Hydra Tool

Hydra Description

The National Security Agency released the source code of Ghidra, its reverse engineering tool, April 4, 2019. This source code repository includes instructions to build on all supported platforms (macOS, Linux, and Windows). With this release, developers will be able to collaborate by creating patches, and extending the tool to fit their. Hydra Tool MTK Module - Mediatek Overtake. Hydra MTK v1.0.3.30 Added BROM Port-Dump Preloader Flash Init.This function will fix booting issue, if. The lightweight Hydra-Tool (60 lb. Base unit) can be easily moved around the workplace. 37° Flaring The Hydra-Tool is capable of completing 37° flares on steel, stainless steel, copper and aluminum tube from 1/4' (6mm) through 2' (50mm) outside diameters. Presetting The Hydra-Tool is capable of presetting Ferulok. Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to.

A very fast network logon cracker which support many different services.

Currently this tool supports the following protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Homepage: https://www.thc.org/thc-hydra/

Author: Van Hauser, Roland Kessler

License: AGPL-3.0

Hydra Help

Syntax:

Options:

Hydra bruteforce password generation option usage:

Examples:

Hydra Supported Protocols

Supported protocols:

  • asterisk
  • afp
  • cisco
  • cisco-enable
  • cvs
  • firebird
  • ftp
  • ftps
  • http-head
  • https-head
  • http-get
  • https-get
  • http-post
  • https-post
  • http-get-form
  • https-get-form
  • http-post-form
  • https-post-form
  • http-proxy
  • http-proxy-urlenum
  • icq
  • imap
  • imaps
  • irc
  • ldap2
  • ldap2s
  • ldap3
  • ldap3s
  • ldap3-crammd5
  • ldap3-crammd5s
  • ldap3-digestmd5
  • ldap3-digestmd5s
  • mssql
  • mysql
  • nntp
  • oracle-listener
  • oracle-sid
  • pcanywhere
  • pcnfs
  • pop3
  • pop3s
  • postgres
  • rdp
  • redis
  • rexec
  • rlogin
  • rsh
  • rtsp
  • s7-300
  • sip
  • smb
  • smtp
  • smtps
  • smtp-enum
  • snmp
  • socks5
  • ssh
  • sshkey
  • svn
  • teamspeak
  • telnet
  • telnets
  • vmauthd
  • vnc
  • xmpp

Options of Hydra Supported protocols

cisco

Module cisco is optionally taking the keyword ENTER, it then sends an initial ENTER when connecting to the service.

cisco-enable

Module cisco-enable is optionally taking the logon password for the cisco device

Note: if AAA authentication is used, use the -l option for the username and the optional parameter for the password of the user.

Examples:

cvs

Module cvs is optionally taking the repository name to attack, default is '/root'

firebird

Module firebird is optionally taking the database path to attack, default is 'C:Program FilesFirebirdFirebird_1_5security.fdb'

http-get, https-get, http-post, https-post

Module http-get requires the page to authenticate.

For example: '/secret' or 'http://bla.com/foo/bar' or 'https://test.com:8080/members'

http-get-form, https-get-form, http-post-form, https-post-form

Module http-get-form requires the page and the parameters for the web form.

By default this module is configured to follow a maximum of 5 redirections in a row. It always gathers a new cookie from the same URL without variables The parameters take three ':' separated values, plus optional values.

(Note: if you need a colon in the option string as value, escape it with ':', but do not escape a ' with '.)

Syntax:

  • First is the page on the server to GET or POST to (URL).
  • Second is the POST/GET variables (taken from either the browser, proxy, etc. with usernames and passwords being replaced in the '^USER^' and '^PASS^' placeholders (FORM PARAMETERS)
  • Third is the string that it checks for an *invalid* login (by default). Invalid condition login check can be preceded by 'F=', successful condition login check must be preceded by 'S='. This is where most people get it wrong. You have to check the webapp what a failed string looks like and put it in this parameter!

The following parameters are optional:

C=/page/uri

to define a different page to gather initial cookies from

(h|H)=My-Hdr: foo

to send a user defined HTTP header with each request

^USER^ and ^PASS^ can also be put into these headers!

