ITLearn

Hydra

5 min read

Hydra Introductory Guide

Hydra is a fast and flexible password-cracking tool used to brute-force login credentials for various services. It’s often used in security assessments to test the strength of user passwords. Below is a guide on how to use Hydra through the command line:

1. Basic Hydra Command Structure

The basic syntax for Hydra is:

hydra -l <username> -P <password_list> <target_ip> <service>
  • -l <username>: Specifies a single username.
  • -L <username_list>: Specifies a file with a list of usernames.
  • -p <password>: Specifies a single password.
  • -P <password_list>: Specifies a file with a list of passwords.
  • <target_ip>: The IP address or domain of the target.
  • <service>: The service to target (e.g., ssh, ftp, http, etc.).

2. Examples of Common Hydra Commands

  • Brute-force SSH Login:

    hydra -l root -P /path/to/password_list.txt ssh://192.168.1.10

  • Brute-force FTP Login with Username List:

    hydra -L /path/to/usernames.txt -P /path/to/password_list.txt ftp://192.168.1.10

  • Brute-force HTTP Form Login:

    hydra -l admin -P /path/to/password_list.txt 192.168.1.10 http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"

3. Explanation of HTTP Form Parameters

  • http-post-form:
    • /login: The path to the login page.
    • username=^USER^&password=^PASS^: Replace ^USER^ and ^PASS^ with the respective field names on the form.
    • :F=incorrect: The string returned when a login attempt fails.

4. Adding Custom Options

  • Specify the Number of Parallel Tasks:

    hydra -t 4 -l admin -P /path/to/password_list.txt ssh://192.168.1.10

  • Use a Proxy for HTTP/HTTPS:

    hydra -l admin -P /path/to/password_list.txt -e ns -o results.txt 192.168.1.10 http-form-post "/login:username=^USER^&password=^PASS^:F=error" -u -I

5. Output Results

  • Save Results to a File: 
    hydra -l admin -P /path/to/password_list.txt ssh://192.168.1.10 -o /path/to/output.txt

6. Useful Tips and Flags

  • -e ns: Try “no password” and the username as the password.
  • -f: Stop after the first successful login.
  • -V: Verbose mode (displays each attempt).
  • -I: Ignore an already found result and continue brute-forcing.

7. Important Considerations

  • Use Responsibly: Ensure you have authorization before using Hydra on any network or system.
  • Be Mindful of Rate Limiting: Target systems might have brute-force protections in place. Use the -W <seconds> option to add a wait time between attempts if needed.

This guide provides a solid foundation for using Hydra for password-cracking and login brute-forcing tasks.

Hydra is a brute force online password cracking program, a quick system login password “hacking” tool.

Hydra can run through a list and “brute force” some authentication services. Imagine trying to manually guess someone’s password on a particular service (SSH, Web Application Form, FTP or SNMP) - we can use Hydra to run through a password list and speed this process up for us, determining the correct password.

According to its official repository, Hydra supports, i.e., has the ability to brute force the following protocols: “Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, TeamSpeak (TS2), Telnet, VMware-Auth, VNC and XMPP.”

For more information on the options of each protocol in Hydra, you can check the Kali Hydra tool page.

This shows the importance of using a strong password; if your password is common, doesn’t contain special characters and is not above eight characters, it will be prone to be guessed. A one-hundred-million-password list contains common passwords, so when an out-of-the-box application uses an easy password to log in, change it from the default! CCTV cameras and web frameworks often use admin:password as the default login credentials, which is obviously not strong enough.

Installing Hydra

Hydra is already installed on the AttackBox. You can access it by clicking on the Start AttackBox button.

If you prefer to use the in-browser Kali machine, Hydra also comes pre-installed, as is the case with all Kali distributions. You can access it by selecting Use Kali Linux and clicking on Start Kali Linux button.

However, you can check its official repositories if you prefer to use another Linux distribution. For instance, you can install Hydra on an Ubuntu or Fedora system by executing apt install hydra or dnf install hydra. Furthermore, you can download it from its official THC-Hydra repository.

Hydra Commands

The options we pass into Hydra depend on which service (protocol) we’re attacking. For example, if we wanted to brute force FTP with the username being user and a password list being passlist.txt, we’d use the following command:

hydra -l user -P passlist.txt ftp://MACHINE_IP

For this deployed machine, here are the commands to use Hydra on SSH and a web form (POST method).

SSH

hydra -l <username> -P <full path to pass> MACHINE_IP -t 4 ssh

OptionDescription
-lspecifies the (SSH) username for login
-Pindicates a list of passwords
-tsets the number of threads to spawn

For example, hydra -l root -P passwords.txt MACHINE_IP -t 4 ssh will run with the following arguments:

  • Hydra will use root as the username for ssh
  • It will try the passwords in the passwords.txt file
  • There will be four threads running in parallel as indicated by -t 4

Post Web Form

We can use Hydra to brute force web forms too. You must know which type of request it is making; GET or POST methods are commonly used. You can use your browser’s network tab (in developer tools) to see the request types or view the source code.

sudo hydra <username> <wordlist> MACHINE_IP http-post-form "<path>:<login_credentials>:<invalid_response>"

OptionDescription
-lthe username for (web form) login
-Pthe password list to use
http-post-formthe type of the form is POST
<path>the login page URL, for example, login.php
<login_credentials>the username and password used to log in, for example, username=^USER^&password=^PASS^
<invalid_response>part of the response when the login fails
-Vverbose output for every attempt

Below is a more concrete example Hydra command to brute force a POST login form:

hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V

  • The login page is only /, i.e., the main IP address.
  • The username is the form field where the username is entered
  • The specified username(s) will replace ^USER^
  • The password is the form field where the password is entered
  • The provided passwords will be replacing ^PASS^
  • Finally, F=incorrect is a string that appears in the server reply when the login fails

You should now have enough information to put this to practice and brute force your credentials to the deployed machine!

Graph View

Backlinks