So you are here for a reason and want to learn how to audit a system exposed online. After detecting systems and services with passive fingerprinting (Shodan, Censys) or active fingerprinting with nmap, and after discovering interesting paths, automated password testing of the system may be the next step to consider.
Hydra is a well-known tool that can help a lot with this. But why, and what is it intended for?
Hydra is a powerful brute-forcing tool that supports multiple protocols and brute-force attacks. It is used in pentesting to test login security, since it supports many services, including SSH, RDP, FTP, MySQL and more. If you have Kali Linux, there is nothing to install: just keep reading.
To get an idea of its power, let's go through the features from the help itself:
$ hydra -help
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]
...
Supported services: adam6500 asterisk cisco cisco-enable cobaltstrike cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
..
So yes. You discover an SSH, FTP, RDP, MongoDB or MySQL service in a pentest? Then you have a tool to start brute-forcing it. That is also why a server or VPS you expose to the internet receives such a flood of incoming connections trying to log in as root or admin almost immediately: tools like this make it really easy to get started, even for script kiddies like us.
So, let's see how this works with examples from the same help:
Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
Interesting points on candidate username-password pairs:
- So you have identified that "root" is a good candidate username to test? Try it with "-l root".
- So wait, you think it would be nice to try "root", "admin" and "user"? Add them to a "userlist.txt", one per line, replace "-l" with the capitalized "-L" and append the user list file.
- The same applies to passwords: "-p admin1234" or "-P mypasswordlist.txt".
An interesting point here: many services will lock an account if several passwords are tested against it. That is noisy and may end in several locked accounts... But what about enumerating 10k corporate users of ACME & Co. and testing a single password such as ACME2025 against each of them (password spraying)? Hydra makes it really easy to try this:
hydra -L enumerated_users.txt -p ACME2025 ftp://ftp.acmecompany.com
Unfortunately, latency may be an issue here. However, you have the option of adding parallelism with a single parameter: -t followed by the number of parallel tasks (threads). Note that if this is set too high you can turn your brute-forcing test into a DoS (lmao) of the target server and of your own client... Up to you to choose.
As a side tip, note that Hydra sends requests directly from your VM or system. If you need anonymity you SHOULD consider using a third-party proxy or Tor. But that will come in another post.
Final open question: HTTP POST requests add extra difficulty because the attacker has to identify the username and password fields and take additional configuration steps to tell error from success. Can you share specific Hydra commands that have worked for you?
Hope this is useful for anyone out there!
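The defender's side of the spraying and brute-forcing runs above, as an added example that is not part of the original post: a small Python detector over constructed auth.log-style sshd lines that separates a single-password spray across many users (the "-L users -p onepassword" run) from a classic one-user brute force (the "-l root -P wordlist" run). The log lines, the 60-second window and the 4-attempt threshold are assumptions for the sake of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log-style sshd lines (sample data, not real traffic): 203.0.113.5 sprays
# one password over many users, 198.51.100.9 hammers root, 192.0.2.77 is a legitimate user.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 10 12:00:02 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar 10 12:00:02 host sshd[103]: Failed password for invalid user user from 203.0.113.5 port 40003 ssh2
Mar 10 12:00:03 host sshd[104]: Failed password for invalid user deploy from 203.0.113.5 port 40004 ssh2
Mar 10 12:00:20 host sshd[105]: Failed password for root from 198.51.100.9 port 50001 ssh2
Mar 10 12:00:21 host sshd[106]: Failed password for root from 198.51.100.9 port 50002 ssh2
Mar 10 12:00:22 host sshd[107]: Failed password for root from 198.51.100.9 port 50003 ssh2
Mar 10 12:00:23 host sshd[108]: Failed password for root from 198.51.100.9 port 50004 ssh2
Mar 10 12:05:00 host sshd[109]: Failed password for alice from 192.0.2.77 port 60001 ssh2
Mar 10 12:05:30 host sshd[110]: Accepted password for alice from 192.0.2.77 port 60002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2025):
    """Yield (timestamp, user, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog lines carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def classify_sources(log_text, window_s=60, min_attempts=4):
    """Per source IP, report 'spray' (mostly distinct users in a burst) or
    'bruteforce' (the same few users hit repeatedly). Thresholds are assumed."""
    events = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        events[ip].append((ts, user))
    verdicts = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            burst = [u for t, u in evs[i:] if (t - start).total_seconds() <= window_s]
            if len(burst) < min_attempts:
                continue
            many_users = len(set(burst)) * 2 > len(burst)
            verdicts[ip] = "spray" if many_users else "bruteforce"
            break  # the first qualifying burst is enough to raise an alert
    return verdicts
```

A high -t value shows up in these logs as a tight burst of attempts per second from one source, so the same window logic also catches the parallelised runs described above.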