hydra

hydra adventofcyber4 protocolsandservers2 passwordattacks loginbruteforcing

Hydra (9.0k ⭐) is a well-known tool to brute force authentication services such SSH, FTP, RDP, MySQL... It can even be used on login forms too, but that's uncommon.

$ wordlist=/usr/share/wordlists/rockyou.txt
# use ssh, ftp...
$ hydra -l username -P $wordlist ssh://IP
$ hydra -l username -P $wordlist ssh://IP:port
$ hydra -l username -P $wordlist ftp://IP
$ hydra -l username -P $wordlist rdp://IP
$ hydra -l xxx@xxx.xxx -P $wordlist smtp://IP
$ [...]
# alternate form
$ hydra -l username -P $wordlist IP ssh -s port

➑️ I use a variable $wordlist to write shorter commands.
You can learn more about wordlists here πŸ–‹οΈ.

⚠️ If you don't provide an username, hydra will try to find as many working credentials as possible. To stop at the first one, use -f.

  • -l username: try this username
  • -L file: try a list of usernames
  • -p password: try this password
  • -P file: try a list of passwords
  • -C file: instead of L/P, provide a list of "username:password"
  • -s port: use another port
  • -t n: use $n$ threads (default: 16) | 4 for services
  • -v / -d : verbose / debug
  • -V: show login+password for every attempt
  • -e [values] such as -e nsr for all three
    • n: try null password
    • s: try login as pass
    • r: try reversed login
  • -f: quit on first log in found
  • -u: try all usernames for each password

Special uses

form brute force

Try to brute force the account "toto". ^USER^/^PASS^ mean replace with the username/password. username=/password= are the name of the fields. F= is a word in the answer indicates a failure. See also: S=.

$ hydra -l toto -P wordlist IP http-get-form "/login.php:username=^USER^&password=^PASS^:F=incorrect" -V
$ hydra -l toto -P wordlist IP http-post-form "/login.php:username=^USER^&password=^PASS^:F=incorrect" -V

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.

  • HTTP Basic Auth: [...] IP http-get /