How to use Hydra to Brute Force Password

What is Hydra?

Hydra is one of the tools commonly used by hackers and security researchers. This tool is available in Kali Linux versions and is used to perform Brute Force Password attacks, also known as password sniffers.

In this article, I will show you how to perform a brute force attack with Hydra on FTP, MYSQL, SMB, SMTP, SSH and Web Login Auth Server.

I have an analysis about Brute Force and how to prevent it very detailed, if you want to learn more about this method, you should read this article carefully.

Wordlist

When attacking Brute Force, you need to have a list of characters available to use to guess username and password. You should use WordList set Kaonashi or set Worldlist shared by Natuts.

Username WordList:

Hydra allows you to Brute Force both username, if you don’t know the username you can also try WorldList, to use Hydra to find Username you have to modify the parameter -l user Fort -L user.txt (user.txt is the file containing the list of usernames used to detect passwords).

Password WordList

Is a list of passwords you will use to try to log in to the Web or SSH, FTP …., as mentioned above, I usually use the Password WordList collection of Natuts.

How to use Hydra to detect passwords for network services

Brute Force SSH using Hydra

Attack command:

hydra -l user -P passwords.txt IP_VICTIM ssh

or

hydra -L user.txt -P passwords.txt IP_VICTIM ssh

Brute Force Login Website with Hydra

Attack command:

hydra -l user -p passwords.txt IP_VICTIM http-post-form '/path/login:username_field&password_field=^PASS^:wrong'

Replace /path/login:username_field&password_field= with the link and the login file in the HTML link

wrong: if this word appears on the page, the password is not correct

How to get Username Field and Password Field:

• Username Field: open Firefox press F12 -> Network -> Send Login.
• Password Field: open Firefox press Firefox F12 -> Network -> Send Login.

Or you can use Burp Suite to catch Request.

Brute Force FTP

Attack command:

hydra -l user -P passwords.txt IP_VICTIM ftp

Brute Force MYSQL

hydra -l user -P passwords.txt IP_VICTIM mysql

Brute Force SMB

hydra -l user -P passwords.txt IP_VICTIM smb

On Kali Linux there is also an interface version of Hydra, which may be easier to use than the command line Hydra to Brute Force, but in my opinion you should get in the habit of using the command line to get used to Linux and when installing Hydra. other operating systems you can easily use. Now there are also Hydra Windows versionbut I have not used it, if you have used it, please comment below.