A simple Hydra SSH example Here is a simple example of running a Hydra attack against an SSH server. hydra 192.168.1.26 ssh2 -s 22 -P pass.txt -L users.txt -e ns -t 10 This will attack the system 192.1.68.1.26, on port 22 with the SSH protocol, 10 threads at a time, and try all the combinations of usernames and passwords supplied in the files user.txt and pass.txt (+ empty passwords and passwords the same as the username) Web-based login forms prerequisites You need to know: The hostname/IP and URL Whether it is a HTTPS or HTTP service Whether the form supports GET or POST (or both) The parameters of the request The difference in response between success and failure Whether any session cookies are required to be set or maintained What lockout features and thresholds are enabled (if any) For the parameters of the request, you can intercept and examine a normal login attempt with a web proxy (such as owasp-zap, webscarab or burpsuite) or use a browser plugin (such as tamperdata) or just look at the HTML form. An example attack http://192.168.1.69/w3af/bruteforce/form_login/ The important parts of the HTML form are:
Username: Password: If we put in one wrong username and password combination we get: Bad login, stop bruteforcing me!Bad u/p combination for user: a So, now we have the information we need to attack this login form, we can use this info to construct a Hydra brute-force attack as follows: hydra 192.168.1.69 http-form-post "/w3af/bruteforce/form_login/dataReceptor.php:user=^USER^&pass=^PASS^:Bad login" -L users.txt -P pass.txt -t 10 -w 30 -o hydra-http-post-attack.txt If we break this up Host = 192.168.1.69 Method = http-form-post URL = /w3af/bruteforce/form_login/dataReceptor.php Form parameters = user=^USER^&pass=^PASS^ Failure response = Bad login Users file = users.txt Password file = pass.txt Threads = -t 10 Wait for timeout = -w 30 Output file = -o hydra-http-post-attack.txt Other examples HTTPS forms can be brute-forced in exactly the same way by changing the method to "https-form-post". Similarly there are the GET equivalents, of "http-get-form" and "https-get-form", though this type of method is really not recommended for web-based login forms (due to confidential information being passed in the URL, which can appear in proxy-logs, and browser history). Some forms do exist out there that use this. Sometimes you need to look for text that appears meaning "success" rather than the absence of text meaning "failure". This can be done if you put "S=" in front of the failure string variable, it becomes a success string check, for example "/login.php:user=^USER^&pass=^PASS^:S=successful" Remember that the "failure" or "success" string does not have to be part of the HTML of the page. These strings could be information in the response headers, such as cookies being set, or locations of redirects. There are flexible options for dealing with pretty much any type of response, as long as it is repeatable, and there are distinct differences between success and failure. Other more complex examples may be where you need to specify particular header values, or use an additional page to obtain set browser cookies before the form is submitted. These can be done by adding the additional parameters "C=" and "H=" on the end: "/foo.php:user=^USER^&pass=^PASS^:S=success:C=/page/cookie:H=X-Foo: Foo"