Henry Dalziel | Pentesting Tools | July 21, 2016
What will I learn from this interview?
We are really excited to post this!
We interviewed ‘THC Hydra’ creator, Marc “van Hauser” Heuse, and asked him a bunch of questions about his much-loved and used password cracking tool, THC Hydra, as well as other ‘career-starting’ questions.
As a way of background to this interview – we’ve been publishing tons of content on hacking tools for years now, and we’ve done a bunch of video interviews which you can see here. We thought it would be a great idea to continue with these ‘interview theme’, especially since we feel that such resources benefit younger people looking to increase their skills and subsequently find work in cyber security. By reading this post you will learn how Marc “van Hauser” Heuse developed Hydra, and why – and also tips and ways to get your tool out there!
What is THC Hydra?
THC Hydra (gitub) is one of the tools we all love. THC (The ‘Hacker’s Choice) password cracking tool has a legendary status – mostly because of its’ awesomeness at being able to act as a login cracker which supports numerous protocols to attack. Most users would agree that ‘Hydra’ is an easy tool to use and a highly efficient brute-force weapon.
vanHauser was asked a few questions on how he came up with coding hydra and how to advertise your own tools: https://t.co/24bgXQSCPH
— The Hacker's Choice (@hackerschoice) 25 July 2016
The Interview: July 21, 2016
THC Hydra is awesome. How did you get the inspiration behind developing Hydra? What prompted your research? Said another way, where did you see the vulnerability that was most plausible to attack with regards to (multi-threaded) network logon cracking?
Marc “van Hauser” Heuse, THC Hydra
I was unsatisfied that at this point only tools exist to try login/ passwords against a single service – like telnet, ftp, pop3 etc. and every tool of course having different command line options. So I had the idea to create one tool that supports multiple protocols, and no need anymore for any other tool and easy usage.
Then I went to DEFCON (first time), and met Fyodor, the nmap programmer, who had been a friend for some time until then. We were in his hotel room, one other person was there too, talked about ideas etc and realized that we all three had the same idea! So I realized I had to be fast and just a few weeks later I had a prototype. As I was first, Fyodor and the other guy did not follow up with a tool of their own. Many years later Fyodor tried with the Summer of Code event to get ncrack running, which was actually quite nice, but was not followed up with support. So hydra is still the main tool available. Medusa is great too though – but also seems to be not supported anymore.
You’ve developed a bunch of security tools, namely, hydra, amap, thc-ipv6, THC-Scan, secure_delete, SuSEfirewall and many more. What is your preferred language to use when developing a tool?
For all those budding security developers out there trying to create tools, how do you recommend they promote their work? Perhaps presenting research at conferences? Any other ways?
Marc “van Hauser” Heuse, THC Hydra
This is actually difficult. There a tons of tools, many of them accomplishing the same in just a little bit different way.
First – make it accessible for contribution, e.g. via github.
Second – encourage people to join your project: be friendly and helpful.
Third – actually use your own tool. find bugs: see what new features would help and report on your success
Fourth – support your tool as long as possible; do not drop it because you now have different interests
Fifth – Have more than one great tool
We’d like to thank Marc “van Hauser” Heuse for his time and wish him and the development all the best luck for the future!