LabEx
Log InJoin Free

Generate Passwords with Hydra Brute-Force

HydraBeginner
Practice Now

Introduction

In this lab, you will learn how to use Hydra to generate passwords for brute-force attacks using various password generation techniques. You will focus on using Hydra's -x option to create passwords based on different criteria such as length, character sets, and common password patterns.

The lab will guide you through multiple password generation scenarios including basic character sets, mixed character combinations, numeric patterns, and real-world password structures. You will target a dummy FTP server on localhost to practice these techniques and learn how to analyze the output of brute-force attacks effectively.

Generate Passwords with -x Option

In this step, you will learn how to use the -x option in Hydra to generate passwords based on a specified format. This is useful when you have some information about the potential password structure, such as a known length range or character set.

Hydra's -x option allows you to define a minimum and maximum length for the generated passwords, along with a character set to use. The syntax is -x min:max:charset.

Let's start with a simple example. You will generate passwords that are between 6 and 8 characters long, using only lowercase letters.

First, ensure you are in the ~/project directory. This is the default directory when you start the lab.

cd ~/project

Now, you will use Hydra to generate passwords. For demonstration purposes, you will target SSH service on localhost. This will allow you to see the password generation without actually performing a successful attack (since we're using a non-existent user).

Execute the following command in the terminal:

hydra -l testuser -vV -x 3:5:a-z localhost ssh

Let's break down this command:

  • hydra: The command to execute the Hydra tool.
  • -l testuser: Specifies the username to use. You are using "testuser" here as a placeholder (this user likely doesn't exist).
  • -vV: Enables verbose output, showing each attempt.
  • -x 3:5:a-z: This is the key part. It tells Hydra to generate passwords with:
    • 3: Minimum length of 3 characters.
    • 5: Maximum length of 5 characters.
    • a-z: Use only lowercase letters (a-z). Other options include A-Z (uppercase), 0-9 (digits), and you can combine them, e.g., a-zA-Z0-9 for lowercase, uppercase, and digits.
  • localhost: The target host.
  • ssh: The SSH service to target.

You will see Hydra attempting connections with generated passwords like "aaa", "aaaa", "aaaaa", "aab", and so on. When using the -x option, Hydra automatically generates passwords based on the specified criteria.

Note: The combination count for 3-5 character passwords using lowercase letters is manageable: 26³ + 26⁴ + 26⁵ = 17,576 + 456,976 + 11,881,376 ≈ 12.4 million combinations, which is within Hydra's limits.

Important: Use Ctrl+C to stop the attack, because it will take a long time to complete.

The output will show the generated passwords as Hydra attempts to connect to the SSH service.

Hydra v[...] (c) 2023 by van Hauser / THCO
...
[ATTEMPT] target 127.0.0.1 - login "testuser" - pass "aaa" - 1 of 1 [child 0] (0/0)
[ATTEMPT] target 127.0.0.1 - login "testuser" - pass "aaaa" - 1 of 1 [child 0] (0/0)
[ATTEMPT] target 127.0.0.1 - login "testuser" - pass "aaaaa" - 1 of 1 [child 0] (0/0)
[ATTEMPT] target 127.0.0.1 - login "testuser" - pass "aab" - 1 of 1 [child 0] (0/0)
...

Important: Password Combination Limits

When using Hydra's -x option, it's crucial to consider the total number of password combinations that will be generated. Hydra has a built-in limit of 4 billion passwords to prevent impractical brute-force attempts.

Here are some examples of combination counts:

  • 3-5 chars, lowercase only (a-z): ~12.4 million combinations ✓
  • 4-6 chars, lowercase only (a-z): ~321 million combinations ✓
  • 6-8 chars, lowercase only (a-z): ~217 billion combinations ✗ (exceeds limit)
  • 4-6 chars, alphanumeric (a-zA-Z0-9): ~57 billion combinations ✗ (exceeds limit)

Always calculate the combination count before running: charset_size^min_length + ... + charset_size^max_length

Attack FTP with Generated Passwords

In this step, you will use the password generation capabilities of Hydra to attack a dummy FTP server. You will use a password list generated "on-the-fly" with the -x option.