Note: 'h' will add the user-defined header at the end regardless it's already being sent by Hydra or not.

'H' will replace the value of that header if it exists, by the one supplied by the user, or add the header at the end.

Note that if you are going to put colons (:) in your headers you should escape them with a backslash (). All colons that are not option separators should be escaped (see the examples above and below).

You can specify a header without escaping the colons, but that way you will not be able to put colons in the header value itself, as they will be interpreted by hydra as option separators.

Examples:

http-proxy

Module http-proxy is optionally taking the page to authenticate at.

Default is http://www.microsoft.com/)

Basic, DIGEST-MD5 and NTLM are supported and negotiated automatically.

http-proxy-urlenum

Module http-proxy-urlenum only uses the -L option, not -x or -p/-P option. The -L loginfile must contain the URL list to try through the proxy. The proxy credentials cann be put as the optional parameter, e.g.

imap, imaps

Module imap is optionally taking one authentication type of: CLEAR or APOP (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1, CRAM-SHA256, DIGEST-MD5, NTLM

Additionally TLS encryption via STARTTLS can be enforced with the TLS option.

Example: imap://target/TLS:PLAIN

irc

Module irc is optionally taking the general server password, if the server is requiring one and none is passed the password from -p/-P will be used

ldap2, ldap2s, ldap3, ldap3s, ldap3-crammd5, ldap3-crammd5s, ldap3-digestmd5, ldap3-digestmd5s

Module ldap2 is optionally taking the DN (depending of the auth method choosed

Note: you can also specify the DN as login when Simple auth method is used).

The keyword '^USER^' is replaced with the login.

Special notes for Simple method has 3 operation modes: anonymous, (no user no pass), unauthenticated (user but no pass), user/pass authenticated (user and pass).

So don't forget to set empty string as user/pass to test all modes.

Hint: to authenticate to a windows active directy ldap, this is usually cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com

mysql

Module mysql is optionally taking the database to attack, default is 'mysql'

nntp

Module nntp is optionally taking one authentication type of: USER (default), LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, NTLM

oracle-listener

Hydra

Module oracle-listener / tns is optionally taking the mode the password is stored as, could be PLAIN (default) or CLEAR

pop3, pop3s

Module pop3 is optionally taking one authentication type of: CLEAR (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1, CRAM-SHA256, DIGEST-MD5, NTLM.

Additionally TLS encryption via STLS can be enforced with the TLS option.

Example: pop3://target/TLS:PLAIN

postgres

Module postgres is optionally taking the database to attack, default is 'template1'

rdp

Module rdp is optionally taking the windows domain name.

For example:

s7-300

Module S7-300 is for a special Siemens PLC. It either requires only a password or no authentication, so just use the -p or -P option.

Tool

smb

Module smb default value is set to test both local and domain account, using a simple password with NTLM dialect.

Note: you can set the group type using LOCAL or DOMAIN keyword or other_domain:{value} to specify a trusted domain.

You can set the password type using HASH or MACHINE keyword (to use the Machine's NetBIOS name as the password).

You can set the dialect using NTLMV2, NTLM, LMV2, LM keyword.

Example:

smtp, smtps

Module smtp is optionally taking one authentication type of: LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, NTLM

Additionally TLS encryption via STARTTLS can be enforced with the TLS option.

Example: smtp://target/TLS:PLAIN

smtp-enum

Module smtp-enum is optionally taking one SMTP command of: VRFY (default), EXPN, RCPT (which will connect using 'root' account) login parameter is used as username and password parameter as the domain name

For example to test if john@localhost exists on 192.168.0.1:

snmp

Module snmp is optionally taking the following parameters:

To combine the options, use colons (':'), e.g.:

sshkey

Module sshkey does not provide additional options, although the semantic for options -p and -P is changed:

  • -p expects a path to an unencrypted private key in PEM format.
  • -P expects a filename containing a list of path to some unencrypted private keys in PEM format.

svn

Module svn is optionally taking the repository name to attack, default is 'trunk'

telnet, telnets

Module telnet is optionally taking the string which is displayed after a successful login (case insensitive), use if the default in the telnet module produces too many false positives

xmpp

Module xmpp is optionally taking one authentication type of: LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1

