Hydra-GTK Online Attack

Online Password Bruteforce with Hydra-GTK

Hydra(better known as “thc-hydra”) is an online password attack tool. It brute forces various combinations on live services like telnet, ssh, http, https, smb, snmp, smtp etc. Hydra supports 30+ protocols including their SSL enabled ones. It brute forces on services we specify by using user-lists & wordlists. Hydra works in 4 modes:

  • One username & one password
  • User-list & One password
  • One username & Password list
  • User-list & Password list

Pentesters use this tool to test/audit the password complexity of live services mostly where direct sniffing is not possible. We discuss th gui of the tool in the following tutorial. In future the command line mode will be discussed.

Hydra Homepage : https://www.thc.org/thc-hydra/

Options

You can open xHydra from the Kali linux menu or terminal.

hydra
Target Settings

Target- Settings of various target oprions

Passwords – Specify password options & wordlists

Tuning – Secify how fast should hydra work. Other timing options are also available.

Specific – For testing on specific targets like a domain, https proxy etc.

Start – Start/Stop & shows the output.

Lab 1 :Breaking an ssh with wordlist attack

In this lab we try to break an ssh authentication on a remote has who has IP address 192.168.0.103. Here we do a wordlist attack by using a wordlist containing most common passwords to break into the root account.

Step 1: Open Hydra

Step 2: Set Target & protocol in the target tab.<here 192.168.0.103><use your target>

hydra
Setting the Target

Step 3: Set the username as root & specify the location for a wordlist in passwords tab.

Note: Kali linux comes with built in wordlists. Search them using command: locate *.lst in terminal.

command: locate *.lst

Other wide range of wordlist ranging upto 3GB or more are available in the internet. Just goole for 5 minutes.

hydra
Setting Password Options

Step 4: Set no of tasks to 1 in tuning tab scince this will reduce congestion & chance of detection. But takes longer to complete. This is also necessary to mitigate account lockout duration.

hydra
Tuning Options

Step 5: Start the hydra from Start tab.

hydra
Starting the Attack

Step 6: Scrooll Down & Wait until the password gets cracked

hydra
Password Loggged in UI of Hydra
Facebook Comments

4 thoughts on “Hydra-GTK Online Attack

  • April 8, 2016 at 10:59 pm
    Permalink

    im using it for smtp. It gives me a password after completion. What should i do with that? i tried to open with that password but showing that is not correct. what else to do with that?

    Reply
    • April 10, 2016 at 3:36 pm
      Permalink

      try configuring outlook or thunderbird with corresponding username & this password. Use the smtp server you attacked as your mail server. Try it.

      Reply
  • February 6, 2016 at 9:21 pm
    Permalink

    do we need staci ip for the this attack

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: