This article explains what Hydra is and how we can use this tool to crack remote authentication services. You can find more information about Hydra in the Advent of Cyber room on TryHackMe.
What is Hydra?
Hydra is a powerful brute force tool; a quick password ‘hack’ tool for system logins.
We can use Hydra to cycle through a list and ‘brute force’ an authentication service. Imagine you are trying to manually guess passwords on a particular service (SSH, web application form, FTP or SNMP): Hydra can cycle through the password list for you and speed up the process of determining the correct password.
Hydra supports the following protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
For more information on the options of each protocol in Hydra, read the official Kali Hydra tools page here.
This shows how important it is to use a strong password: if your password is common, contains no special characters or is no more than 8 characters, it will be easily guessed. 100 million password lists exist that contain common passwords, so when a front-end application uses an easy-to-guess login password, you should change that password. Usually CCTV cameras and web frameworks use admin:password as the default credentials, which are very easy to hack.
If you are using Kali Linux, then Hydra is already installed. If not, you can download it here.
If you don’t have Linux or a suitable desktop environment, you can deploy your own Kali Linux machine with all the necessary security tools. You can even control Linux in your browser here.
How to use Hydra?
The options we pass into Hydra depend on the service (protocol) we are attacking. For example, if we wanted to bruteforce FTP with the username as user and the list of passwords as passlist.txt, we would use the following command:
hydra -l user -P passlist.txt ftp://192.168.0.1
You can download a password list from the post World Password Latest.
For the purposes of the Christmas challenge, here are the commands to use Hydra over SSH and the web form (POST method).
hydra -l <username> -P <full path to pass> <ip> -t 4 ssh
Explanation of options:
- -l: the username to log in as
- -P: the password list to use
- -t: the number of threads to use
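From the defender's side, a run like the SSH command above appears in the sshd log as a burst of failed password attempts from a single source. The following Python detector is an added example, not part of the original article or of Hydra; the log lines, the threshold of 5 failures within 30 seconds, and the year (syslog timestamps carry none) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth-log lines (not from the original page).
# 203.0.113.7 and 198.51.100.20 are documentation-range addresses.
SAMPLE_LOG = """\
Dec 12 10:00:01 host sshd[1001]: Failed password for user from 203.0.113.7 port 40001 ssh2
Dec 12 10:00:01 host sshd[1002]: Failed password for user from 203.0.113.7 port 40002 ssh2
Dec 12 10:00:02 host sshd[1003]: Failed password for user from 203.0.113.7 port 40003 ssh2
Dec 12 10:00:02 host sshd[1004]: Failed password for user from 203.0.113.7 port 40004 ssh2
Dec 12 10:00:03 host sshd[1005]: Failed password for user from 198.51.100.20 port 51000 ssh2
Dec 12 10:00:04 host sshd[1006]: Failed password for user from 203.0.113.7 port 40005 ssh2
Dec 12 10:00:09 host sshd[1007]: Accepted password for user from 198.51.100.20 port 51002 ssh2
Dec 12 10:00:10 host sshd[1008]: Failed password for invalid user admin from 203.0.113.7 port 40006 ssh2
"""

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, threshold=5, window_seconds=30, year=2024):
    """Return {source_ip: time the threshold was first reached} for every
    source with `threshold` failed logins inside a sliding time window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(m["ip"], ts)
    return flagged

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}, threshold reached at {when}")
```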
Post Web Form
We can also use Hydra to brute force web forms. You will have to make sure you know the form's request type; the GET and POST methods are commonly used. You can use the Network tab in the browser (press F12 for the developer tools) to see the request method types.
Here is an example of the Hydra command to brute force a login form using the POST method.
hydra -l <username> -P <password list> <ip> http-post-form "/<login url>:username=^USER^&password=^PASS^:F=incorrect" -V
Explanation of options:
- -l: a single username
- -P: indicates to use the following password list
- http-post-form: indicates the method type (POST)
- /login url: the login page URL
- username: the form field where the username is entered
- ^USER^: tells Hydra to use the username
- password: the form field where the password is entered
- ^PASS^: tells Hydra to use the previously provided password list
- Login: indicates to Hydra the failed login message
- Login failed: the login failed message returned by the form
- F=incorrect: if this word appears on the page, the attempt is incorrect
- -V: verbose output for every attempt
You should now have enough information about Hydra to practice and complete the Hydra Christmas challenge.