Note, the target passed should be a fdqn as the value is used in the Jabber init request, example: hermes.jabber.org

Hydra Usage Example

Attempt to login as the root user (-l root) using a password list (-P /usr/share/wordlists/metasploit/unix_passwords.txt) with 6 threads (-t 6) on the given SSH server (ssh://192.168.1.123):

Attempt to login as the user (-l user) using a password list (-P passlist.txt) on the given FTP server (ftp://192.168.0.1):

Hydra Tool Linux

Attempt to login on the given SSH servers (ssh) from the list (-M targets.txt) using a user list (-L logins.txt) and password list (-P pws.txt):

Attempt to login on the given FTP servers on the given subnet (ftp://[192.168.0.0/24]/) as the user admin (-l admin) and the password password (-p password):

Attempt to login on the given mail server (imap://192.168.0.1/), using IMAP protocol with a user list (-L userlist.txt) and the password defaultpw (-p defaultpw), taking the authentication type PLAIN:

Attempt to login on the given mail server using POP3S on the given IPv6 (-6) address 2001:db8::1, on port 143 using the credential list 'login:password' from the defaults.txt file (-C defaults.txt) taking the authentication type DIGEST-MD5 and enforced TLS encryption via STLS (TLS).

xHydra (GUI for THC-Hydra)

xhydra is Gtk+2 frontend for thc-hydra.

To start xHydra GUI issue:

Tools included in the hydra package

  • hydra – Very fast network logon cracker
  • pw-inspector – Reads passwords in and prints those which meet the requirements

Help pw-inspector

PW-Inspector reads passwords in and prints those which meet the requirements. The return code is the number of valid passwords found, 0 if none was found. Use for security: check passwords, if 0 is returned, reject password choice.

Use for hacking: trim your dictionary file to the pw requirements of the target.

Syntax:

How to install Hydra

The program is pre-installed on Kali Linux.

Installation on Linux (Debian, Mint, Ubuntu)

Hydra Screenshots

Hydra Tutorials

Coming soon…

Related tools

  • patator (97.3%)
  • oclHashcat (52.9%)
  • hashcat (Hashcat & oclHashcat) (52.9%)
  • Medusa (52.9%)
  • John the Ripper (52.9%)
  • CUPP (RANDOM - 50.9%)

Recommended for you:

Hydra Description

A very fast network logon cracker which support many different services.

Currently this tool supports the following protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Homepage: https://www.thc.org/thc-hydra/

Author: Van Hauser, Roland Kessler

License: AGPL-3.0

Hydra Help

Syntax:

Options:

Hydra bruteforce password generation option usage:

Examples:

Hydra Supported Protocols

Supported protocols:

  • asterisk
  • afp
  • cisco
  • cisco-enable
  • cvs
  • firebird
  • ftp
  • ftps
  • http-head
  • https-head
  • http-get
  • https-get
  • http-post
  • https-post
  • http-get-form
  • https-get-form
  • http-post-form
  • https-post-form
  • http-proxy
  • http-proxy-urlenum
  • icq
  • imap
  • imaps
  • irc
  • ldap2
  • ldap2s
  • ldap3
  • ldap3s
  • ldap3-crammd5
  • ldap3-crammd5s
  • ldap3-digestmd5
  • ldap3-digestmd5s
  • mssql
  • mysql
  • nntp
  • oracle-listener
  • oracle-sid
  • pcanywhere
  • pcnfs
  • pop3
  • pop3s
  • postgres
  • rdp
  • redis
  • rexec
  • rlogin
  • rsh
  • rtsp
  • s7-300
  • sip
  • smb
  • smtp
  • smtps
  • smtp-enum
  • snmp
  • socks5
  • ssh
  • sshkey
  • svn
  • teamspeak
  • telnet
  • telnets
  • vmauthd
  • vnc
  • xmpp

Options of Hydra Supported protocols

cisco

Module cisco is optionally taking the keyword ENTER, it then sends an initial ENTER when connecting to the service.

cisco-enable

Module cisco-enable is optionally taking the logon password for the cisco device

Note: if AAA authentication is used, use the -l option for the username and the optional parameter for the password of the user.

