Security

How to install and use THC Hydra?

Passwords are the weakest links. If someone gets ahold of your password, it’s game over! As such, passwords are the most important security weaknesses. There are many tools that allow you to attempt username:password combinations throughout, however, none of them are as potent as THC Hydra. This is because it’s both rapid and offers a large number of protocols to brute force. In fact, it can deal with about 55 different protocols. Moreover, there are two versions of THC Hydra: a GUI version and a CLI version.

Installing THC Hydra

Download THC hydra from https://github.com/vanhauser-thc/thc-hydra.

Once downloaded, extract the files, and execute the following:

cd thc-hydra-master/
./configure
make
make install

If you’re using Ubuntu/Debian, type the following as well:

apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \
                libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \
                firebird-dev libmemcached-dev libgpg-error-dev \
                libgcrypt11-dev libgcrypt20-dev

CLI Usage

Here, we examine how to use hydra with common protocols.

SSH/FTP/RDP/TELNET/MYSQL

One must remember that Hydra can deal with approximately 55 different protocols. These are but a few examples of the most dealt-with protocols, such as ssh, ftp, rdp, telnet, and mysql. However, the same principle applies to the remaining protocols.

In order to get Hydra to work with a protocol, you’ll need either a username (-l) or a list of usernames (-L), a list of passwords (a password file), and the target IP address associated with the protocol. You can add further parameters if you wish. For example, -V for verbosity.

hydra -l <username> -P <password> <protocol>://<ip>

Alternatively, you can also format it as follows:

hydra -l <username> -P <password file> -s <port> -V <ip> <protocol>

-l or -L: username or list of usernames to attempt
-P: password list
-s: port
-V: verbose
<protocol>: ftp/rdp/ssh/telnet/mysql/etc…
<ip>: ip address

For example, for FTP:

hydra -V -f -l <username> -P <password> ftp://&lt;ip>

Or

hydra -l <username> -P <password file> -s 21 -V &lt;ip> ftp

HTTP-GET-FORM

Depending on the type of request, GET or POST, you can use either http-get-form or http-post-form. Under the inspect element, you can figure out whether the page is a GET or POST. You can then use the http-get-form when attempting to find the password to a username:password combination on the web (for instance, a website).

hydra -l <username> -P <password> -V -f <ip> http-get-form “a:b:c:d”

-l or -L: username or list of usernames to attempt
-P: password list
-f : stop when the password is found
-V: verbose
a: login page
b: username/password combination
c: error message received if login fails
d: H=session cookie

For example, suppose we wish to hack DVWA (Damn Vulnerable Web Application). Once online using apache2, it should be at your local IP. In my case, it’s at http://10.0.2.15.

So, the:
<ip>: 10.0.2.15
a: /vulnerabilities/brute/

Next, we need b and c. So, let’s try to login with fake credentials (anything here will do). The site displays this message: “Username or password incorrect.” Therefore, we will use the message c:

c: username or password incorrect

So, b will be as follows:

b: username=^USER^&password=^PASS^&Login=Login#

Replace the credentials inputted with ^USER^ and ^PASS^. If this was a POST request, you would find this information under the inspect element > Request tab.

Next, under inspect element, copy the cookie. This will be d:

d: H=Cookie:PHPSESSID=3046g4jmq4i504ai0gnvsv0ri2;security=low

So, for example:

hydra -l admin -P /home/kalyani/rockyou.txt -V -f 10.0.2.15 http-get-form<br /><span style="color: #0000ff" data-darkreader-inline>/vulnerabilities/</span>brute/:username=^USER^&password=^PASS^&Login=Login<br />#:username or password incorrect:<br /> H=Cookie:PHPSESSID=3046g4jmq4i504ai0gnvsv0ri2;security=low”

When you run this, and if the password is in the list, then it will find it for you.

However, if this proves to be too much work for you, no need to stress out because there’s a GUI version as well. It is a lot simpler than the CLI version. The GUI version of THC hydra is called Hydra GTK.

Installing Hydra GTK

In Ubuntu, you can simply install Hydra GTK using the following command:

sudo apt-get install hydra-gtk -y

Once installed, you will need the following:

  1. A target or list of targets: This is the IP address of the protocol you wish to attack
  2. Port number: the port number associated with the protocol
  3. Protocol: ssh, ftp, mysql, etc…
  4. Username: either input a username or a list of usernames
  5. Password or Password list

Depending on whether you want to hack one or multiple targets, you can either input one or many targets into the target box. Suppose you’re attacking a single target, an SSH, located at 999.999.999.999 (a fake IP address, obviously). In the target box, you’d put 999.999.999.999, and in the port section, you’d put 22. Under the protocol, you’d put SSH. It would be advisable to tick the “be verbose” and the “show attempts” boxes as well. The “be verbose” box is equivalent to -v in THC Hydra, while the “show attempts” box is equivalent to -V in THC Hydra. The plus point about Hydra is that it can deal with a large number of protocols.

In the next tab, input the username you desire or a list of usernames (the location of the list of usernames in this case). For instance, in the “username list”, I would put “/home/kalyani/usernamelist.txt”. The same is true for passwords. The location of the password file is inputted in the box called “password list”. Once these have been filled in, the rest is easy. You can leave the tuning and specific tabs as is and click on the start button under the start tab.

Hydra GTK is a lot easier to use than THC Hydra, even though they are the same thing. Whether you use THC Hydra or Hydra GTK, both are great tools to crack passwords. The problem typically encountered will come in the form of the password list used. You can obviously use other programs such as crunch and wordlist generators to tailor your password list to your liking. However, if you can also tailor the password list to your use, Hydra can become a very powerful ally.

Happy Hacking!

About the author

Kalyani Rajalingham

Kalyani Rajalingham

I'm a linux and code lover.