[Tutorial] Password Attacks With Hydra
#1
Hydra Tutorial
Welcome to my tutorial on password attacks with hydra. Hydra is a network-based brute force/dictionary attack tool. It can be used to crack several different network logins. Among them are RDP, SSH, telnet, FTP, and many more. Hydra is fast, pretty simple to use, and very configurable. We're going to be using it from Kali Linux since it's usually preinstalled and Kali is widely available. You could easily use it on many other OSs though. To install it in Kali (if it's not already), enter this command in a terminal:
Code:
sudo apt update -y && sudo apt install -y hydra
 
We're primarily going to be attacking SSH, since I have it on hand in my own network and it's a common thing to run across in the wild. I don't recommend using hydra on systems you don't own, because that's illegal in a lot of countries. If it's not illegal in your country, then I somewhat envy you and wish you good luck. Hydra requires a few things from us. Firstly we need a target IP or hostname. I'm going to be attacking my Ubuntu server at 192.168.1.2. If you want to attack it too, I give you full permission to follow along and try to brute force 192.168.1.2 XD. We also need a wordlist for the usernames we're going to try, and a wordlist of passwords. Kali usually has some in /usr/share/wordlists and metasploit has some in /usr/share/metasploit-framework/data/wordlists. I personally prefer using the SecLists wordlists: https://github.com/danielmiessler/SecLists. It has a lot of default passwords, common credentials, and some good wordlists. Just pick a good password list and username list. We're not going to use these right away, but we'll need them later. To try a username/password, enter the following command:
Code:
hydra -l root -p password ssh://192.168.1.2
 
This will try to login to 192.168.1.2's SSH with the username root and password "password". Pretty easy, right? But we don't want to change the password every two seconds, so let's give it a password list. Just make sure to make the "P" an uppercase one since the arguments are case sensitive. Use whatever password list you want.
Code:
hydra -l root -P /usr/share/wordlists/password.lst ssh://192.168.1.2
 
How long this takes depends on how long your wordlist is, how fast the network you're on is, and how fast the server responds. On a LAN it should be pretty fast. I don't really recommend running this over TOR unless you bring the speed down a bit. Brute forcing/dictionary attacks do make a lot of network traffic after all. You'll take bandwidth away from people trying to use TOR like a normal human being. We can also specify a username list by making the "l" uppercase and giving it the path to our wordlist.
Code:
hydra -L /path/to/user.list -P /path/to/password.list ssh://192.168.1.2
 
Something you have to understand about hydra is that it doesn't just guess a password and wait for the response, then try another, and so on. It has several threads running at the same time, which is why it's fast. The default thread count is 16. So that's 16 threads guessing user/pass combos at once. You may have noticed hydra recommending 4 threads for SSH, which brings me to our next option: the "-t" flag. This flag sets the number of threads we have.
Code:
hydra -L /path/to/userlist -P /path/to/passlist -t 4 ssh://192.168.1.2
 
This is what you would use to tone down the speed when running this over TOR. Keep the thread count low (less than 5) to prevent you from eating up TOR bandwidth. 5 threads is still quite a bit of traffic, but definitely not as bad as the default 16. Another useful flag is the "-f" flag. It makes hydra stop after it finds a valid login. So if you're just looking to crack one account then this is useful. We're not going to go over every flag, because I also want to share some general password cracking knowledge. The last command line option is the "ssh://IP" part itself. Just change the "ssh" to whatever the service name is you want to attack. For example "ftp://192.168.1.2" or "rdp://192.168.1.2". Hydra also has the option to supply a list of hosts to attack. When you're using that you don't specify the IP address. You just specify the service like so:
Code:
hydra -l root -p root -M host.list ssh
 
The rest of this is just password cracking tips and recommendations. Questions and comments are welcome.
  • When using hydra over TOR or proxies, turn down the thread count. Saves TOR bandwidth.
  • When you're using TOR or proxies, focus your attack more. Keep wordlists shorter because doing all this over TOR/proxy will drop the performance and speed a lot.
  • Password spraying. It's a technique other than dictionary/brute forcing you can try. Instead of trying ten million user/pass combos, use a larger wordlist of usernames and a few weak passwords. This technique is popular in Active Directory environments because if you try too many passwords on a single account, you'll lock the account out. So try a large list of usernames and less than 10 passwords or so. For hydra, you need to specify the -u option. This tries the first password on all the usernames, then the next password on all the usernames, and so on. This is a good technique to root out the weak password accounts. Of course you also have to take honeypots into consideration.
  • Fail2ban: fail2ban is an IPS (intrusion prevention system) that will block your IP with the system firewall if you have too many failed logins. It can work with several services, but it's used with SSH a good amount. It's pretty configurable so knowing exactly how to tune it depends on your situation. You could always use several proxies with the -R option. For example you could write a script that would guess a few logins, switch proxies, then use the -R option to pick up where it left off. You could always just limit the speed of the password cracking too. There's no way to tell ahead of time if fail2ban is present on a system (that I know of). A good indicator would be if you suddenly start getting blocked by the firewall when you weren't at the beginning.
  • Website (HTTP) cracking. I don't really like using hydra for cracking website logins. The reason being, it's kind of finicky and you have to configure it quite a bit. It's pretty unreliable if you don't configure it right as well. It's just a pain in the butt when you could use other tools that are made for it.
  • If you start popping a lot of accounts with weak credentials on a single system, that shit is probably a honeypot. Leave it alone. If it seems too good to be true, it probably is. This tip may be kind of irrelevant since we're not doing illegal things. But if you ever go into pentesting or ever decide to become an APT, you may run into honeypots.
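A defender-side counterpart to the spraying and fail2ban points above, added here as an example and not part of the original post: a small Python script that reads constructed sshd auth-log lines and tells a single-account brute force (the -l root -P list pattern) apart from a password spray (the -L users -u pattern). The log format is OpenSSH's standard "Failed password" line; the thresholds, sample IPs and usernames are assumptions you would tune for your own environment.

```python
import re
from collections import defaultdict

# OpenSSH logs one of these per rejected password attempt (auth.log or the journal).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def classify_sources(log_text, brute_threshold=5, spray_users=5):
    """Map each source IP to 'brute-force', 'spray', 'brute-force+spray' or 'low'.
    brute-force: one account failed >= brute_threshold times from the same IP.
    spray: >= spray_users distinct accounts tried from the same IP, each only a
    few times (thresholds are assumed values; tune them to your own baseline)."""
    per_ip_user = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:  # lines that are not a failed-password record are ignored
            per_ip_user[m["ip"]][m["user"]] += 1
    result = {}
    for ip, users in per_ip_user.items():
        labels = []
        if max(users.values()) >= brute_threshold:
            labels.append("brute-force")
        if len(users) >= spray_users:
            labels.append("spray")
        result[ip] = "+".join(labels) or "low"
    return result

# Constructed sample log (not real traffic): 10.0.0.5 hammers root, 10.0.0.9
# tries one password against five accounts, 10.0.0.20 is a user mistyping once.
SAMPLE_LOG = """\
Jan 10 12:00:01 ubuntu sshd[1201]: Failed password for root from 10.0.0.5 port 51234 ssh2
Jan 10 12:00:01 ubuntu sshd[1202]: Failed password for root from 10.0.0.5 port 51235 ssh2
Jan 10 12:00:02 ubuntu sshd[1203]: Failed password for root from 10.0.0.5 port 51236 ssh2
Jan 10 12:00:02 ubuntu sshd[1204]: Failed password for root from 10.0.0.5 port 51237 ssh2
Jan 10 12:00:03 ubuntu sshd[1205]: Failed password for root from 10.0.0.5 port 51238 ssh2
Jan 10 12:05:10 ubuntu sshd[1301]: Failed password for invalid user admin from 10.0.0.9 port 40001 ssh2
Jan 10 12:05:11 ubuntu sshd[1302]: Failed password for invalid user test from 10.0.0.9 port 40002 ssh2
Jan 10 12:05:12 ubuntu sshd[1303]: Failed password for ubuntu from 10.0.0.9 port 40003 ssh2
Jan 10 12:05:13 ubuntu sshd[1304]: Failed password for invalid user oracle from 10.0.0.9 port 40004 ssh2
Jan 10 12:05:14 ubuntu sshd[1305]: Failed password for invalid user pi from 10.0.0.9 port 40005 ssh2
Jan 10 12:09:00 ubuntu sshd[1401]: Failed password for alice from 10.0.0.20 port 50000 ssh2
Jan 10 12:09:05 ubuntu sshd[1401]: Accepted password for alice from 10.0.0.20 port 50000 ssh2
"""

if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE_LOG).items():
        print(f"{ip:<12} {label}")
```

Fail2ban's sshd filter matches the same log line, but it only counts total failures per IP, so a slow spray across many accounts can stay under its maxretry; the per-user versus distinct-user split here is what separates the two patterns.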
#2
Interesting thread Dismal.

Going to give this a try myself. Just need to set up a local host first with something else. And yeah I can see it being a pain to deal with for http cracking. Sites are so different, different security mechanisms, captcha etc. Maybe it would be better to use more specialized tools like Sentry MBA for that.