Skip to content
heschl.dev

hydra

Hydra is a command line tool used to brute force credentials. Hydra supports a multitude of protocols and schemes.

Simple usage

GET Requests with HTTP basic auth

Terminal window
hydra -C /path/to/wordlist 1.2.3.4 -s 1337 -uf http-get /path
  • -C: Singular, combined (username:password) wordlist to use.
  • 1.2.3.4: Target system.
  • -s: Target port.
  • -u: Iterate through users before passwords. E.g. Try all users on a password before trying the next password.
  • -f: Stop searching for more valid credentials after finding the first valid.
  • http-get: Try the credentials via HTTP basic auth.
  • /path: The path to try the credentials on with HTTP basic auth.

Separate username and password list

Terminal window
hydra -L /path/to/usernames -P /path/to/passwords -uf 1.2.3.4 -s 1337 <attack-method>
  • -L: Wordlist to use for usernames.
  • -P: Wordlist to use for passwords.
  • -u: Iterate through users before passwords. E.g. Try all users on a password before trying the next password.
  • -f: Stop searching for more valid credentials after finding the first valid.
  • 1.2.3.4: Target system.
  • -s: Target port.
  • <attack-method>: How hydra should try to use the credentials. For instance, HTTP basic auth.

Known/static username or password

Terminal window
hydra -P /path/to/passwords -l "known-username" 1.2.3.4 -s 1337 -f <attack-method>
Terminal window
hydra -p "known-password" -L /path/to/usernames 1.2.3.4 -s 1337 -f <attack-method>

You can have either -p or -l lowercase, which makes hydra use it as a known, static credential. Uppercase on the other hand will refer to the given wordlist for credentials.

  • -P: Wordlist to use for passwords.
  • -p: Known, static password.
  • -L: Wordlist to use for usernames.
  • -l: Known, static username.
  • 1.2.3.4: Target system.
  • -s: Target port.
  • -f: Stop searching for more valid credentials after finding the first valid.
  • http-get: Try the credentials via HTTP basic auth.
  • /path: The path to try the credentials on with HTTP basic auth.

HTTP POST form encoded data

Terminal window
hydra -L /path/to/usernames -P /path/to/passwords 1.2.3.4 -s 1337 -uf http-post-form "/<path>:username=^USER^&password=^PASS^:F=<failure-string>"
  • -L: Wordlist to use for usernames.
  • -P: Wordlist to use for passwords.
  • 1.2.3.4: Target system.
  • -s: Target port.
  • -u: Iterate through users before passwords. E.g. Try all users on a password before trying the next password.
  • -f: Stop searching for more valid credentials after finding the first valid.
  • http-post-form: Send a post request with the following form encoded data.
  • /path: The path to try the credentials on with HTTP basic auth.
  • ^USER^: Where in the form encoded data to inject the username.
  • ^PASS^: Where in the form encoded data to inject the password.
  • <failure-string>: A string which, when present in the response, indicates a login failure.

SSH

Terminal window
hydra -L /path/to/usernames -P /path/to/passwords -uf ssh://1.2.3.4:1337 -t 4
  • -L: Wordlist to use for usernames.
  • -P: Wordlist to use for passwords.
  • -u: Iterate through users before passwords. E.g. Try all users on a password before trying the next password.
  • -f: Stop searching for more valid credentials after finding the first valid.
  • 1.2.3.4: Target system.
  • :1337: Target port.
  • -t: Reduce the number of threads to 4. SSH, by default, blocks more than 4 simultaneous connections.

FTP

Terminal window
hydra -L /path/to/usernames -P /path/to/passwords -uf ftp://1.2.3.4
  • -L: Wordlist to use for usernames.
  • -P: Wordlist to use for passwords.
  • -u: Iterate through users before passwords. E.g. Try all users on a password before trying the next password.
  • -f: Stop searching for more valid credentials after finding the first valid.
  • 1.2.3.4: Target system.

Saving progress

Hydra by default saves the current progress when aborting a scan. Using hydra -R the last run can be resumed from where it was aborted.

References

  1. hydra GitHub repository