Hydra | Authentication Cracker

Hydra is a versatile authentication cracker, but syntax is often the biggest challenge in using it. There's little room for error, and the tool doesn't specifically guide you through the issues it raises.

by Johann Van Niekerk

Hydra | Authentication Cracker


You are able to download hydra at the hydra github page

Hydra is a authentication cracker that goes through a list of users (or a single user) and then uses the list of passwords (or a single password) to authenticate against a protocol or service. This is the difference compared to password crackers like hashcat & john the ripper and similar tools. Hydra will go ahead and validate the username/password combination when trying to login and if successful, will return the user the correct combination.

If you can imagine sending hundreds or thousands of password login requests; Then if the security is the same as your phone or other personal devices, you will likely be locked and unable to try again. Depending on service, protocol, or security; Hydra can be the right tool for the job or the wrong tool.

There are many tools that can perform the same actions, and they may have limit thresholds such as Burp Suit that require a "pro" version to work at full speed, or tools that target a particular authentication method but do not work with other protocols. Hydra can be used in many situations to decipher numerous protocols skillfully and efficiently; knowing Hydra is very important for your set of tools when pentesting.

Bruteforce Protocols

The below is an example of how to tackle different protocols; there is a legend below to explain all the options which is all denoted with "$" that is user-input required.

Options Explained:

Some of the various options being used below. There are plenty more when using hydra -h when crafting your setup.

$RHOST		:Remote Host IP/Target IP or domain
-l $username:user name
-L $FILE 	:Wordlist such as usernames or passwords
-p $password:password
-P $FILE	:Wordlist such as usernames or passwords
-s $RPORT   :Specify a port if it not the default port 80 such as port 8080
-V			:Verbosity, display more information while tool is running
-u			:Loop around 'users' wordlist
-I 			:Immediate start, normally hydra waits for previous attempt
-t $NUMBER  :Threads, be aware that some protocols require reduced threads as it won't process the connections in quick succession

Protocol Examples and their Syntax:

Tackling different protocols and services using the correct syntax but be wary of the -t 30 switch as some protocols don't respond well with higher thread numbers.

        hydra -l $administrator -P $WORDLIST $RHOST smb -t 1 -V -I
            #Users /usr/share/seclists/Usernames/top-usernames-shortlist.txt
            #Pass /usr/share/seclists/Passwords/Common-Credentials/best15.txt
        hydra -l $administrator -P $WORDLIST rdp://$RHOST -t 1 -V -I
        hydra -L $FILE -P $WORDLIST $RHOST ldap2 -V -I -t 30
        hydra -P $WORDLIST $RHOST snmp -V -I -t 30
        hydra -L $FILE -P $WORDLIST $RHOST ftp -V -I -t 30 
        hydra -L $FILE -P $WORDLIST $RHOST ssh -u -V -I -t 30
        hydra -l $username -P $WORDLIST $RHOST pop3 -V -I -t 30
        hydra -P $WORDLIST $RHOST smtp -V -I -t 30
        hydra -L $FILE -P $WORDLIST telnet://$RHOST

Bruteforce Webapps

Options explained:

Some of the various options being used below. There are plenty more when using hydra -h when crafting your setup.

http-post-form   :Target parameter
http-get-form    :Target parameter
-e nsr           :Optional, attempts 'null', 'backwards' username as password
^USER^			 :Required in the place where you want to test usernames
^PASS^ 			 :Required in the place where you want to test passwords
H= $HEADER:$HEADERcontent     :Using a Header to test for incorrect attempts

The syntax for tackling website authentication cracking is that you require a few parts to complete the checks and then the below is an example of how it can be done.

Syntax explained:

Setup for the post parameter; sending a login "post" request.

Three parts separated by colon to specify the login page and details:

For the login variables, we need to find what the correct variables are on the page and then we need to tell Hydra that this is the location where I want you to put the username and that is the location I want you to put the password. For example:

Bruteforcing passwords

^USER^       :Tell Hydra to put usernames or name here
^PASS^       :As above but with passwords or password

hydra -l john -P /usr/share/wordlist/rockyou.txt http-post-form "/blog/login:user=^USER^&pword=^PASS^:Your login attempt was incorrect username or password."
example of correct syntax

Bruteforcing usernames

Hydra can also brute force usernames. This could be beneficial on website content managers such as wordpress, that will specifically tell you "The user name doesn't exist" or along those lines. This is useful information for a pentester.

hydra -L /usr/share/wordlist/usernames.txt -p anything http-post-form "/blog/login:user=^USER^&pword=^PASS^:Username was incorrect."

The THREE parts explained

Get The Correct Variable Names

In order to properly utilize Hydra, it is important to get the syntax correct and that includes the variables name you are passing to hydra in the event of a web application login page. The below are some visuals to assist in understanding the location of the variables and then using the variables correctly.

Sending an initial 'test' login
Inspecting the source code
Locating the variable names

Or with burp suite:

Locating the variable names, burp suite

Note: It is not always the case that the variable is called 'username' and 'password'. It entirely depends on the code running and so the variable could be 'user' 'usr' 'anything'. This is the reason you need to look at either the source code or through burp suite, both will return the correct info for the structure of your hydra command


	hydra -l molly -P Rockyou.txt $RHOST http-post-form "/login:username=^USER^&password=^PASS^:your username or password is incorrect" -t 30 -I -V

Additional Examples of POST/GET parameters

    hydra -l $USER -P $FILE $RHOST http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:The password you entered for the username" -t 30 -I -V

    hydra -e nsr -l $USER -P $FILE $RHOST http-get-form "/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: PHPSESSID=v4js1i3dkt0jrlcv8lvj238ur5; security=low" -t 30 -I -V
    hydra -L $FILE -P $FILE http-get://$RHOST/

#BASIC AUTHENTICATION (login to view page)
    hydra -e nsr -l $USER -P $FILE $RHOST -s $RPORT http-get /protected -I -V -t 30

And finally, if you enjoyed the content and want to see more; I need coffee to stay awake and this is not a bribe. 👌