Download & Set Up Zydra

To begin, we need to download Zydra from GitHub — use the wget utility to grab the Python file right from the command line:

    ~$ wget https://raw.githubusercontent.com/hamedA2/Zydra/master/Zydra.py
    --2020-07-15 18:41:25-- https://raw.githubusercontent.com/hamedA2/Zydra/master/Zydra.py
    Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
    Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 30544 (30K) [text/plain]
    Saving to: ‘Zydra.py’

    Zydra.py 100%[======================>] 29.83K --.-KB/s in 0.04s

    2020-07-15 18:41:26 (764 KB/s) - ‘Zydra.py’ saved [30544/30544]

Next, and this step is completely optional, let's rename the script, making it entirely lowercase. If you're lazy like me, it's just one less key to press:

    ~$ mv Zydra.py zydra.py

We also need to install some dependencies for Zydra to work properly — it uses Python 3, so we can use pip3 to install the extra modules:

    ~$ pip3 install rarfile pyfiglet py-term
    Collecting rarfile
      Downloading rarfile-3.1.tar.gz (121 kB)
         |████████████████████████████████| 121 kB 1.0 MB/s
    Requirement already satisfied: pyfiglet in /usr/lib/python3/dist-packages (0.8.post0)
    Collecting py-term
      Downloading py-term-0.6.tar.gz (5.4 kB)
    Building wheels for collected packages: rarfile, py-term
      Building wheel for rarfile (setup.py) ... done
      Created wheel for rarfile: filename=rarfile-3.1-py3-none-any.whl size=24908 sha256=6f16c1h4b06a3f7a7d8v4baa34e9a6d58a949b5a78c2b23bb60c0d62791372e3
      Stored in directory: /home/kali/.cache/pip/wheels/21/50/d0/8da8b10f46113f46c6f0247c5f59401293fb5b15aa7888a4ce
      Building wheel for py-term (setup.py) ... done
      Created wheel for py-term: filename=py_term-0.6-py3-none-any.whl size=6268 sha256=ab75424c7aa6ef71001a24c3e3a558ad3748ee0d6a3c0153c3a0cf955f814a13
      Stored in directory: /home/kali/.cache/pip/wheels/76/cc/73/8ac13320a2a98600008575b936742bbb6025d21d674ca6e2fd
    Successfully built rarfile py-term
    Installing collected packages: rarfile, py-term
    Successfully installed py-term-0.6 rarfile-3.1

Now we should be ready to run Zydra using the python3 command:

    ~$ python3 zydra.py
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    [Zydra ASCII-art banner]
    Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    Usage: zydra.py [options] [args]

    Dictionary Mode:
       zydra.py -f -d

    Brute force Mode:
       zydra.py -f -b -m -x

       Available char_type:
          The lowercase letters abcdefghijklmnopqrstuvwxyz
          The uppercase letters ABCDEFGHIJKLMNOPQRSTUVWXYZ
          The concatenation of the lowercase and uppercase
          numbers 0123456789
          punctuation characters !#$%&'()*+,-./:;<=>?@[\]^_`{|}~'"
          space character
       You can select multiple character types.
       Example: zydra.py -f -b -m 1 -x 8

    zydra.py: error: Choose a file, Use --help for more info

This gives us a nice little banner, a usage example, and some information about some of the options available.
It also gives us an error stating it needs a file, and tells us to use --help for more info; this will give us more details and options:

    ~$ python3 zydra.py --help
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    [Zydra ASCII-art banner]
    Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    Usage: zydra.py [options] [args]

    Dictionary Mode:
       zydra.py -f -d

    Brute force Mode:
       zydra.py -f -b -m -x

       Available char_type:
          The lowercase letters abcdefghijklmnopqrstuvwxyz
          The uppercase letters ABCDEFGHIJKLMNOPQRSTUVWXYZ
          The concatenation of the lowercase and uppercase
          numbers 0123456789
          punctuation characters !#$%&'()*+,-./:;<=>?@[\]^_`{|}~'"
          space character
       You can select multiple character types.
       Example: zydra.py -f -b -m 1 -x 8

    Options:
      -h, --help    show this help message and exit
      -d DICTFILE   Specifies dictionary file
      -f FILE       Specifies the file
      -b CHARTYPE   Specifies the character type
      -m MINLENGTH  Specifies minimum length of password
      -x MAXLENGTH  Specifies maximum length of password

Before we can run Zydra, we will need some files to test it out on. I have created a RAR file, ZIP file, and PDF file that you can download and use to follow along. The password for all three of these is "password1" as you'll soon find out. There is also a shadow file you can download, which I got from the Metasploitable virtual machine.

Download: all test files | .rar test | .zip test | .pdf test | .shadow test

We'll also need a suitable wordlist.
Since our password for these files is pretty simple, we'll use a minimal list for demonstration purposes — this one from the SecLists GitHub repo will work:

    ~$ wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/darkweb2017-top10.txt
    --2020-07-15 19:08:05-- https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/darkweb2017-top10.txt
    Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.0.133, 151.101.64.133, 151.101.128.133, ...
    Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.0.133|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 81 [text/plain]
    Saving to: ‘darkweb2017-top10.txt’

    darkweb2017-top10.tx 100%[======================>] 81 --.-KB/s in 0s

    2020-07-15 19:08:05 (3.10 MB/s) - ‘darkweb2017-top10.txt’ saved [81/81]

At this point, we are ready to get cracking.

Option 1: Cracking RAR Files

Zydra can operate in two modes: dictionary and brute force. In dictionary mode, we just need to supply a wordlist with the -d flag.
We also need to specify the file we are trying to crack using the -f flag:

    ~$ python3 zydra.py -f nb-rar.rar -d darkweb2017-top10.txt
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    [Zydra ASCII-art banner]
    Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    Start time ==> Wed Jul 15 19:08:15 2020

    Starting password cracking for /root/nb/nb-rar.rar /

    [*] Count of possible passwords: 10
    Progress : [##################################### ] 80.000 %
    [+] Password Found: password1

    End time ==> Wed Jul 15 19:08:41 2020
    Execution time ==> 0:00:25.876620

Once it starts, it gives us the possible password count (basically, how many lines there are in the wordlist) and a progress bar. It doesn't take long before it finds the password and tells us what it is.

For brute force mode, we need to set a few more options. We still specify the file to crack, but now we can use the -b flag to set the character types to use for brute forcing.
The minimum and maximum length of the password can also be set now, using the -m and -x flags, respectively:

    ~$ python3 zydra.py -f nb-rar.rar -b letters,digits -m 1 -x 10
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    [Zydra ASCII-art banner]
    Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    Start time ==> Wed Jul 15 19:09:01 2020

    Starting password cracking for /root/nb/nb-rar.rar /

    [*] Count of possible passwords: 853058371866181866
    Progress : [ ] 0.000 %

As you can see, the number of potential passwords is quite large, so while this feature can be useful in certain cases, most of the time it is wise to use the dictionary mode.

Now that we have the password, we can extract the contents of the RAR file with the following command:

    ~$ unrar x nb-rar.rar

    UNRAR 5.61 beta 1 freeware Copyright (c) 1993-2018 Alexander Roshal

    Extracting from nb-rar.rar

    Enter password (will not be echoed) for test.txt:

Option 2: Cracking ZIP Files

Cracking ZIP files works pretty much the same way — we'll only use dictionary mode from here on out since it is way more efficient.
Just specify the file to crack and wordlist to use:

    ~$ python3 zydra.py -f nb-zip.zip -d darkweb2017-top10.txt
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    [Zydra ASCII-art banner]
    Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    Start time ==> Wed Jul 15 19:09:45 2020

    Starting password cracking for /root/nb/nb-zip.zip /

    [*] Count of possible passwords: 10
    Progress : [##################################### ] 80.000 %
    [+] Password Found: password1

    End time ==> Wed Jul 15 19:10:10 2020
    Execution time ==> 0:00:25.062398

We can see it found the password again with no issues.

To extract the contents of the ZIP archive, use the unzip command:

    ~$ unzip nb-zip.zip
    Archive: nb-zip.zip
    [nb-zip.zip] example.txt password:

Option 3: Cracking PDF Files

For Zydra to work with PDF files, we need to install a program called qpdf first:

    ~$ sudo apt install qpdf
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following additional packages will be installed:
      libqpdf28
    The following NEW packages will be installed:
      libqpdf28 qpdf
    0 upgraded, 2 newly installed, 0 to remove and 568 not upgraded.
    Need to get 1,015 kB of archives.
    After this operation, 2,690 kB of additional disk space will be used.
    Do you want to continue? [Y/n] y
    Get:1 http://kali.download/kali kali-rolling/main amd64 libqpdf28 amd64 10.0.1-2 [479 kB]
    Get:2 http://kali.download/kali kali-rolling/main amd64 qpdf amd64 10.0.1-2 [537 kB]
    Fetched 1,015 kB in 1s (830 kB/s)
    Selecting previously unselected package libqpdf28:amd64.
    (Reading database ... 377060 files and directories currently installed.)
    Preparing to unpack .../libqpdf28_10.0.1-2_amd64.deb ...
    Unpacking libqpdf28:amd64 (10.0.1-2) ...
    Selecting previously unselected package qpdf.
    Preparing to unpack .../qpdf_10.0.1-2_amd64.deb ...
    Unpacking qpdf (10.0.1-2) ...
    Setting up libqpdf28:amd64 (10.0.1-2) ...
    Setting up qpdf (10.0.1-2) ...
    Processing triggers for libc-bin (2.30-4) ...
    Processing triggers for man-db (2.9.1-1) ...
    Processing triggers for kali-menu (2020.2.2) ...

Now we can crack the PDF by providing the file and wordlist to use, just like before:

    ~$ python3 zydra.py -f nb-sample.pdf -d darkweb2017-top10.txt
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    [Zydra ASCII-art banner]
    Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    Start time ==> Wed Jul 15 19:10:30 2020

    Starting password cracking for /root/nb/nb-sample.pdf /

    [*] Count of possible passwords: 10
    Progress : [##################################### ] 80.000 %
    [+] Password Found: password1
    [*] Your decrypted file is decrypted_nb-sample.pdf

    End time ==> Wed Jul 15 19:10:55 2020
    Execution time ==> 0:00:25.118694

Again, we can see it found the password, but this time there is an additional dialogue. This is simply telling us the file is a decrypted version of the original, which we can verify with the file command:

    ~$ file decrypted_nb-sample.pdf
    decrypted_nb-sample.pdf: PDF document, version 1.4

Option 4: Cracking Shadow Files

Zydra will automatically attempt to crack the password hashes for any users found in Linux shadow files. While it's not always successful, this can be a good method to try out first since it is quick and easy.
All we need to do is specify the file with the -f flag and the wordlist with the -d flag:

    ~$ python3 zydra.py -f nb-shadow -d darkweb2017-top10.txt
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    [Zydra ASCII-art banner]
    Author : Hamed Hosseini
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

    Start time ==> Wed Jul 15 19:11:03 2020

    Starting password cracking for /root/nb/nb-shadow /

    [*] Count of possible passwords: 10

    [**] cracking Password for: root
    Progress : [##############################################] 100.000 %
    [-] password not found

    [**] cracking Password for: sys
    [**] cracking Password for: klog
    [**] cracking Password for: msfadmin
    [**] cracking Password for: postgres
    [**] cracking Password for: user
    [**] cracking Password for: service

    End time ==> Wed Jul 15 19:11:26 2020
    Execution time ==> 0:00:22.062705

We can see it finds several users, but since we are only using a simple wordlist, it fails to find the password for any of them. Like any other cracking tool, using a more extensive wordlist will increase your chances of successfully recovering a password, but it will also take longer.
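How well a shadow file holds up against the dictionary run above depends largely on the hash scheme each account uses. The audit below is an added example, not part of Zydra or the original article: it parses shadow-format text and flags accounts with an empty password or an obsolete scheme. The sample entries, the verdict labels and the function names are constructed for illustration.

```python
# Field 2 of a shadow entry is "$id$salt$hash" for modular crypt schemes.
SCHEMES = {
    "1": ("md5crypt", "weak"),
    "2a": ("bcrypt", "ok"), "2b": ("bcrypt", "ok"), "2y": ("bcrypt", "ok"),
    "5": ("sha256crypt", "ok"),
    "6": ("sha512crypt", "ok"),
    "y": ("yescrypt", "ok"),
}

def classify(pw_field):
    """Return (scheme, verdict) for the password field of one entry."""
    if pw_field == "":
        return ("none", "empty")        # account logs in without a password
    if pw_field[0] in "!*":
        return ("none", "locked")       # password login is disabled
    if pw_field.startswith("$"):
        parts = pw_field.split("$")
        if len(parts) < 4:
            return ("malformed", "review")
        return SCHEMES.get(parts[1], ("unknown:" + parts[1], "review"))
    if len(pw_field) == 13:
        return ("descrypt", "weak")     # traditional 13-character DES crypt
    return ("malformed", "review")

def audit(shadow_text):
    """Return (user, scheme, verdict) for every entry in shadow-format text."""
    rows = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            rows.append((line, "malformed", "review"))
            continue
        rows.append((fields[0], *classify(fields[1])))
    return rows

def needs_rehash(shadow_text):
    """Accounts that should get a new password under a modern scheme."""
    return [u for u, _, v in audit(shadow_text) if v in ("weak", "empty")]

# Constructed sample: salts and hashes are placeholders, not real digests.
SAMPLE = """\
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18458:0:99999:7:::
legacy:$1$CONSTRSA$CONSTRUCTEDHASH:14684:0:99999:7:::
daemon:*:14684:0:99999:7:::
kiosk::14684:0:99999:7:::
oldunix:abCONSTRUCTED:14684:0:99999:7:::
svc:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18458:0:99999:7:::
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-8s %-12s %s" % row)
```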
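The brute-force count shown in the RAR section (853058371866181866 for -b letters,digits -m 1 -x 10) is the sum of 62^k for k from 1 to 10. The following added example, which is not code from Zydra or the article, reproduces that figure and turns it into a password-policy check: how long exhaustion takes at a given guess rate, and what length outlasts it. The character-class mapping and the guess rates are assumptions chosen for illustration.

```python
import string

# Character classes taken from Python's string module; mapping Zydra's -b
# names onto them is an assumption made for this example.
CHAR_TYPES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "letters": string.ascii_letters,
    "digits": string.digits,
    "punctuation": string.punctuation,
    "space": " ",
}
SECONDS_PER_YEAR = 365 * 24 * 3600

def alphabet_size(char_types):
    """Number of distinct characters in a comma-separated type list."""
    chars = set()
    for name in char_types.split(","):
        chars.update(CHAR_TYPES[name.strip()])
    return len(chars)

def keyspace(char_types, min_len, max_len):
    """Candidates of every length from min_len to max_len inclusive."""
    n = alphabet_size(char_types)
    return sum(n ** k for k in range(min_len, max_len + 1))

def years_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR

def min_length_for(char_types, guesses_per_second, years):
    """Shortest fixed length whose keyspace outlasts the given budget."""
    n = alphabet_size(char_types)
    budget = guesses_per_second * years * SECONDS_PER_YEAR
    length = 1
    while n ** length <= budget:
        length += 1
    return length

if __name__ == "__main__":
    total = keyspace("letters,digits", 1, 10)
    print(total)  # same count Zydra printed for -m 1 -x 10
    for rate in (1e3, 1e9):  # assumed guess rates, not measured values
        print(f"{rate:.0e}/s -> {years_to_exhaust(total, rate):,.0f} years")
    print(min_length_for("letters,digits", 1e9, 100))
```

The time estimate is a worst case for a uniformly random password; a password that appears in a wordlist, like the one used for the test files, falls to dictionary mode regardless of its length.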