Hydra is an online brute-force password cracking program and a quick tool for attacking system logins. It runs through a list of candidate passwords against authentication services, which works especially well when the passwords are weak.
Let’s learn more about this tool in our daily #FromZeroToHacker challenge.
Table of contents
- Introduction
- What have I learnt today?
- Stats
- Resources
Introduction to Hydra
Using rapid dictionary attacks against more than 50 protocols, including Telnet, FTP, HTTP and HTTPS, SMB, databases and more, Hydra is a great tool for anyone in Cyber Security.
What have I learnt today?
Installing Hydra
Pre-installed in Kali Linux distributions, Hydra can be installed with apt install hydra or dnf install hydra. You can also download it from its official website: THC-Hydra repository.
Using Hydra
This is what you came here for.
Basic commands
hydra -l <USERNAME> -P <LIST_OF_PASSWORDS> <SERVICE>://<TARGET_IP>
-l sets the username and -P points to a list of passwords (lowercase -p takes a single password instead). For example, if we know there is a user called paul in an FTP service:
hydra -l paul -P passwords_list.txt ftp://10.10.10.10
SSH
hydra -l <USERNAME> -P <LIST_OF_PASSWORDS> <TARGET_IP> -t <NUMBER_OF_THREADS> ssh
Here we are speeding up the process with -t 4, which sets the number of threads to spawn.
hydra -l root -P passwords_list.txt 10.10.10.10 -t 4 ssh
Post web form
Hydra can also target web forms. We need to know which type of request the form uses (normally the GET or POST method):
sudo hydra -l <USERNAME> -P <PASSWORD_LIST> <TARGET_IP> http-post-form "<PATH>:<LOGIN_CREDENTIALS>:<INVALID_RESPONSE>"
We know half of the flags here, but now we also use http-post-form to indicate the type of the form, <PATH> to point to the login page URL (for example, login.php), <LOGIN_CREDENTIALS> to set the username and password attributes (username=^USER^&password=^PASS^), and <INVALID_RESPONSE> as a part of the response when the login fails. We can also add -V to increase the verbosity of every attempt.
hydra -l <username> -P <wordlist> 10.10.10.10 http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
Summary
Today we learnt more about Hydra:
- What it does.
- How to install it.
- How to crack SSH connections.
- How to brute-force our way into web forms.
Stats
From 54.784th to 54.835th.
Here is also the Skill Matrix: