Networking | Programming | Security | Linux | Computer Science | About

Hydra: Online Password Hacking

Best known as ‘THC-Hydra’, hydra is a powerful online password attack tool that uses brute force and other password cracking combinations on live internet services such as http, https, smtp, snmp, ssh, smb, and telnet among others. This tool supports over 30 protocols including those secured with SSL and brute force services using wordlists and userlists.

Hydra working modes

Hydra has four working modes:

What makes Hydra one-of-a-kind password cracking tool is that it is a fast connection bruteforcer that is also flexible with tons of new modules always available to add with ease. There are lots of password lists out there that a hacker will get familiar using, you can find them with a simple Google search.

Hydra Commands

For a brute force kind of password cracking to work, no matter which tool you use, you need to have a list of possible passwords that the software will use. You can also use a list of passwords that comes with John the Ripper - it is pretty much the same thing.

If you are using Kali Linux, you can find Hydra by going to:

Applications > Password Attacks > Online Attacks > Hydra

If you're not using Kali, you can install by using your usual package manager. On Debian/Ubuntu, if its not installed you can run the following command to install:

sudo apt-get install hydra hydra-gtk

When you run hydra, it should open on the terminal. Alternatively, you can easily use the command hydra on the terminal to initiate this tool.

Hydra uses the following command for a typical basic attack:

hydra -l username -p passwordlist target

The username is a single username such as “user” or “admin” or can be a list of usernames. The passwordlist is typically a text file that contains the possible passwords to match the username, and the target is the service or host to that authenticates the credentials. The target can be an IP address and port number or a specific web form field.

You can check the passwords that come with Kali Linux default in the directory /usr/share/wordlists by first going to the directory:

root@kali: ~# cd /usr/share/wordlists

Then listing the contents of the directory:

root@kali: /usr/share/wordlists# ls

dirb fasttrack.txt metasploit-jtr w3af.txt 
dirbuster fern-wi-fi metaspoilt-pro 
sqlmap dnsmap.txt nmap.lst wfuzz.txt

To use hydra to crack a password, use the command format illustrated in the previous example, replacing the placeholders username, passwordlist, and target with actual information.

Using Hydra on web forms

There is a level of complexity in using Hydra on web forms because you have to provide more information parameters that the form needs. However, the syntax is pretty much the same as above.

To use hydra on a web form, you will need the URL, form parameters, and failure string instead of the IP. This means your command would be structured like this:

root@kali: /usr/share/wordlists# hydra -l admin -p /usr/share/wordlists/mypasswords.txt 8080

Unfortunately, using Hydra on a webform is beyond the scope of this article. I could go into detail with demonstrations and examples, but this tool alone would need an entire website to cover how you can use it to hack into Facebook, Gmail, or any other formidable online service.

The most critical of the parameters required to crack an online web form using Hydra is the failure string. This is the text that the form returns when Hydra attempts incorrect username and, or password combinations. This information is vital because Hydra needs to know when an attempt fails so it can move on to the next attempt.

You can read more and discover the many features, and practical examples of using Hydra and its advanced features on the Kali Linux web page here.

Published on Fri 02 July 2010 by Hatty Jenkins in Security with tag(s): password hacking