top of page
Writer's pictureKyser Clark

How to Brute Force Password Logins Using Hydra: A Step-by-Step Guide

THC Hydra Logo

Being a cybersecurity professional, it is essential for you to be able to test the strength of passwords. Brute-forcing password logins are something I’d like to visit, and we’ll do just that in this post! The tool we will use is THC Hydra, one of the most potent tools a cybersecurity professional can use. I will also discuss some basic techniques to help you further ‘polish’ your attacks. Hydra is versatile enough to use whether you want to conduct penetration tests or get ready for a Capture the Flag (CTF) challenge.


Related Video:


Introduction to THC Hydra

The very widely used password-cracking tool THC Hydra supports many protocols, such as SSH, FTP, and HTTP. Hydra knows all about brute-force attacks; it tries different username and password combinations until it finds working login details.


Basic Hydra Command Breakdown

The Hydra command is straightforward, and here's the basic format:

hydra -l [username] -P [password_wordlist] [target_ip] [protocol]

Let’s break it down step by step:

  • -l [username]: This flag specifies the username. In our example, the username is molly.

  • -P [password_wordlist]: This flag indicates the path to your password list. We’re using rockyou.txt, which is included in Kali Linux.

  • [target_ip]: The IP address of the target machine.

  • [protocol]: Will tell Hydra which protocol you want to attack, for example, SSH, FTP, or HTTP.


For instance, if you want to brute-force SSH logins, the command would look like this:

hydra -l molly -P /usr/share/wordlists/rockyou.txt 192.168.1.10 ssh

If you haven't already unzipped rockyou, you can do this:

sudo gzip -d /usr/share/wordlists/rockyou.txt.gz

This will brute force the molly login using all passwords from the rockyou.txt word list.


Brute Force Usernames

Sometimes, during engagements or CTFs, you will encounter a password but not know what username it's associated with. Hydra also allows you to specify a wordlist for usernames if you’re unsure which username to target and hard-code a password if you know it but need to brute-force the username.


Example: Brute-forcing Usernames with a Known Password

hydra -L /path/to/username_list.txt -p [known_password] [target_ip] ssh

Note that this command uses a capital -L instead of a lowercase -l and a lowercase -p instead of an uppercase -P.


A capital letter means you are specifying a wordlist, whereas a lowercase letter means you are specifying a hard-coded value.


Customizing Ports

Sometimes, services like SSH or FTP don’t run on their default ports. For instance, SSH might run on port 2222 instead of the default port 22. To account for this, you can use the -s flag to specify a custom port:

hydra -l molly -P /usr/share/wordlists/rockyou.txt -s 2222 192.168.1.10 ssh

Using Hydra for HTTP Logins

Brute-forcing HTTP logins requires capturing the form submission details, which are slightly more complex than other protocols like SSH or FTP.

Here’s how you can do it:


  1. Capture HTTP Post Requests The easiest way to capture a login form’s request is through the browser’s developer tools. Both Firefox and Chrome allow you to inspect network traffic by pressing F12 and going to the Network tab.

    • Fill in some dummy login credentials (e.g., username: test and password: testpass) on the target site.

    • Hit the login button and locate the POST request under the Network tab. This is the form request that Hydra will brute-force.


  2. Get the Raw Request Data

    • In Firefox or Chrome, click the Raw or Source option to view the entire request.

    • Copy this raw data into your notes because you’ll need it for the Hydra command.


Setting Up Hydra for HTTP POST Forms

Once you have the form data, you can construct the Hydra command to brute-force the login form.


Here’s a basic structure for brute-forcing an HTTP POST form:

hydra -l [username] -P [password_wordlist] [target_ip] http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials"
  • /login: This is the login page path. Every website is different, and this value can vary, e.g., /admin/login or /user/login.

  • ^USER^ and ^PASS^: These placeholders allow Hydra to dynamically replace the username and password from the wordlists.

  • Invalid credentials: This is the error message returned when login fails. You’ll need to copy the exact error message from the web page after a failed login attempt. If this message contains a colon :, omit the colon to avoid breaking Hydra’s command syntax.


Troubleshooting Hydra for HTTP

If you encounter a situation where Hydra reports multiple successful passwords, it’s a strong indicator that something is wrong with your setup—most likely the login fail text. Ensure that you’ve captured the exact login fail message from the website and that no colons exist within it.


Additionally, not all web forms can be brute-forced with Hydra. Some sites do not have clear fail texts or use complex forms with anti-bot protections, which can interfere with Hydra’s operation.


Complex HTTP Login Forms

Many websites have more complex login forms, including additional fields like cookies or hidden values. In these cases, you must include the entire request payload when constructing your Hydra command. Tools like Burp Suite or browser developer tools (via F12) are invaluable for capturing this information.


For example:

hydra -l [username] -P [password_wordlist] [target_ip] http-post-form "/account/login.aspx:username=^USER^&password=^PASS^&token=xyz:Invalid login"

This example includes a hidden token field (token=xyz) that’s often required in modern web applications.


Using Burp Suite for HTTP Brute Force Attacks

While Hydra is a fantastic tool for brute-forcing login credentials, sometimes you’ll need more granular control over your HTTP requests. This is where Burp Suite comes in. Using Burp Suite, you can capture complex login requests and integrate those with Hydra for more advanced attacks.


Here’s how:

  1. Open Burp Suite and intercept the login request from your target site.

  2. Inspect the request payload for any hidden fields or tokens that need to be included.

  3. Modify your Hydra command to match the request structure, using the same steps outlined earlier for simpler HTTP POST forms.


Check out my dedicated Burp Suite video here for more in-depth tutorials on Burp Suite.


Conclusion

Hydra is an extremely powerful tool for password cracking across various protocols, including SSH and HTTP. While brute-forcing is a basic technique, mastering tools like Hydra and auxiliary tools such as Burp Suite will significantly enhance your ability to conduct penetration tests and CTFs.


To recap, we covered:

  • Basic brute-forcing commands for SSH.

  • Advanced techniques for brute-forcing usernames or changing ports.

  • How to brute-force HTTP login forms, including complex form structures.

  • The importance of using Burp Suite for capturing and analyzing web application requests.


If you found this guide useful, be sure to subscribe to my YouTube channel for more tutorials on hacking and cybersecurity. Learning tools like Hydra and Burp Suite are essential if you’re serious about becoming a professional pentester.


Disclaimer

Attention readers: This post is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.




133 views

Related Posts

See All
bottom of page