First, you need to set up a simple FTP server for testing. You will use python3-pyftpdlib, which is a lightweight FTP server library for Python.

Install python3-pyftpdlib if it is not already installed:

sudo apt update
sudo apt install -y python3-pyftpdlib

Start the FTP server in the background on port 2121, serving files from the ~/project directory. The -w option allows write access.

nohup python3 -m pyftpdlib -p 2121 -w -u testuser -P secret ~/project > /dev/null 2>&1 &

The nohup ... & part runs the command in the background and prevents it from stopping if you close the terminal. > /dev/null 2>&1 redirects standard output and standard error to /dev/null, keeping your terminal clean. The -u testuser -P secret options set up an user with password "secret" that can access the server.

Now, you will use Hydra to attack this FTP server. You will use the -x option to generate passwords and attempt to log in as the user "testuser".

Execute the following command in the terminal:

hydra -l testuser -vV -x 4:6:a-z 127.0.0.1 ftp -s 2121

Let's break down this command:

  • hydra: The Hydra command-line tool.
  • -l testuser: Specifies the username to use: "testuser".
  • -vV: Enables verbose output, showing each login attempt.
  • -x 4:6:a-z: This tells Hydra to generate passwords with:
    • 4: Minimum length of 4 characters.
    • 6: Maximum length of 6 characters.
    • a-z: Use only lowercase letters (a-z).
  • 127.0.0.1: The target host (localhost). You use 127.0.0.1 instead of localhost to avoid potential DNS resolution issues within the container.
  • ftp: The service to attack (FTP).
  • -s 2121: Specifies the port number. You are targeting the FTP server running on port 2121.

You should see Hydra attempting logins with generated passwords. Since the FTP server is configured with specific credentials (username: testuser, password: secret), Hydra will find the correct password when it generates "secret" during its brute-force attempts.

Important: Use Ctrl+C to stop the attack, because it will take a long time to complete.

The output will show the login attempts and eventually a successful login message.

Hydra v[...] (c) 2023 by van Hauser / THCO
...
[ATTEMPT]  target 127.0.0.1:2121 service ftp on device eth0 - login testuser password aaaa
[ATTEMPT]  target 127.0.0.1:2121 service ftp on device eth0 - login testuser password aaab
...
[2121][ftp] host: 127.0.0.1   login: testuser   password: secret

Now, let's try a slightly more complex example, combining lowercase letters and digits:

hydra -l testuser -vV -x 3:5:a-z0-9 127.0.0.1 ftp -s 2121

This will generate passwords like "aaa", "aab", "aac", and so on, systematically going through all 3-character combinations first, then 4-character combinations, and finally 5-character combinations. Observe the output to see the generated passwords and the successful login.

Hydra v[...] (c) 2023 by van Hauser / THCO
...
[ATTEMPT]  target 127.0.0.1:2121 service ftp on device eth0 - login testuser password aaa
[ATTEMPT]  target 127.0.0.1:2121 service ftp on device eth0 - login testuser password aab
...
[2121][ftp] host: 127.0.0.1   login: testuser   password: secret

This step demonstrated how to use Hydra with the -x option to generate passwords and attack an FTP server. Remember to use these techniques responsibly and ethically.

Mixed Case Password Generation

In this step, you will learn how to generate passwords using both uppercase and lowercase letters. This is a common password pattern that many users employ, making it an effective brute-force strategy.

Many users create passwords with mixed case letters to meet password complexity requirements. Understanding this pattern can significantly improve your brute-force success rate.

