Hydra is a powerful and flexible password-cracking tool that is used for performing brute-force attacks against various types of authentication protocols, including HTTP, FTP, SMTP, and more. It is widely utilized by security professionals and penetration testers to test the strength of passwords and assess the security of network services.

(It is important to note that its official name is THC-Hydra and that is how you will find the documentation and everything you may need on the internet – at this GitHub repo.)

As the introduction of the repo states, Number one of the biggest security holes are passwords, as every password security study shows.

Brute-forcing a password basically means that we start trying different username-password combinations until we get the one that works. It is about luck (e.g., selecting the proper wordlist is crucial), but it is also a pure numbers game.

Image taking an iPhone and trying to unlock it with going: 0000. Incorrect. 0001. Incorrect. 0002… and so on until it unlocks at e.g. 6679. Now, obviously, this would take a lot of time on an iPhone as after every 3 consecutive incorrect tries it will lock the phone for 5+ minutes. But there are certain situations where such limitations do not exist and we can try guessing as many times as we wish.

Different applications/protocols work differently and handle user authorization differently, therefore the “under the hood” mechanics of how trying a set of credentials looks is different. Hydra is a versatile tool because it supports a huge number of different protocols (supports = could be used to crack).

Based on the documentation, currently Hydra supports the following protocols:

Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP,
HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

And indeed, Hydra is an amazing tool – but let’s face it, if you do not use it properly, it becomes a massive time suck and a source of frustration and discouragement… There are protocols (e.g. FTP or SSH), where the whole process is pretty straightforward and there is not really anything to mess up. If the cracking actually starts then everything is OK.

But with other protocols – e.g. http-post-form = cracking sign in forms of web applications – a lot of things could go wrong when setting up, but still, the brute forcing will proceed. Nobody wants to run a password cracking on a box for several hours that results in “no found password”, only to realize later that the actual password was indeed in the wordlist used – and the reason the cracking did not work is that Hydra wasn’t set up properly…

It has been a recurring experience for me to try brute-forcing a login page or port with Hydra on a box, spending several hours waiting for the result and get a “no password found” message – only to check a walk through and see that the actual password was on the list I used, but the way I specified the success/failure conditions was incorrect.

What I did is that I went back to those boxes and worked on the Hydra command – using different tools to check what is actually happening in the background) and reading the documentation – until I figured out what was missing for the successful crack.

HOW TO USE HYDRA:

Obviously, understanding the full workings of Hydra would take a lot more than a post, so there will be certain things that I am going to just brush over quickly.

Generally, way to use Hydra is:

1. Specify the username-password pairs that we want to try.
2. Set our target (that we are attacking).
3. Specify the type of service we want to brute-force.

So at the most basic, we provide the credentials, the target and the service, hit Enter and let it go.

To go a bit deeper, let’s check Hydra’s man page. Under SYNOPSIS, we see the possible flags that we can use:

hydra
    [[[-l LOGIN|-L FILE] [-p PASS|-P FILE|-x OPT -y]] | [-C FILE]]
    [-e nsr] [-u] [-f|-F] [-M FILE] [-o FILE] [-b FORMAT]
    [-t TASKS] [-T TASKS] [-w TIME] [-W TIME] [-m OPTIONS] [-s PORT]
    [-c TIME] [-S] [-O] [-4|6] [-I] [-vV] [-d]
    server service [OPTIONS]

The above output could be broken down in the following way:

1. Line: [[[-l LOGIN|-L FILE] [-p PASS|-P FILE|-x OPT -y]] | [-C FILE]] – describes how we can provide the credentials that should be used during the brute forcing.
   • -C – provide a file path to a file that contains a list of possible credentials in a colon separated “login:pass” format.
   • If we do not have a file to use the -C option:
     • -l LOGIN|-L FILE – this means that we either provide a single username (“admin”) – if we know that an actual user exists of us the -L option and try a list of usernames by providing a file path.
     • For the password we have 3 options:
     • -p PASS|-P FILE
     • -x option and have hydra generate a list of passwords
2. Line: contains some further options on how Hydra should perform the attack. The most import are:
   • -u by default Hydra checks all passwords for one login and then tries the next login. This option loops around the passwords, so the first password is tried on all logins, then the next password.
   • -f exit after the first found login/password pair (if we are scanning a list of usernames with a list of passwords, we could decide to just find 1 pair of credentials that works, or find all the pairs).
   • -o FILE write found login/password pairs to FILE instead of stdout

Also, we should include the protocol/service we are attacking.

If we want to understand deeper how the attack against a certain protocol should be done, we can use the hydra -U servicename, e.g. hydra -U http-post-form.