A brute force attack is a security breach in which an attacker systematically tries all possible combinations of passwords or encryption keys until the correct one is found. This method involves using automated tools or scripts to repeatedly attempt different combinations until the attacker gains access to a system, network, or encrypted data.

TryHackMe’s Hydra Lab : https://www.tryhackme.com/room/hydra

Disclaimer:

Keep in mind that using such tools for unauthorized access or any malicious activities is illegal and against ethical standards. Always ensure that you have the necessary permissions and legal rights before attempting to use password-cracking tools.

Hydra stands out as a widely utilized open-source password cracking tool employed by ethical hackers and penetration testers. It is designed for executing brute-force attacks on login credentials across diverse network protocols such as FTP, HTTP, SSH, Telnet, among others. Employing a variety of attacking techniques including dictionary attacks and brute-force attacks. Hydra endeavors to predict passwords, thereby enabling unauthorized access to targeted systems.

Today, we will conduct an in-depth exploration into the password-cracking process for two prominent services using the Hydra tool.

To install Hydra on Kali Linux, you can use the following steps:

1. Open a terminal on your system.
2. Update the package repository by running the following command :

sudo apt update

3. Once the update is complete, you can install Hydra using the following command :

sudo apt install hydra

4. After completion of this process, You can verify the installation by checking the version of Hydra :

hydra --version

This command should display the installed version of Hydra on your system.

In this article, we will see how we can bruteforce password of various services including SSH, HTTP, FTP, etc.

You can try this tool Here on TryHackMe. You can explore all the options provided by Hydra by simply executing the below command:

hydra -h

If you want to crack a password using Hydra, you will need some files for that. If you know the username, you don’t need any wordlist for the username, but if you don’t have any username, Hydra will take a list of usernames from a wordlist and use a combination of all usernames and passwords to crack the password.

Here is the command that can be used for HTTP-POST-FORM:

hydra -l <username> -P <password-wordlist> <web-url or ip-address> http-post-form "/<login page url>:<login request>:F=<error message>"

Description:

In the above command, observe the following options:

• -l: If you have a specific username, use this option.
• -L: This option is used when you don't have any specific username and want to provide a wordlist for the username.
• -P: This option is used for providing a password wordlist.
• <web-url or ip-address>: Write the IP address or the URL of the website.
• http-post-form: Indicates that the web page is using HTTP POST forms. Alternatively, if the web page is using GET forms, you can use http-get-form.
• "/<login page url>:<login request>:F=<error message>": Defines the target page, login request parameters, and error message.

Now let’s jump to the actual lab of TryHackMe. Let’s break down the below command and understand it.

hydra -l molly -P /usr/share/wordlist/rockyou.txt 10.10.127.113 http-post-form "/login:username=^USER^&password=^PASS^:F=Your username or password is incorrect."

In this command, the username is “molly,” and Kali Linux already has a password wordlist named “rockyou.txt.” This wordlist contains 14 million passwords from RockYou company, which experienced a data breach in 2009.

Other than this, one more parameter is the website IP address — 10.10.127.113.

"/login:username=^USER^&password=^PASS^:F=Your username or password is incorrect.": In this line, you can see that the login page is at 10.10.127.113/login, so the parameter is provided as /login.

Here you can see that I found one credential with username “molly” and password “sunshine.”

Note: You can find this header by intercepting the request using Burp Suite.

If the victim user is using a service called SSH, you can retrieve its password using Hydra.

To retrieve the victim’s system password, you need three things:

• username (optional)
• IP address of the user
• wordlist (containing possible passwords)

Here is the command that can be used for the SSH service:

hydra -l <username> -P <password-wordlist> <victim-IP-address> -t 4 ssh

Description:

• -l: Specify the username of the victim system.
• -P: Specify the password wordlist.
• <victim-IP-address>: Provide the IP address of the system.
• -t: Specify the number of threads you want to use. Here we are using 4 threads.
• At last, it is provided that Hydra will attack on SSH.

Note :

• You can use the -L flag and specify the username wordlist if you don't know the username of the victim system.
• It should be noted that SSH server can run on ports other than 22. To specify the port number, use the -s flag followed by the port number.

Let’s try this command with the TryHackMe machine:

hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.127.113 -t 4 ssh

Here you can see that I found one credential with username “molly” and password “butterfly.”

Note:

• If you are in Kali Linux, you will find all your wordlists in ‘/usr/share/wordlists’ directory.
• -v: You can use this flag to see each test run by Hydra.

You can use Hydra for other services like FTP, HTTP-GET, Telnet, SMTP, etc.

Hydra works by attempting to log in with different username and password combinations until a valid one is found. It supports parallelized attacks, making it faster and more efficient.