Hydra

Hydra is a fast network login cracker that supports numerous attack protocols. It is a versatile tool that can brute-force a wide range of services, including web applications, remote login services like SSH and FTP, and even databases.

Hydra's popularity stems from its:

  • Speed and Efficiency: Hydra utilizes parallel connections to perform multiple login attempts simultaneously, significantly speeding up the cracking process.
  • Flexibility: Hydra supports many protocols and services, making it adaptable to various attack scenarios.
  • Ease of Use: Hydra is relatively easy to use despite its power, with a straightforward command-line interface and clear syntax.

Installation

Hydra often comes pre-installed on popular penetration testing distributions. You can verify its presence by running:

Hydra

sasorirose@htb[/htb]$ hydra -h

If Hydra is not installed or you are using a different Linux distribution, you can install it from the package repository:

Hydra

sasorirose@htb[/htb]$ sudo apt-get -y update
sasorirose@htb[/htb]$ sudo apt-get -y install hydra

Basic Usage

Hydra's basic syntax is:

Hydra

sasorirose@htb[/htb]$ hydra [login_options] [password_options] [attack_options] [service_options]

Hydra Services

Hydra services essentially define the specific protocols or services that Hydra can target. They enable Hydra to interact with different authentication mechanisms used by various systems, applications, and network services. Each module is designed to understand a particular protocol's communication patterns and authentication requirements, allowing Hydra to send appropriate login requests and interpret the responses. Below is a table of commonly used services:

Brute-Forcing HTTP Authentication

Imagine you're tasked with testing the security of a website using basic HTTP authentication at www.example.com. You have a list of potential usernames stored in usernames.txt and corresponding passwords in passwords.txt. To launch a brute-force attack against this HTTP service, use the following Hydra command:

Hydra

sasorirose@htb[/htb]$ hydra -L usernames.txt -P passwords.txt www.example.com http-get

This command instructs Hydra to:

  • Use the list of usernames from the usernames.txt file.
  • Use the list of passwords from the passwords.txt file.
  • Target the website www.example.com.
  • Employ the http-get module to test the HTTP authentication.

Hydra will systematically try each username-password combination against the target website to discover a valid login.

Targeting Multiple SSH Servers

Consider a situation where you have identified several servers that may be vulnerable to SSH brute-force attacks. You compile their IP addresses into a file named targets.txt and know that these servers might use the default username "root" and password "toor." To efficiently test all these servers simultaneously, use the following Hydra command:

Hydra

sasorirose@htb[/htb]$ hydra -l root -p toor -M targets.txt ssh

This command instructs Hydra to:

  • Use the username "root".
  • Use the password "toor".
  • Target all IP addresses listed in the targets.txt file.
  • Employ the ssh module for the attack.

Hydra will execute parallel brute-force attempts on each server, significantly speeding up the process.

Testing FTP Credentials on a Non-Standard Port

Imagine you need to assess the security of an FTP server hosted at ftp.example.com, which operates on a non-standard port 2121. You have lists of potential usernames and passwords stored in usernames.txt and passwords.txt, respectively. To test these credentials against the FTP service, use the following Hydra command:

Hydra

sasorirose@htb[/htb]$ hydra -L usernames.txt -P passwords.txt -s 2121 -V ftp.example.com ftp

This command instructs Hydra to:

  • Use the list of usernames from the usernames.txt file.
  • Use the list of passwords from the passwords.txt file.
  • Target the FTP service on ftp.example.com via port 2121.
  • Use the ftp module and provide verbose output (V) for detailed monitoring.

Hydra will attempt to match each username-password combination against the FTP server on the specified port.

Brute-Forcing a Web Login Form

Suppose you are tasked with brute-forcing a login form on a web application at www.example.com. You know the username is "admin," and the form parameters for the login are user=^USER^&pass=^PASS^. To perform this attack, use the following Hydra command:

Hydra

sasorirose@htb[/htb]$ hydra -l admin -P passwords.txt www.example.com http-post-form "/login:user=^USER^&pass=^PASS^:S=302"

This command instructs Hydra to:

  • Use the username "admin".
  • Use the list of passwords from the passwords.txt file.
  • Target the login form at /login on www.example.com.
  • Employ the http-post-form module with the specified form parameters.
  • Look for a successful login indicated by the HTTP status code 302.

Hydra will systematically attempt each password for the "admin" account, checking for the specified success condition.

Advanced RDP Brute-Forcing

Now, imagine you're testing a Remote Desktop Protocol (RDP) service on a server with IP 192.168.1.100. You suspect the username is "administrator," and that the password consists of 6 to 8 characters, including lowercase letters, uppercase letters, and numbers. To carry out this precise attack, use the following Hydra command:

Hydra

sasorirose@htb[/htb]$ hydra -l administrator -x 6:8:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 192.168.1.100 rdp

This command instructs Hydra to:

  • Use the username "administrator".
  • Generate and test passwords ranging from 6 to 8 characters, using the specified character set.
  • Target the RDP service on 192.168.1.100.
  • Employ the rdp module for the attack.

Hydra will generate and test all possible password combinations within the specified parameters, attempting to break into the RDP service.