Examples:

cvs

Module cvs is optionally taking the repository name to attack, default is '/root'

firebird

Module firebird is optionally taking the database path to attack, default is 'C:Program FilesFirebirdFirebird_1_5security.fdb'

http-get, https-get, http-post, https-post

Module http-get requires the page to authenticate.

For example: '/secret' or 'http://bla.com/foo/bar' or 'https://test.com:8080/members'

http-get-form, https-get-form, http-post-form, https-post-form

Module http-get-form requires the page and the parameters for the web form.

By default this module is configured to follow a maximum of 5 redirections in a row. It always gathers a new cookie from the same URL without variables The parameters take three ':' separated values, plus optional values.

(Note: if you need a colon in the option string as value, escape it with ':', but do not escape a ' with '.)

Hydra Tool

Syntax:

  • First is the page on the server to GET or POST to (URL).
  • Second is the POST/GET variables (taken from either the browser, proxy, etc. with usernames and passwords being replaced in the '^USER^' and '^PASS^' placeholders (FORM PARAMETERS)
  • Third is the string that it checks for an *invalid* login (by default). Invalid condition login check can be preceded by 'F=', successful condition login check must be preceded by 'S='. This is where most people get it wrong. You have to check the webapp what a failed string looks like and put it in this parameter!

Hydra Tool Update

The following parameters are optional:

C=/page/uri

to define a different page to gather initial cookies from

(h|H)=My-Hdr: foo

to send a user defined HTTP header with each request

^USER^ and ^PASS^ can also be put into these headers!

Note: 'h' will add the user-defined header at the end regardless it's already being sent by Hydra or not.

'H' will replace the value of that header if it exists, by the one supplied by the user, or add the header at the end.

Note that if you are going to put colons (:) in your headers you should escape them with a backslash (). All colons that are not option separators should be escaped (see the examples above and below).

You can specify a header without escaping the colons, but that way you will not be able to put colons in the header value itself, as they will be interpreted by hydra as option separators.

Examples:

http-proxy

Module http-proxy is optionally taking the page to authenticate at.

Default is http://www.microsoft.com/)

Basic, DIGEST-MD5 and NTLM are supported and negotiated automatically.

http-proxy-urlenum

Module http-proxy-urlenum only uses the -L option, not -x or -p/-P option. The -L loginfile must contain the URL list to try through the proxy. The proxy credentials cann be put as the optional parameter, e.g.

imap, imaps

Module imap is optionally taking one authentication type of: CLEAR or APOP (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1, CRAM-SHA256, DIGEST-MD5, NTLM

Additionally TLS encryption via STARTTLS can be enforced with the TLS option.

Example: imap://target/TLS:PLAIN

irc

Module irc is optionally taking the general server password, if the server is requiring one and none is passed the password from -p/-P will be used

ldap2, ldap2s, ldap3, ldap3s, ldap3-crammd5, ldap3-crammd5s, ldap3-digestmd5, ldap3-digestmd5s

Module ldap2 is optionally taking the DN (depending of the auth method choosed

Note: you can also specify the DN as login when Simple auth method is used).

The keyword '^USER^' is replaced with the login.

Special notes for Simple method has 3 operation modes: anonymous, (no user no pass), unauthenticated (user but no pass), user/pass authenticated (user and pass).

So don't forget to set empty string as user/pass to test all modes.

Hint: to authenticate to a windows active directy ldap, this is usually cn=^USER^,cn=users,dc=foo,dc=bar,dc=com for domain foo.bar.com

mysql

Module mysql is optionally taking the database to attack, default is 'mysql'

nntp

Module nntp is optionally taking one authentication type of: USER (default), LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, NTLM

oracle-listener

Module oracle-listener / tns is optionally taking the mode the password is stored as, could be PLAIN (default) or CLEAR

pop3, pop3s

Module pop3 is optionally taking one authentication type of: CLEAR (default), LOGIN, PLAIN, CRAM-MD5, CRAM-SHA1, CRAM-SHA256, DIGEST-MD5, NTLM.

Additionally TLS encryption via STLS can be enforced with the TLS option.

