Hydra
Hydra is a fast network login cracker that supports numerous attack protocols. It is a versatile tool that can brute-force a wide range of services, including web applications, remote login services like SSH and FTP, and even databases.
Hydra’s popularity stems from its:
- Speed and Efficiency: Hydra utilizes parallel connections to perform multiple login attempts simultaneously, significantly speeding up the cracking process.
- Flexibility: Hydra supports many protocols and services, making it adaptable to various attack scenarios.
- Ease of Use: Hydra is relatively easy to use despite its power, with a straightforward command-line interface and clear syntax.
Installation
Hydra often comes pre-installed on popular penetration testing distributions. You can verify its presence by running:
hydra -h
If Hydra is not installed or you are using a different Linux distribution, you can install it from the package repository:
sudo apt-get -y update
sudo apt-get -y install hydra
Basic Syntax
Hydra’s basic syntax is:
hydra [login_options] [password_options] [attack_options] [service_options] service://server
Login Options
| Option | Description | Example |
|---|---|---|
-l LOGIN | Specify a single username | hydra -l admin ... |
-L FILE | Specify a file containing a list of usernames | hydra -L usernames.txt ... |
Password Options
| Option | Description | Example |
|---|---|---|
-p PASS | Provide a single password | hydra -p password123 ... |
-P FILE | Provide a file containing a list of passwords | hydra -P passwords.txt ... |
-x MIN:MAX:CHARSET | Generate passwords dynamically | hydra -x 6:8:aA1 ... |
The -x option generates passwords on-the-fly:
MIN:MAXspecifies the password length rangeCHARSETdefines the character set to use (e.g.,afor lowercase,Afor uppercase,1for numbers)
Attack Options
| Option | Description | Example |
|---|---|---|
-t TASKS | Define the number of parallel tasks (threads) to run, potentially speeding up the attack | hydra -t 4 ... |
-f | Fast mode: Stop the attack after the first successful login is found | hydra -f ... |
-s PORT | Specify a non-default port for the target service | hydra -s 2222 ... |
-v | Verbose output: Display detailed information about the attack’s progress | hydra -v ... |
-V | Very verbose output: Display even more detailed information | hydra -V ... |
Hydra Services
Hydra services essentially define the specific protocols or services that Hydra can target. They enable Hydra to interact with different authentication mechanisms used by various systems, applications, and network services. Each module is designed to understand a particular protocol’s communication patterns and authentication requirements, allowing Hydra to send appropriate login requests and interpret the responses.
| Service | Protocol | Description | Example Command |
|---|---|---|---|
ftp | File Transfer Protocol (FTP) | Used to brute-force login credentials for FTP services, commonly used to transfer files over a network | hydra -l admin -P /path/to/password_list.txt ftp://192.168.1.100 |
ssh | Secure Shell (SSH) | Targets SSH services to brute-force credentials, commonly used for secure remote login to systems | hydra -l root -P /path/to/password_list.txt ssh://192.168.1.100 |
http-get | HTTP GET | Used to brute-force login credentials for HTTP web login forms using GET requests | hydra -l admin -P /path/to/password_list.txt http-get://example.com/login |
http-post | HTTP POST | Used to brute-force login credentials for HTTP web login forms using POST requests | hydra -l admin -P /path/to/password_list.txt http-post-form "/login.php:user=^USER^&pass=^PASS^:F=incorrect" |
smtp | Simple Mail Transfer Protocol | Attacks email servers by brute-forcing login credentials for SMTP, commonly used to send emails | hydra -l admin -P /path/to/password_list.txt smtp://mail.server.com |
pop3 | Post Office Protocol (POP3) | Targets email retrieval services to brute-force credentials for POP3 login | hydra -l user@example.com -P /path/to/password_list.txt pop3://mail.server.com |
imap | Internet Message Access Protocol | Used to brute-force credentials for IMAP services, which allow users to access their email remotely | hydra -l user@example.com -P /path/to/password_list.txt imap://mail.server.com |
rdp | Remote Desktop Protocol | Targets RDP services to brute-force credentials for remote desktop connections | hydra -l administrator -P /path/to/password_list.txt rdp://192.168.1.100 |
telnet | Telnet | Targets Telnet services for remote terminal access | hydra -l admin -P /path/to/password_list.txt telnet://192.168.1.100 |
mysql | MySQL | Targets MySQL database servers | hydra -l root -P /path/to/password_list.txt mysql://192.168.1.100 |
postgres | PostgreSQL | Targets PostgreSQL database servers | hydra -l postgres -P /path/to/password_list.txt postgres://192.168.1.100 |
HTTP Form-Based Authentication
For HTTP form-based authentication, Hydra uses a specific syntax:
http-post-form "/path/to/login.php:field1=^USER^&field2=^PASS^:failure_string"
^USER^and^PASS^are placeholders that Hydra replaces with actual credentials- The failure string (after the second
:) helps Hydra identify failed login attempts - Use
F=prefix for failure strings (e.g.,F=incorrect)
Example:
hydra -l admin -P passwords.txt http-post-form "/login.php:user=^USER^&pass=^PASS^:F=incorrect" 192.168.1.100
Password Generation (-x)
The -x option allows Hydra to generate passwords dynamically instead of using a wordlist. This is useful when you have information about password requirements.
Format: -x MIN:MAX:CHARSET
MIN: Minimum password lengthMAX: Maximum password lengthCHARSET: Character set to usea= lowercase lettersA= uppercase letters1= numbers- Custom character sets can be specified directly
Example: If you know the password is 6-8 characters with lowercase, uppercase, and numbers:
hydra -l administrator -x 6:8:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 rdp://192.168.1.100
This command instructs Hydra to:
- Use the username “administrator”
- Generate and test passwords ranging from 6 to 8 characters
- Use the specified character set (lowercase, uppercase, numbers)
- Target the RDP service on 192.168.1.100
Hydra will generate and test all possible password combinations within the specified parameters.
Common Usage Examples
SSH Brute Force
hydra -l root -P /path/to/passwords.txt -t 4 ssh://192.168.1.100
FTP Brute Force with Username List
hydra -L usernames.txt -P passwords.txt ftp://192.168.1.100
HTTP POST Form Attack
hydra -l admin -P passwords.txt http-post-form "/login.php:user=^USER^&pass=^PASS^:F=incorrect" 192.168.1.100
RDP with Password Generation
hydra -l administrator -x 6:8:aA1 rdp://192.168.1.100
SSH on Non-Default Port
hydra -l admin -P passwords.txt -s 2222 ssh://192.168.1.100
Stop After First Success
hydra -l admin -P passwords.txt -f ssh://192.168.1.100
Verbose Output for Debugging
hydra -l admin -P passwords.txt -v ssh://192.168.1.100
Core Takeaways
- Hydra uses parallel connections to speed up brute-force attacks significantly.
- Login options (
-lor-L) specify usernames, while password options (-p,-P, or-x) specify passwords. - The
-xoption allows dynamic password generation based on length and character set requirements. - HTTP form attacks require specific syntax with
^USER^and^PASS^placeholders. - Use
-fto stop after the first successful login, and-v/-Vfor detailed output. - Adjust
-tto control parallel threads, balancing speed against detection risk.