Comprehensive Guide on Hydra – A Brute Forcing Tool

Hello friends!! Today we are going to discuss – How much impactful hydra is in cracking login credentials of various protocols to make unauthorized access to a system remotely. In this article, we have discussed each option available in hydra to make brute force attacks in the various scenario. 

Table of Content

  • Introduction to hydra
  • Multiple Features of Hydra
  • Password Guessing For Specific Username
  • Username Guessing For Specific Password
  • Cracking Login Credential
  • Use of Verbose or Debug Mode for Examining Brute Force
  • NULL/Same as Login/Reverse login Attempt
  • Save Output to Disk
  • Resuming The Brute Force Attack
  • Password Generating Using Various Set of Characters
  • Attacking on Specific Port Instead of Default
  • Making Brute Force Attack on Multiple Hosts

Introduction to Hydra

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

It supports: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Multiple Feature of Hydra

Since we are using GNOME build of Kali Linux, therefore, the “the-hydra” package is already included by default, all we need to do, open the terminal and just type “hydra -h” and press Enter. You will be welcomed by its help screen.

-R :                                         restore a previous aborted/crashed session

-I :                                           ignore an existing restore file.

-S :                                          perform an SSL connect

-s :                                          PORT   if the service is on a different default port, define it here

-l LOGIN or -L :                   FILE login with LOGIN name, or load several logins from FILE

-p PASS  or -P :                  FILE  try password PASS, or load several passwords from FILE

-x MIN:MAX:CHARSET : password bruteforce generation, type “-x -h” to get help

-e nsr :                                  try “n” null password, “s” login as pass and/or “r” reversed login

-u :                                         loop around users, not passwords (effective! implied with -x)

-C FILE :                                colon separated “login:pass” format, instead of -L/-P options

-M FILE :                               list of servers to be attacked in parallel, one entry per line

-o FILE :                                write found login/password pairs to FILE instead of stdout

-f / -F :                                  exit when a login/pass pair is found (-M: -f per host, -F global)

-t TASKS :                             run TASKS number of connects in parallel (per host, default: 16)

-w / -W TIME :                   wait time for responses (32s) / between connects per thread

-4 / -6 :                                  prefer IPv4 (default) or IPv6 addresses

-v / -V / -d :                         verbose mode / show login+pass for each attempt / debug mode

-U :                                         service module usage details

server :                                 the target server (use either this OR the -M option)

service :                               the service to crack (see below for supported protocols)

OPT :                                     some service modules support additional input (-U for module help)

Reference Source: https://tools.kali.org/password-attacks/hydra

Password Guessing For Specific Username

Hydra is a very impactful tool and also quite easy to use for making a brute force attack on any protocol.

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [service://server[:PORT][/OPT]]                                                                          

Suppose you want to crack password for ftp (or any other) whose username is with you, you only wish to make a password brute force attack by using a dictionary to guess the valid password.

At that moment you should go with the following command where -l option enables username parameter and -P options enables dictionary for the password list.

As you can observe it has found 1 valid password: 123 for username: raj for FTP login.

Username Guessing For Specific Password

Suppose you want to crack username for FTP (or any other) whose password is with you, you only wish to make a username brute force attack by using a dictionary to guess the valid username. Hence it is a vice-versa situation compared to the above situation.

At that moment you should go with the following command where -L option enables dictionary for username list and -p options enables password parameter.

As you can observe it has found 1 valid username: raj for the password: 123 FTP login.

Cracking Login Credential

Suppose you want to crack username and password for FTP (or any other), wish to make username and password brute force attack by using a dictionary to guess the valid combination

At that moment you should go with the following command where -L option enables dictionary for username list and – P options enables dictionary for a password list.

As you can observe it has found 1 valid username: raj for password: 123 FTP login.

Use of Verbose or Debug Mode for Examining Brute Force

You can use -V option along with each command, with the help of verbose mode you can observe each attempt for matching the valid combination of username and password. If you will observe the given below image; then you will find there are 5 usernames in the user.txt file (L=5) and 5 passwords in a pass.txt file (P=5) and hence the total number of login attempts will be 5*5=25.

Even you can use -d option that enables debug and verbose mode together and shows complete detail of attacking mode.

As you can observe the verbose mode is showing each attempt for matching valid credential for username and password with the help of user.txt and pass.txt as well as debug mode is showing wait-time, con-wait, socket, send pid and received pid

NULL/Same as Login/Reverse login Attempt

Using option -e along with nsr enables three parameter null/same as login/reverse login while making brute force attack on the password field, if you will observe the given below image then you will notice that this time L=5 and automatically P=8 which means now the total number of login tries will be 5*8=40.

As you can observe with every username, it is trying to match the following combination along with the password list.

Login “root” and pass “” as null password

Login “root” and pass “root” as same as the login

Login “root” and pass “toor” as the reverse of login

Save Output to Disk

For the purpose of the record maintenance, better readability, and future references, we will save the output of the hydra brute force attack in a file. To this, we will use the parameter -o of the hydra to save the output in a text file.

Now that we have successfully executed the command, now let’s traverse to the location to ensure whether the output has been saved on the file or not. In this case, our location for output is /root /output.txt.

Resuming the Brute Force Attack

Sometimes while making brute force, the attack gets paused/halt or cancel accidentally at this moment to save your time you can use -r option that enables resume parameter and continue the brute-forcing from the last dropped attempt of the dictionary instead of starting it from the 1st attempt.

Now you can observe the output result from the given below image where after pressing ctrl C it stopped the attack and then type hydra -R to resume the attack and continue it.

Password Generating Using Various Set of Character

Hydra has -x option that enables password generation option that involves following instructions:

-x MIN:MAX:CHARSET

MIN is used to specify the minimum number of characters in the password

MAX is used to specify the maximum number of characters in the password

CHARSET is used to specify a specification of the characters to use in the generation valid CHARSET values are: ‘a’ for lowercase letters, ‘A’ for uppercase letters, ‘1’ for numbers, and for all others, just add their real representation.

-y disables the use if the above letters as placeholders

Now suppose we want to try 123 as the password for that I should set MIN=1, MAX=3 CHARSET 1 for generating a numeric password for the given username and run following command as said.

As you can observe it has found 1 valid password: 123 for username: raj for FTP login.

Now suppose we want to try abc as the password for that I should set MIN=1, MAX=3 CHARSET a for generating lowercase character password for the given username and run following command as said.

As you can observe it has found 1 valid password: abc for username: shubham for FTP login.

Attacking on Specific Port Instead of Default

Due to security concern; the network admin can change the port number of a service on another port. Hydra makes brute force attack on the default port of service as you can observe in above all attacks it has automatically made the attack on port 21 for FTP login.

But you can use -s option that enables specific port number parameter and launch the attack on mention port instead of default port number.

Suppose on scanning the target network; I found FTP is running port 2121 instead of 21, therefore, I will execute the following command for FTP login attack.

As you can observe it has found 1 valid password: 123 for username: raj for FTP login.

Making Brute Force Attack on Multiple Host

If you want to use a user-pass dictionary on multiple hosts in a network then you can use -M option that enables the host list parameter and make brute force attack using the same dictionary and will try the same number of login attempt on each HOST IP mentioned in the host’s list.

Here you can observe I had saved two host IP in a text file and then used the following command to make brute force attack on multiple hosts by using the same dictionary.

As you can observe it has found 2 valid FTP logins for each Host.

Suppose you had given a list of multiple targets and wish to finish the brute force attack as soon as it has found the valid login for any host IP, then you should use -F options which enables finish parameter when found valid credential for either host from inside the host list.

As you can observe it has found 1 valid FTP logins for 192.168.1.108 and finished the attack.

Disclaimer by Hydra – Please do not use in military or secret service organizations, or for illegal purposes.

Author: Shubham Sharma is a Technical Writer, Researcher and Penetration tester contact here

Leave a Reply

Your email address will not be published. Required fields are marked *