Example: pop3://target/TLS:PLAIN

Hydra tool crack without dongle

postgres

Module postgres is optionally taking the database to attack, default is 'template1'

rdp

Module rdp is optionally taking the windows domain name.

For example:

s7-300

Module S7-300 is for a special Siemens PLC. It either requires only a password or no authentication, so just use the -p or -P option.

smb

Module smb default value is set to test both local and domain account, using a simple password with NTLM dialect.

Note: you can set the group type using LOCAL or DOMAIN keyword or other_domain:{value} to specify a trusted domain.

You can set the password type using HASH or MACHINE keyword (to use the Machine's NetBIOS name as the password).

You can set the dialect using NTLMV2, NTLM, LMV2, LM keyword.

Example:

smtp, smtps

Module smtp is optionally taking one authentication type of: LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, NTLM

Additionally TLS encryption via STARTTLS can be enforced with the TLS option.

Example: smtp://target/TLS:PLAIN

smtp-enum

Module smtp-enum is optionally taking one SMTP command of: VRFY (default), EXPN, RCPT (which will connect using 'root' account) login parameter is used as username and password parameter as the domain name

For example to test if john@localhost exists on 192.168.0.1:

snmp

Module snmp is optionally taking the following parameters:

To combine the options, use colons (':'), e.g.:

sshkey

Module sshkey does not provide additional options, although the semantic for options -p and -P is changed:

  • -p expects a path to an unencrypted private key in PEM format.
  • -P expects a filename containing a list of path to some unencrypted private keys in PEM format.

svn

Module svn is optionally taking the repository name to attack, default is 'trunk'

telnet, telnets

Module telnet is optionally taking the string which is displayed after a successful login (case insensitive), use if the default in the telnet module produces too many false positives

xmpp

Module xmpp is optionally taking one authentication type of: LOGIN (default), PLAIN, CRAM-MD5, DIGEST-MD5, SCRAM-SHA1

Note, the target passed should be a fdqn as the value is used in the Jabber init request, example: hermes.jabber.org

Hydra Usage Example

Attempt to login as the root user (-l root) using a password list (-P /usr/share/wordlists/metasploit/unix_passwords.txt) with 6 threads (-t 6) on the given SSH server (ssh://192.168.1.123):

Attempt to login as the user (-l user) using a password list (-P passlist.txt) on the given FTP server (ftp://192.168.0.1):

Attempt to login on the given SSH servers (ssh) from the list (-M targets.txt) using a user list (-L logins.txt) and password list (-P pws.txt):

Attempt to login on the given FTP servers on the given subnet (ftp://[192.168.0.0/24]/) as the user admin (-l admin) and the password password (-p password):

Attempt to login on the given mail server (imap://192.168.0.1/), using IMAP protocol with a user list (-L userlist.txt) and the password defaultpw (-p defaultpw), taking the authentication type PLAIN:

Attempt to login on the given mail server using POP3S on the given IPv6 (-6) address 2001:db8::1, on port 143 using the credential list 'login:password' from the defaults.txt file (-C defaults.txt) taking the authentication type DIGEST-MD5 and enforced TLS encryption via STLS (TLS).

xHydra (GUI for THC-Hydra)

xhydra is Gtk+2 frontend for thc-hydra.

To start xHydra GUI issue:

Hydra Tool

Tools included in the hydra package

  • hydra – Very fast network logon cracker
  • pw-inspector – Reads passwords in and prints those which meet the requirements

Help pw-inspector

PW-Inspector reads passwords in and prints those which meet the requirements. The return code is the number of valid passwords found, 0 if none was found. Use for security: check passwords, if 0 is returned, reject password choice.

Use for hacking: trim your dictionary file to the pw requirements of the target.

Syntax:

How to install Hydra

The program is pre-installed on Kali Linux.

Installation on Linux (Debian, Mint, Ubuntu)

Hydrapools.com

Hydra Screenshots

Hydra Tutorials

Coming soon…

Related tools

Hydra Tool Company

  • patator (97.3%)
  • oclHashcat (52.9%)
  • hashcat (Hashcat & oclHashcat) (52.9%)
  • Medusa (52.9%)
  • John the Ripper (52.9%)
  • CUPP (RANDOM - 50.9%)

Recommended for you: