORT              if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET   password bruteforce generation, type "-x -h" to get help
  -y                   disable use of symbols in bruteforce, see above
  -r                   use a non-random shuffling method for option -x
  -e nsr               try "n" null password, "s" login as pass and/or "r" reversed login
  -u                   loop around users, not passwords (effective! implied with -x)
  -C FILE              colon separated "login:pass" format, instead of -L/-P options
<...snip...>
Always Make Lists
As my first credential stuffing example using Hydra, I will target an SSH server. The syntax is simple and easy to follow (remember to refer to the "Using Docker with Hydra" box to use Docker with these commands). I start by using a local list (in the current directory) of passwords (in a file called passwords.txt) and just one username with a lowercase -l option as follows:
$ hydra -v -l chris -P passwords.txt -s22 -t4 -I target.tld ssh
Bear in mind that the server may lock a user out after three attempts, so focusing on one username isn't the ideal approach. Instead, you can collect a list of usernames, save them into a file, and pass that file with the uppercase -L option, using full file paths as follows:
$ hydra -v -L /home/chris/users.txt -P /home/chris/passwords.txt -s22 -t4 -I target.tld ssh
That's all you need for attacking SSH servers. If you want to attack a web application, then you would need to append http-get at the end and set -s to HTTP's port 80 (I will explain -t shortly) as follows:
$ hydra -v -L /home/chris/users.txt -P /home/chris/passwords.txt -s80 -t4 -I target.tld http-get
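From the defender's side, the two SSH runs above leave different fingerprints in sshd's auth log: a username list passed with -L produces a burst of failures spread across many accounts from one source, while a single -l user produces repeated failures against one account. The following Python script is an added example, not part of the original article: it parses constructed sshd log lines and labels each source accordingly; the sample lines, the 60-second window and the three-failure threshold (matching the lockout limit mentioned above) are all assumptions.

```python
import re
from datetime import datetime

# Constructed sshd log excerpt (sample data, not from the article).
SAMPLE_AUTH_LOG = """\
Jan 10 09:00:01 host sshd[1201]: Failed password for invalid user alice from 198.51.100.7 port 40001 ssh2
Jan 10 09:00:02 host sshd[1202]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Jan 10 09:00:02 host sshd[1203]: Failed password for invalid user carol from 198.51.100.7 port 40003 ssh2
Jan 10 09:00:10 host sshd[1210]: Failed password for chris from 203.0.113.9 port 50001 ssh2
Jan 10 09:00:11 host sshd[1211]: Failed password for chris from 203.0.113.9 port 50002 ssh2
Jan 10 09:00:12 host sshd[1212]: Failed password for chris from 203.0.113.9 port 50003 ssh2
Jan 10 09:06:00 host sshd[1221]: Failed password for chris from 192.0.2.4 port 60002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(text, year=2024):
    """Return (timestamp, user, ip) per failed-password line (syslog omits the year, so one is assumed)."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out

def classify_sources(text, window_seconds=60, min_failures=3, min_users=3):
    """Label each source IP that produces >= min_failures within window_seconds.
    Many distinct usernames from one IP (the -L/-P pattern) is credential stuffing;
    the same username hit repeatedly is brute force. Quiet sources are omitted."""
    by_ip = {}
    for ts, user, ip in parse_failures(text):
        by_ip.setdefault(ip, []).append((ts, user))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        for start in range(len(events)):  # slide a window over the sorted events
            end = start
            while end + 1 < len(events) and (events[end + 1][0] - events[start][0]).total_seconds() <= window_seconds:
                end += 1
            burst = events[start:end + 1]
            if len(burst) >= min_failures:
                users = {u for _, u in burst}
                verdicts[ip] = "credential stuffing" if len(users) >= min_users else "brute force"
                break
    return verdicts
```

Run against a real /var/log/auth.log the same way; the single failure from 192.0.2.4 in the sample is deliberately below the threshold and produces no verdict.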