Hydra is a brute force online password cracking program, a quick system login password “hacking” tool.
Hydra can run through a list and “brute force” some authentication services. Imagine trying to manually guess someone’s password on a particular service (SSH, web application form, FTP or SNMP): we can use Hydra to run through a password list and speed this process up for us, determining the correct password. It works the same way as ffuf; the difference is that ffuf is used for finding endpoints and Hydra is used for passwords.
Commands
The options we pass into Hydra depend on which service (protocol) we’re attacking. For example, if we wanted to brute force FTP with the username being user and a password list being rockyou.txt, we’d use the following command:
hydra -l user -P rockyou.txt ftp://TARGET_IP
For this deployed machine, here are the commands to use Hydra on SSH and a web form (POST method).
SSH
hydra -l <username> -P <full path to pass> TARGET_IP -t 4 ssh
Option | Description |
---|---|
-l | specifies the (SSH) username for login |
-P | indicates a list of passwords |
-t | sets the number of threads to spawn |
For example, hydra -l root -P rockyou.txt TARGET_IP -t 4 ssh will run with the following arguments:
- Hydra will use root as the username for ssh
- It will try the passwords in the rockyou.txt file
- There will be four threads running in parallel as indicated by -t 4
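On the defending side, the SSH run described above shows up in the server's auth log as a burst of failed logins for one username from one address. The following is an added example, not part of the original notes: a small Python detector run over constructed sshd log lines. The host name, addresses, the threshold of 5 failures in 60 seconds and the function name find_bruteforce are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog format (not from a real host):
# eight rapid failures for root from one address, plus an ordinary user's typos.
SAMPLE_LOG = "\n".join(
    [f"Mar  3 10:15:{s:02d} web01 sshd[{2200 + s}]: Failed password for root "
     f"from 203.0.113.7 port {40100 + s} ssh2" for s in range(1, 9)]
    + ["Mar  3 10:16:10 web01 sshd[2301]: Failed password for alice from 198.51.100.20 port 51514 ssh2",
       "Mar  3 10:21:44 web01 sshd[2302]: Failed password for alice from 198.51.100.20 port 51520 ssh2",
       "Mar  3 10:21:59 web01 sshd[2303]: Accepted password for alice from 198.51.100.20 port 51522 ssh2"]
)

# Matches sshd failed-password lines, including the "invalid user" variant.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return {(source_ip, username): peak_failures} for every pair that
    reaches `threshold` failed logins inside a sliding `window`."""
    recent = defaultdict(deque)   # (ip, user) -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and unrelated lines are ignored
        # Syslog timestamps carry no year, so one is assumed (the `year` argument).
        stamp = " ".join(m.group(1).split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        key = (m.group(3), m.group(2))
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


if __name__ == "__main__":
    for (ip, user), count in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force: {count} failures for {user} from {ip}")
```

The two spaced-out failures for alice stay below the threshold, so only the burst against root is reported.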
Post Web Form
We can use Hydra to brute force web forms too. You must know which type of request it is making; GET or POST methods are commonly used. You can use your browser’s network tab (in developer tools) to see the request types or view the source code.
sudo hydra -l <username> -P <wordlist> TARGET_IP http-post-form "<path>:<login_credentials>:<invalid_response>"
Option | Description |
---|---|
-l | the username for (web form) login |
-P | the password list to use |
http-post-form | the type of the form is POST |
<path> | the login page URL, for example, login.php |
<login_credentials> | the username and password used to log in, for example, username=^USER^&password=^PASS^ |
<invalid_response> | part of the response when the login fails |
-V | verbose output for every attempt |
Below is a more concrete example Hydra command to brute force a POST login form:
hydra -l <username> -P <wordlist> TARGET_IP http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
- The login page is only /, i.e., the main IP address.
- The username is the form field where the username is entered
- The specified username(s) will replace ^USER^
- The password is the form field where the password is entered
- The provided passwords will be replacing ^PASS^
- Finally, F=incorrect is a string that appears in the server reply when the login fails