THC Hydra
Hydra is a parallelized network login cracker: it tries username/password pairs against a live service over the network and supports a large number of protocols. It is an online guessing tool, fast and flexible, and widely used for credential testing; cracking captured hashes offline is the job of hashcat or John the Ripper, not Hydra.
Installation
Linux/Ubuntu
# Install from repositories
sudo apt update
sudo apt install hydra hydra-gtk
# Build from source (optional protocol modules are compiled only if their
# development libraries are installed, e.g. libssl-dev and libssh-dev on
# Debian/Ubuntu; ./configure prints which ones it found, so check that
# summary before running make, or the module will silently be missing)
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
sudo make install
# Verify: the banner carries the version (there is no version flag; -v is
# verbose mode)
hydra -h 2>&1 | head -n 1
macOS
# Homebrew
brew install hydra
# Or MacPorts
sudo port install hydra
Windows
# Upstream supports Windows only through Cygwin; the practical route is WSL
# with the Ubuntu package above (sudo apt install hydra inside the WSL shell)
# Chocolatey (community package)
choco install hydra
# Source releases (no prebuilt Windows binaries):
# https://github.com/vanhauser-thc/thc-hydra/releases
Basic Usage
Simple SSH Attack
# Single password per user
hydra -l admin -p password123 ssh://192.168.1.100
# Multiple users, multiple passwords
hydra -L users.txt -P passwords.txt ssh://192.168.1.100
# Specify port (-s, or append :port to the target)
hydra -l admin -p password -s 2222 ssh://192.168.1.100
hydra -l admin -p password ssh://192.168.1.100:2222
# Save results to a file (they are still printed to stdout)
hydra -o results.txt -l admin -P passwords.txt ssh://192.168.1.100
Common Protocols
# SSH
hydra -l admin -P passwords.txt ssh://192.168.1.100
# FTP
hydra -l admin -P passwords.txt ftp://192.168.1.100
# HTTP basic auth (http-get; https-get for TLS)
hydra -l admin -P passwords.txt http-get://web.example.com/
# HTTP form (http-post-form): the module options are the URL path, the POST
# body with ^USER^/^PASS^ placeholders, and the failure string, separated by
# colons and quoted as one argument
hydra -l admin -P passwords.txt web.example.com http-post-form "/login.php:user=^USER^&pass=^PASS^:F=Login Failed"
# SMTP
hydra -l admin -P passwords.txt smtp://192.168.1.100
# Telnet
hydra -l admin -P passwords.txt telnet://192.168.1.100
# VNC (password only, no username, so -l/-L are not needed)
hydra -P passwords.txt vnc://192.168.1.100
# MySQL
hydra -l root -P passwords.txt mysql://192.168.1.100
# PostgreSQL
hydra -l postgres -P passwords.txt postgres://192.168.1.100
# FTP over TLS (ftps module, implicit TLS, default port 990)
hydra -l admin -P passwords.txt ftps://192.168.1.100
Input Options
| Flag | Description |
|---|---|
| -l <login> | Single username |
| -L <file> | Username list (one per line) |
| -p <pass> | Single password |
| -P <file> | Password list (one per line) |
| -C <file> | Combo file (login:password per line); replaces -l/-L/-p/-P, cannot be combined with them |
| -x <min>:<max>:<charset> | Generate passwords of min to max characters; a = lowercase, A = uppercase, 1 = digits, any other character is used literally |
| -e nsr | Extra checks per login: n = empty password, s = password equal to the login, r = login reversed |
| -u | Loop through users before passwords, so each password is tried against every account first (implied by -x) |
| -s <port> | Non-standard port (or append :port to the target) |
| -M <file> | Target list, one host per line, host:port allowed |
Performance Options
Parallelization
# Parallel connections per target (-t, default 16). SSH daemons cap the number
# of unauthenticated sessions (MaxStartups), so Hydra itself recommends -t 4
# for ssh
hydra -t 4 -l admin -P passwords.txt ssh://192.168.1.100
# Parallel targets when using a host list (-T); total concurrency is -T x -t
hydra -M hosts.txt -T 4 -t 4 -l admin -P passwords.txt ssh
# Wait time between connects, per thread (-W, seconds)
hydra -W 1 -l admin -P passwords.txt ssh://192.168.1.100
# Wait time per login attempt across all threads (-c, forces -t 1): the
# option to use when a lockout policy dictates the pace
hydra -c 2 -l admin -P passwords.txt ssh://192.168.1.100
# Response timeout (-w, seconds, default 32); a value that is too low turns
# slow replies into false negatives
hydra -w 5 -l admin -P passwords.txt ssh://192.168.1.100
Performance Tuning
# Aggressive (fast; trips rate limits and alerting, and SSH daemons drop
# connections above MaxStartups, so hits can be missed)
hydra -t 16 -l admin -P passwords.txt ssh://192.168.1.100
# Moderate (one-second pause between connects on each thread)
hydra -t 8 -W 1 -l admin -P passwords.txt ssh://192.168.1.100
# Conservative (single connection, one attempt every 3 s; check the target's
# lockout threshold and window first, then pick -c so no account crosses it)
hydra -c 3 -l admin -P passwords.txt ssh://192.168.1.100
Output Options
Logging & Display
# Verbose output
hydra -v -l admin -P passwords.txt ssh://192.168.1.100
# Very verbose
hydra -vv -l admin -P passwords.txt ssh://192.168.1.100
# Save results to file
hydra -o results.txt -l admin -P passwords.txt ssh://192.168.1.100
# Machine-readable output (-b json; jsonv1 selects the older schema)
hydra -b json -o results.json -l admin -P passwords.txt ssh://192.168.1.100
# Only show successful logins (result lines start with [port][service] host:)
hydra -l admin -P passwords.txt ssh://192.168.1.100 2>/dev/null | grep -E '^\[[0-9]+\]\[[a-z0-9-]+\] host:'
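Hydra's text output is fine to eyeball but awkward to feed into a report or a credential-reuse check, and a grep loses the password when it contains spaces. The parser below is an added example, not Hydra's own code and not part of the original page; it reads the text format shown above (the `[port][service] host: ... login: ... password: ...` lines that `-o` writes) and turns it into quoted CSV. The sample output it runs on is constructed here to match that format, and the hosts and credentials in it are placeholders.

```shell
#!/bin/sh
# Constructed sample of Hydra's text output (the same lines -o writes to a
# file): run header, two SSH hits, one VNC hit (no login field) and the
# summary line. Hosts and credentials are placeholders.
SAMPLE_HYDRA_OUTPUT='# Hydra v9.5 run at 2025-03-30 10:00:00 on 192.168.1.100 ssh (hydra -l admin -P passwords.txt ssh://192.168.1.100)
[DATA] attacking ssh://192.168.1.100:22/
[22][ssh] host: 192.168.1.100   login: admin   password: Password123
[2222][ssh] host: 192.168.1.101   login: deploy   password: s3cret, with comma
[5900][vnc] host: 192.168.1.102   password: vncpass
1 of 1 target successfully completed, 3 valid passwords found'

# hydra_results_to_csv < hydra_output
# Emits "port,service,host,login,password" followed by one row per credential
# found. Only lines of the form "[port][service] host: ..." are result lines;
# everything else Hydra prints is ignored. The login column is empty for
# services without a username (vnc, snmp). Every field is double-quoted and
# embedded quotes doubled, so passwords containing commas or quotes survive.
hydra_results_to_csv() {
    awk '
    function q(s) { gsub(/"/, "\"\"", s); return "\"" s "\"" }
    BEGIN { print "port,service,host,login,password" }
    /^\[[0-9]+\]\[[a-z0-9-]+\] host: / {
        tag = $1                      # "[22][ssh]" -> "22 ssh"
        sub(/^\[/, "", tag); sub(/\]$/, "", tag); sub(/\]\[/, " ", tag)
        split(tag, ps, " ")
        login = ""
        for (i = 4; i < NF; i++) if ($i == "login:") { login = $(i + 1); break }
        # the password is everything after "password: " (it may contain spaces)
        pw = ""
        n = index($0, "password: ")
        if (n > 0) pw = substr($0, n + 10)
        print q(ps[1]) "," q(ps[2]) "," q($3) "," q(login) "," q(pw)
    }'
}

# hydra_success_count < hydra_output: number of credentials found
hydra_success_count() {
    hydra_results_to_csv | tail -n +2 | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample
printf '%s\n' "$SAMPLE_HYDRA_OUTPUT" | hydra_results_to_csv
```

Run it as `hydra_results_to_csv < results.txt`; when `-b json` is available, `jq` over `results.json` is the cleaner route, and this parser is for the plain text you already have.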
HTTP Form Attacks
Web Login Form
# Identify form fields (View Source or the browser's network tab)
# Username field: username
# Password field: password
# Submit button: login
# Error message: "Login Failed" or similar. Submit one wrong login by hand and
# pick a string that appears only on failure; if the application redirects on
# success, use S= with a string from the success page instead of F=
hydra -l admin -P passwords.txt web.example.com http-post-form \
"/login.php:username=^USER^&password=^PASS^:F=Failed"
# With HTTPS (https-post-form; add -s 8443 for a non-default port)
hydra -l admin -P passwords.txt web.example.com https-post-form \
"/login.php:username=^USER^&password=^PASS^:F=Failed"
# Form with additional static fields. H= adds a request header (the colon in
# it is escaped as \:). A fixed csrf value only works if the server does not
# rotate the token per request; per-request tokens need a wrapper script
hydra -l admin -P passwords.txt web.example.com http-post-form \
"/login.php:user=^USER^&pass=^PASS^&csrf=token&submit=Login:F=Invalid:H=Cookie\: PHPSESSID=abc123"
HTTP Basic Authentication
# Basic auth (the path is the protected resource)
hydra -l admin -P passwords.txt http-get://web.example.com/protected/
# Over TLS
hydra -l admin -P passwords.txt https-get://web.example.com/admin/
# On a specific port
hydra -l admin -P passwords.txt -s 8080 http-get://192.168.1.100/admin/
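Most failed http-post-form runs come down to the option string: a field name retyped wrongly, a hidden field left out, or a failure string that also appears on success. The helper below is an added example, not Hydra's code and not part of the original page. It builds the `path:body:F=...` string from the saved HTML of the login form, so the field names are copied rather than retyped; the login page it parses is constructed here, and the failure string is still yours to determine with one wrong login by hand.

```shell
#!/bin/sh
# Constructed login page, standing in for "View Source" on the real target.
# Field names, the csrf value and the "next" value are placeholders.
SAMPLE_LOGIN_HTML='<html><body>
<form method="post" action="/admin/login.php">
  <input type="text" name="username" placeholder="User">
  <input type="password" name="password">
  <input type="hidden" name="csrf" value="a1b2c3">
  <input type="hidden" name="next" value="/dash:home">
  <input type="submit" name="submit" value="Login">
</form>
</body></html>'

# hydra_form_spec FAILSTRING < page.html
# Turns the first <form> on stdin into the http-post-form option string
# "<action>:<body>:F=<failstring>": the first text/email field becomes ^USER^,
# the password field ^PASS^, hidden and submit fields keep their static
# values, and literal colons inside a value are escaped as \: because Hydra
# uses the colon as its option separator.
hydra_form_spec() {
    awk -v fail="$1" '
    function attr(rec, name,    s, q, v, e) {       # value of name="..." or name=...
        q = "\""; s = index(rec, " " name "=\"")
        if (s == 0) { q = "\047"; s = index(rec, " " name "=\047") }
        if (s == 0) return ""
        v = substr(rec, s + length(name) + 3)
        e = index(v, q)
        return e ? substr(v, 1, e - 1) : v
    }
    function esc(v,    n, p, i, out) {               # "a:b" -> "a\:b"
        n = split(v, p, ":"); out = p[1]
        for (i = 2; i <= n; i++) out = out "\\:" p[i]
        return out
    }
    BEGIN { RS = "<" }                               # one tag per record
    { rec = $0; gsub(/[ \t\r\n]+/, " ", rec) }
    tolower(substr(rec, 1, 5)) == "form " && action == "" { action = attr(rec, "action") }
    tolower(substr(rec, 1, 6)) == "input " {
        t = tolower(attr(rec, "type")); n = attr(rec, "name")
        if (n == "") next
        if (t == "password") val = "^PASS^"
        else if ((t == "text" || t == "email" || t == "") && !user) { val = "^USER^"; user = 1 }
        else if (t == "hidden" || t == "submit" || t == "text") val = esc(attr(rec, "value"))
        else next                                    # checkboxes, radios, buttons
        body = body (body == "" ? "" : "&") n "=" val
    }
    END { printf "%s:%s:F=%s\n", action, body, fail }'
}

# Stand-alone demo on the constructed page
printf '%s\n' "$SAMPLE_LOGIN_HTML" | hydra_form_spec "Invalid login"
```

Usage against a real target: save the page with `curl -s http://web.example.com/admin/login.php > login.html`, then run `hydra -l admin -P passwords.txt web.example.com http-post-form "$(hydra_form_spec 'Invalid login' < login.html)"`. Values are taken as they appear in the HTML, so a per-session CSRF token baked in this way is only valid for as long as the server accepts it.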
Database Attacks
MySQL
# Standard port
hydra -l root -P passwords.txt mysql://192.168.1.100
# Custom port
hydra -l root -P passwords.txt -s 3307 mysql://192.168.1.100
# Multiple users
hydra -L users.txt -P passwords.txt mysql://192.168.1.100
PostgreSQL
# Connect to postgres
hydra -l postgres -P passwords.txt postgres://192.168.1.100
# Custom port
hydra -l postgres -P passwords.txt -s 5433 postgres://192.168.1.100
# Database to authenticate against (module option; the default is template1)
hydra -l postgres -P passwords.txt -m dbname postgres://192.168.1.100
Advanced Techniques
Combo File (user:pass)
# Create combo file
cat << EOF > combo.txt
admin:password123
user:letmein
guest:guest123
EOF
# Use combo file
hydra -C combo.txt ssh://192.168.1.100
# -C replaces -l/-L/-p/-P entirely: each line is tried as exactly one login:password pair
hydra -C credentials.txt mysql://192.168.1.100
Login-Derived Passwords and Spraying
# -e adds checks for every login: n = empty password, s = the login itself as
# password, r = the login reversed (catches admin/admin and root/toor)
hydra -L users.txt -P passwords.txt -e nsr ssh://192.168.1.100
# Password spraying: a few likely passwords across many accounts. -u tries
# each password against every user before moving to the next one, which keeps
# the failure count per account low
hydra -L users.txt -P few_passwords.txt -u ssh://192.168.1.100
Generate Passwords
# Brute-force generation: -x MIN:MAX:CHARSET, where a = lowercase, A = uppercase,
# 1 = digits and any other character is taken literally; -x implies -u
# 6 to 8 characters, lowercase + digits (36^8 combinations at the top end, so
# only viable over the network for short PINs or a known pattern)
hydra -l admin -x 6:8:a1 ssh://192.168.1.100
# Lowercase letters
hydra -l admin -x 6:8:a ssh://192.168.1.100
# Uppercase letters
hydra -l admin -x 6:8:A ssh://192.168.1.100
# Digits
hydra -l admin -x 6:8:1 ssh://192.168.1.100
# Combined (quote the charset: ! and # are special to the shell)
hydra -l admin -x '6:8:aA1!@#' ssh://192.168.1.100:22
Multiple Targets
Batch Processing
# Multiple hosts from file (the service is given as a plain name, not a URI)
hydra -l admin -P passwords.txt -M hosts.txt ssh
# Non-default ports go into the host list as host:port; -s would apply the
# same port to every host, and one target cannot carry several ports
cat << EOF > hosts.txt
192.168.1.100
192.168.1.100:2222
192.168.1.101
192.168.1.102:22000
EOF
hydra -l admin -P passwords.txt -M hosts.txt ssh
# -T sets how many hosts are attacked in parallel; -F stops the whole run
# once any host yields a valid login, -f only the host it was found on
hydra -l admin -P passwords.txt -M hosts.txt -T 4 -F ssh
Practical Examples
SSH Server Brute Force
# Full example
hydra -v -L users.txt -P passwords.txt \
-t 4 \
-f \
ssh://target.example.com
Web Application Login
# Identify target URL and form
# http://web.example.com/admin/login
# Username field: admin_user
# Password field: admin_pass
# Error: "Invalid login"
hydra -l admin -P wordlist.txt -t 5 -v web.example.com http-post-form \
"/admin/login:admin_user=^USER^&admin_pass=^PASS^:F=Invalid login"
SQL Server Attack
# Setup
# mssql://192.168.1.100 (default port 1433)
hydra -l sa -P passwords.txt \
mssql://192.168.1.100 \
-t 5
Special Options
Exit Options
# Stop after the first valid login (per host when used with -M)
hydra -f -l admin -P passwords.txt ssh://192.168.1.100
# With -M, stop the whole run as soon as any host yields a valid login
hydra -F -M hosts.txt -l admin -P passwords.txt ssh
# Default: continue until every login/password pair has been tried
hydra -l admin -P passwords.txt ssh://192.168.1.100
Miscellaneous
# Response timeout in seconds (-w, default 32); this is not a delay between attempts
hydra -w 30 -l admin -P passwords.txt ssh://192.168.1.100
# Suppress connection-error messages (-q)
hydra -q -l admin -P passwords.txt ssh://192.168.1.100
# Force a TLS connection (-S) for services that have no separate TLS module
hydra -S -l admin -P passwords.txt ftp://192.168.1.100
# Treat a, A and 1 in the -x charset as literal characters instead of class
# placeholders (-y). There is no dry-run mode; -V prints every attempt
hydra -y -l admin -x 4:4:a1 ssh://192.168.1.100
# Resume an aborted run from hydra.restore in the current directory (-R)
hydra -R
# Ignore an existing hydra.restore and start fresh (-I)
hydra -I -l admin -P passwords.txt ssh://192.168.1.100
Wordlist Management
Create Wordlists
# Common patterns
cat << EOF > passwords.txt
password
123456
password123
admin
letmein
welcome
monkey
dragon
EOF
# Extract from existing lists
grep "^admin" /usr/share/wordlists/rockyou.txt > admin_passwords.txt
# Remove duplicates while keeping the order (most likely guesses first;
# sort | uniq would reorder the list)
awk '!seen[$0]++' passwords.txt > passwords_unique.txt
# Count entries: every entry is one network attempt per user, so size the
# list against the target's lockout policy before starting
wc -l passwords.txt
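A generic list like rockyou.txt is the wrong tool for an online attack: the lockout policy allows a handful of attempts per account, so the few entries tried have to be the ones this target's users would actually pick. The generator below is an added example, not part of Hydra or of the original page; it expands seed words gathered from the target (company name, products) into the usual casing, year and trailer variants, drops anything shorter than the policy's minimum length, and de-duplicates without reordering. The seed words are constructed placeholders.

```shell
#!/bin/sh
# Constructed seed words (company name, product, a variant spelling), the
# kind of list a tester collects from the target's website; placeholders only.
SAMPLE_SEEDS='acme
Acme Corp
widget
ACME'

# gen_targeted_wordlist MINLEN < seeds
# Expands each seed into the mangled forms people actually choose:
# lowercase / Capitalised / UPPER, then an optional year, then an optional
# trailer (!, 123, @). Whitespace inside a seed is dropped ("Acme Corp" ->
# "AcmeCorp"). Candidates shorter than MINLEN (take it from the target's
# password policy) are discarded, and duplicates are removed while keeping
# first-seen order so the most likely guesses stay at the top of the list.
gen_targeted_wordlist() {
    tr -d ' \t\r' | awk -v minlen="${1:-8}" '
    BEGIN {
        ny = split(",2023,2024,2025", years, ",")   # "" = no year
        nt = split(",!,123,@", trailers, ",")       # "" = no trailer
    }
    NF == 0 { next }
    {
        base[1] = tolower($0)
        base[2] = toupper(substr($0, 1, 1)) tolower(substr($0, 2))
        base[3] = toupper($0)
        for (b = 1; b <= 3; b++)
            for (y = 1; y <= ny; y++)
                for (t = 1; t <= nt; t++) {
                    cand = base[b] years[y] trailers[t]
                    if (length(cand) < minlen || (cand in seen)) continue
                    seen[cand] = 1
                    print cand
                }
    }'
}

# Stand-alone demo: feed the constructed seeds through the generator
printf '%s\n' "$SAMPLE_SEEDS" | gen_targeted_wordlist 8
```

Four seeds become 123 candidates here, which is still far too many for one account under a typical 5-attempts-per-15-minutes policy; combine the list with `-u` and `-c` so the attempts spread across users and time rather than pile onto one login, and add `-e nsr` for the login-derived cases the generator does not cover.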
Troubleshooting
Common Issues
Connection Refused
# Verify target is reachable
nc -zv 192.168.1.100 22
# Try different port
hydra -s 2222 -l admin -P passwords.txt ssh://192.168.1.100
Slow Performance
# Increase threads for services that tolerate it (not SSH: sshd's MaxStartups
# drops connections beyond the first few unauthenticated sessions, so stay at
# -t 4 there or hits will be missed)
hydra -t 16 -l admin -P passwords.txt ftp://192.168.1.100
# Reduce wordlist
head -100 passwords.txt > passwords_small.txt
hydra -l admin -P passwords_small.txt ssh://192.168.1.100
False Negatives
# Increase the response timeout (-w, seconds); a timeout that is too short
# counts slow replies as failed logins
hydra -w 10 -l admin -P passwords.txt ssh://192.168.1.100
# Show every attempt (-V) to confirm the lists are read as intended, plus
# -d for protocol-level debugging
hydra -V -l admin -P passwords.txt ssh://192.168.1.100
# For http-post-form, a wrong F= string is the usual cause: check it against
# one known-bad and one known-good login before trusting a run
Security Notes
- Only test systems you are authorized to test, with the authorization in writing
- Check the target's lockout policy first and size -t, -W/-c and the wordlist so no account crosses the threshold; -u spreads attempts across accounts
- Expect detection: bursts of failed logins are what IDS, WAF and SIEM rules look for, and a test that must stay quiet needs -c delays, not -t 16
- Document every run (command line, time window, targets); keep the -o output as the record
- hydra.restore and -o files contain cleartext credentials: protect them and delete them when the engagement ends
- Consider the legal implications of every target in a host list, not just the primary one
- Test during the agreed windows and inform the blue team, unless the exercise is meant to test them
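The "monitor for IDS triggers" advice is easier to follow when you know what the other side sees. The detector below is an added example, not from the page or from Hydra; it runs over sshd log lines and flags the signature a default-speed Hydra run leaves in auth.log: many "Failed password" events from one source within seconds, spread across several usernames, sometimes ending in an "Accepted" login. The log lines are constructed here in syslog format, with documentation-range addresses.

```shell
#!/bin/sh
# Constructed sshd lines in syslog format: a Hydra-style burst from
# 203.0.113.7 (five failures in three seconds across three usernames, then a
# successful login) and one unrelated failure from 198.51.100.4. Both
# addresses are documentation ranges, not real hosts.
SAMPLE_AUTH_LOG='Mar 30 10:00:01 web1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51000 ssh2
Mar 30 10:00:01 web1 sshd[1202]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Mar 30 10:00:02 web1 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
Mar 30 10:00:02 web1 sshd[1204]: Failed password for admin from 203.0.113.7 port 51006 ssh2
Mar 30 10:00:03 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar 30 10:00:03 web1 sshd[1206]: Connection closed by authenticating user admin 203.0.113.7 port 51010 [preauth]
Mar 30 10:00:04 web1 sshd[1207]: Accepted password for admin from 203.0.113.7 port 51012 ssh2
Mar 30 10:05:00 web1 sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2'

# ssh_bruteforce_report THRESHOLD WINDOW < auth.log
# Reports every source IP that produced at least THRESHOLD "Failed password"
# events within WINDOW seconds of one another (a sliding window over that
# IP's own failures, so a slow -c 30 run stays under a 5-in-60s rule while
# -t 16 does not). An "Accepted" login from an IP already flagged marks it
# COMPROMISED. Output: ip failures distinct_users verdict, one line per IP.
# Timestamps are read as seconds within the day, so a window spanning
# midnight is not handled.
ssh_bruteforce_report() {
    awk -v thr="${1:-5}" -v win="${2:-60}" '
    function secs(hms,    p) { split(hms, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    function src_ip(    i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "" }
    / sshd\[[0-9]+\]: Failed password for / {
        ip = src_ip(); if (ip == "") next
        user = ($9 == "invalid" && $10 == "user") ? $11 : $9
        t = secs($3)
        nfail[ip]++; ft[ip, nfail[ip]] = t
        if (!((ip, user) in seen)) { seen[ip, user] = 1; nusers[ip]++ }
        recent = 0
        for (k = 1; k <= nfail[ip]; k++) if (ft[ip, k] >= t - win) recent++
        if (recent >= thr) flagged[ip] = 1
        next
    }
    / sshd\[[0-9]+\]: Accepted / {
        ip = src_ip()
        if (ip in flagged) compromised[ip] = 1
    }
    END {
        for (ip in flagged)
            printf "%s %d %d %s\n", ip, nfail[ip], nusers[ip], (ip in compromised) ? "COMPROMISED" : "brute-force"
    }' | sort
}

# Stand-alone demo: 5 failures within 60 s flags the burst
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_bruteforce_report 5 60
```

Run it as `ssh_bruteforce_report 5 60 < /var/log/auth.log`. The same burst run with `-c 30` produces one failure every 30 seconds and never reaches five inside the window, which is the practical meaning of the "conservative" settings earlier on the page; a rule keyed on distinct usernames per source catches the spray variant that a per-account threshold misses.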
Last updated: 2025-03-30