As part of the Hacking with Hayden series: Hydra is used to brute force passwords. The goal is to crack a password by using a long list of potential passwords.

Hydra is used to brute force passwords. The goal is to crack a password by using a long list of potential passwords. Hydra targets protocols and works on the following list of protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP,  HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP. 

Hydra highlights the importance of using a strong and secure password including special characters and more than 8 characters. If it does not and you are using a common password, it will be guessed. Hydra has access to lists with over 100 million potential passwords. This emphasizes the importance of using a strong password and never leaving the default passwords. 

Hydra Commands 

Depending on the protocol we are attacking, we use different protocols. The basic example given by TryHackMe is for bruteforcing an FTP protocol where the username is ‘user’ and we are using a list of passwords. ‘passlist.txt’ is the command we have put in place of the password to run the txt document containing a list of passwords to try in combination with the username ‘user’. 

hydra –l user –P passlist.txt ftp://MACHINE_IP  

Using SSH: -l is for the username, -P is to use a list of passwords, and –t determines how many threads to use.

E.g. hydra –l <username> -P <path to pass> MACHINE_IP –t 4 ssh 

Bruteforcing web forms – Hydra also has the ability to bruteforce web forms. To do this you must know if what type of request the web form is making, typically either GET or POST methods. In your browser, navigate to the developer tools to see the request types, or look at the source code. Following this is an example Hydra command used to brute force a POST web login form:

hydra –l <username> -P <wordlist> MACHINE_IP http-post-form “/:username=^USER&password=^PASS^:F=incorrect” -V 

That example uses a lot of options and looks a little daunting… lets break it down and describe what all of the options mean.  

-l = single username 

-P = use the following password list 

http-post-form = the type of form (post) 

/login url = the login page URL 

:username = form field where you input the username 

^USER^ = tells hydra the username 

password = form field where you input the password 

^PASS^ = tells Hydra to use the password list given earlier 

Login = indicates to hydra the Login failed message 

 Login failed = the login failure message that the form returns 

 F=incorrect = if you see this word on the page, its incorrect 

-V = verbose output for attempts 

To find all of the Hydra commads, in your terminal type /hydra -h , this will launch the Hydra help page.