Ensure you are in the ~/project directory and that your FTP server is still running:

cd ~/project

Let's generate passwords using mixed case letters. Execute the following command:

hydra -l testuser -vV -x 3:4:a-zA-Z 127.0.0.1 ftp -s 2121

This command generates passwords using:

  • a-z: lowercase letters (a-z)
  • A-Z: uppercase letters (A-Z)

You'll see passwords like "aaa", "Aaa", "aAa", "AAa", "aaA", "AaA", "aAA", "AAA", "aab", "Aab", etc. Notice how Hydra systematically combines uppercase and lowercase letters.

Let's try the 3-4 character range to see the pattern more clearly:

hydra -l testuser -vV -x 3:4:a-zA-Z 127.0.0.1 ftp -s 2121

This will generate 3-4 character passwords with mixed case. You can observe how the combinations progress:

  • 3 characters: "aaa", "Aaa", "aAa", "AAa", "aaA", "AaA", "aAA", "AAA", "aab", "Aab", etc.
  • 4 characters: "aaaa", "Aaaa", "aAaa", "AAaa", "aaaA", "AaaA", "aAaA", "AAaA", etc.

Understanding the Pattern:

Mixed case password generation follows a systematic approach where Hydra tries all possible combinations of uppercase and lowercase letters. This is particularly effective because:

  1. Many password policies require mixed case
  2. Users often capitalize the first letter or random letters
  3. Common patterns include capitalizing the first letter of words

This step demonstrated how to use mixed case letter generation for brute-force attacks, which is effective against passwords that use both uppercase and lowercase letters.

Alphanumeric Password Generation

In this step, you will learn how to generate passwords that combine letters and numbers. Alphanumeric passwords are extremely common as they balance security with memorability.

Alphanumeric passwords are one of the most common password types because they:

  • Meet most password complexity requirements
  • Are easier to remember than purely random strings
  • Are often used in corporate environments

Let's generate alphanumeric passwords using Hydra:

hydra -l testuser -vV -x 3:4:a-zA-Z0-9 127.0.0.1 ftp -s 2121

This generates passwords with:

  • a-z: lowercase letters (a-z)
  • A-Z: uppercase letters (A-Z)
  • 0-9: digits (0-9)

Examples of generated passwords: "abc", "A2b", "123", "aB1", "Te1", etc.

Let's try a more focused approach with just lowercase letters and digits:

hydra -l testuser -vV -x 3:4:a-z0-9 127.0.0.1 ftp -s 2121

This will generate passwords like "aaa", "aa1", "a12", "123", "test", etc.

Common Alphanumeric Patterns:

Users often follow predictable patterns when creating alphanumeric passwords:

  1. Word + numbers (e.g., "pass123")
  2. Numbers + word (e.g., "123pass")
  3. Alternating letters and numbers (e.g., "a1b2")

Let's simulate a pattern where users might use short alphanumeric combinations:

hydra -l testuser -vV -x 4:5:a-z0-9 127.0.0.1 ftp -s 2121

This step demonstrated how to generate alphanumeric passwords, which are among the most common password types in real-world scenarios.

Numeric-Only Password Generation

In this step, you will learn how to generate purely numeric passwords. These are common for PINs, simple passwords, and systems with numeric-only requirements.

Numeric passwords are frequently used in:

  • PIN codes for devices and accounts
  • Simple passwords for basic systems
  • Temporary passwords
  • Legacy systems with numeric-only requirements

Let's generate numeric-only passwords:

hydra -l testuser -vV -x 3:6:0-9 127.0.0.1 ftp -s 2121

This generates purely numeric passwords like "123", "1234", "0000", "9999", "5678", etc.

For PIN-like passwords (typically 4-6 digits), try:

hydra -l testuser -vV -x 4:4:0-9 127.0.0.1 ftp -s 2121

This generates exactly 4-digit combinations that could represent:

  • Years (1990, 2000, 2023, etc.)
  • Common PINs (1234, 0000, 1111, etc.)
  • Birth years
  • Significant dates

Let's try a 6-digit pattern common for longer PINs:

hydra -l testuser -vV -x 6:6:0-9 127.0.0.1 ftp -s 2121

Common Numeric Patterns:

Users often choose predictable numeric passwords:

  1. Sequential numbers: 123456, 654321
  2. Repeated digits: 111111, 000000
  3. Dates: birth years, current year
  4. Simple patterns: 121212, 123123

Real-World Application:

Numeric password generation is especially useful when targeting:

  • Mobile device PINs
  • ATM PINs
  • Simple system passwords
  • Temporary access codes

This step demonstrated how to generate numeric-only passwords, which are commonly used in many systems.

Custom Character Sets with Symbols

In this step, you will learn how to create custom character sets that include specific symbols. This is useful when you know or suspect that the target uses certain special characters in their passwords.

Many password policies require special characters, and users often choose common symbols that are easy to type. Understanding which symbols to include can make your brute-force attacks more efficient.

Let's generate passwords with custom character sets that include specific symbols:

hydra -l testuser -vV -x '3:4:a-z0-9!@#' 127.0.0.1 ftp -s 2121

This generates passwords using:

  • a-z: lowercase letters (a-z)
  • 0-9: digits (0-9)
  • !@#: specific symbols

Examples: "abc!", "a1@", "te#", "12!", etc.

Let's try a different set of common symbols:

hydra -l testuser -vV -x '3:4:a-z$%&' 127.0.0.1 ftp -s 2121

This uses lowercase letters and the symbols $, %, &.

For passwords that might include more complex symbols:

hydra -l testuser -vV -x '3:4:a-zA-Z0-9!@#$%^&*' 127.0.0.1 ftp -s 2121

This creates a comprehensive character set with:

  • Lowercase and uppercase letters
  • Digits
  • Common symbols: !@#$%^&*

Most Common Password Symbols:

Based on password analysis, these symbols are most frequently used:

  1. ! - Exclamation mark
  2. @ - At symbol
  3. # - Hash/pound
  4. $ - Dollar sign
  5. % - Percent
  6. ^ - Caret
  7. & - Ampersand
  8. * - Asterisk

Strategic Symbol Selection:

When creating custom character sets, consider:

  • Keyboard accessibility (symbols on number row are common)
  • Password policy requirements
  • Cultural preferences (some symbols are more common in certain regions)
  • System limitations (some systems don't allow certain symbols)

Targeted Symbol Sets:

For specific scenarios, you might use targeted symbol sets:

## Common punctuation
hydra -l testuser -vV -x '3:4:a-z0-9.,;:' 127.0.0.1 ftp -s 2121

## Bracket symbols
hydra -l testuser -vV -x '3:4:a-z0-9()[]{}' 127.0.0.1 ftp -s 2121

## Mathematical symbols
hydra -l testuser -vV -x '3:4:a-z0-9+-=/' 127.0.0.1 ftp -s 2121

This step demonstrated how to create custom character sets with specific symbols, allowing you to tailor your brute-force attacks based on known or suspected password patterns.

Summary

In this lab, you learned how to use Hydra to generate passwords for brute-force attacks through a comprehensive step-by-step approach. You explored Hydra's -x option extensively across multiple dedicated scenarios, each focusing on specific password generation techniques.

You practiced distinct password generation strategies including:

  • Basic password generation: Understanding the -x option syntax and fundamental concepts
  • FTP attack scenarios: Applying password generation against real services
  • Mixed case letters: Combining uppercase and lowercase letters for common password patterns
  • Alphanumeric passwords: Using letters and numbers, the most common password type in real-world scenarios
  • Numeric-only passwords: Targeting PINs and simple numeric passwords with high crack efficiency
  • Custom character sets with symbols: Creating targeted symbol combinations based on common usage patterns
Related Hydra Courses
Hydra for Beginners

Hydra for Beginners

cybersecurityhydrakali
Hydra Cybersecurity Attack Labs

Hydra Cybersecurity Attack Labs

cybersecurityhydrakali