Learn Basic Hydra Commands

Introduction

In this lab, you will learn the essential commands and techniques for using Hydra, a versatile password-cracking tool. You'll explore basic command structures with key options like username (-l/-L), password (-p/-P), and port (-s) specifications, while practicing a simple SSH attack against a test server.

The exercises will guide you through target configuration, attack execution, and output interpretation. By completing this lab, you'll gain practical experience with Hydra's core functionality for basic brute-force attempts against network services.

Important: This lab is designed for Desktop Interface. DO NOT run the commands in Single-Terminal Interface.

Understand Hydra Command Structure

In this step, we'll explore the fundamental command structure of Hydra, which is a powerful tool for testing password security through brute-force attacks. Before we begin, it's important to understand that Hydra systematically tries different username and password combinations against network services to identify weak credentials.

The basic Hydra command follows this pattern:

hydra [[[-l LOGIN | -L FILE] [-p PASS | -P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [service://server[:PORT][/OPT]]

Let's break down the most commonly used options to understand what each part does:

• -l or -L: These let you specify either a single username (-l) for testing or a file containing multiple usernames (-L)
• -p or -P: Similar to usernames, these allow you to test either a single password (-p) or multiple passwords from a file (-P)
• -t: Controls how many attempts Hydra makes simultaneously (parallel threads)
• -s: Important when the service you're testing doesn't use its standard port number
• -vV: Shows detailed progress information during the attack
• -o: Saves your results to a specified file for later review

To verify Hydra is working correctly and see all available options, we'll start with a simple command that displays the help menu:

hydra -h

After running this, you should see Hydra's complete list of options and commands. This output confirms the tool is properly installed and ready for our security testing exercises. The help menu is also a useful reference when you need to check specific command syntax during your work.

Specify Target Host and Port

In this step, you will learn how to specify the target host and port when using Hydra. This is essential for directing your attack to the correct service. Think of it like addressing an envelope - you need the right destination (IP/hostname) and specific mailbox (port) to deliver your message.

The basic format for specifying target information in Hydra is:

hydra [options] < service > :// < target > [:port]

Let's break down each component:

• <service>: The protocol or service you're attacking (e.g., ssh, ftp, http). This tells Hydra what kind of authentication to attempt.
• <target>: The IP address or hostname of the target server. This is like the building address you're trying to access.
• [:port]: Optional port number. Services usually run on standard ports (like 22 for SSH), but sometimes they're moved to different ports for security.

For practice, we'll use a test SSH server running on localhost (127.0.0.1) on port 22. This means we're attacking our own machine, which is safe for learning. Try this command to verify the target specification:

hydra -vV -l testuser -p testpass ssh://127.0.0.1:22

Here's what's happening in this test command:

• -vV makes Hydra show detailed output so you can see what's happening
• -l testuser specifies a test username
• -p testpass provides a test password
• ssh://127.0.0.1:22 tells Hydra to attempt SSH authentication on our local machine

Note: This is just a test command to demonstrate syntax. We'll use real credentials in later steps when you understand how the pieces fit together.

Use Username and Password Options

In this step, we'll explore how Hydra handles authentication credentials for brute-force attacks. Understanding these options is crucial because Hydra needs to know what combinations to try when attempting to log in to the target system.

Hydra provides three main methods to specify credentials, each suitable for different scenarios:

1. Single Credential Testing (useful for quick verification):

hydra -l username -p password ssh://127.0.0.1

This command tries exactly one username/password combination against the SSH service.

2. List-based Testing (common for dictionary attacks):

hydra -L usernames.txt -P passwords.txt ssh://127.0.0.1

Here, Hydra will try every possible combination between usernames in usernames.txt and passwords in passwords.txt.

3. Paired Credential File (when usernames and passwords are directly linked):

hydra -C creds.txt ssh://127.0.0.1

This uses a file where each line contains a username and password separated by a colon (username:password).

Let's create test files to practice with these options. First, we'll make a simple username list containing common administrative accounts:

echo -e "admin\nroot\ntestuser" > usernames.txt

Next, we'll create a password list with some weak passwords that are often found in real-world systems:

echo -e "password\n123456\nadmin123" > passwords.txt

Now we can run a test command with verbose output (-vV) to see how Hydra processes these files:

hydra -vV -L usernames.txt -P passwords.txt ssh://127.0.0.1

The -vV flags make Hydra show detailed output so you can observe the attack progress and understand what's happening at each step.

Run a Simple SSH Attack Command

In this step, you will combine all previous learnings to execute a complete SSH brute-force attack using Hydra. We'll use the test SSH server running on localhost (127.0.0.1) with the credentials we prepared earlier. This practical exercise will help you understand how Hydra systematically tries different username and password combinations against an SSH service.

Before launching the attack, let's verify our target setup is working properly. We'll attempt a manual SSH connection to confirm the service is running:

ssh [email protected]

(Type "Ctrl+C" when prompted for password to return to your session)

This manual test helps us confirm that the SSH service is active and responding to connection attempts. When Hydra runs, it will make similar connection attempts but automate the process with multiple tries.

LabEx VM provides the password for labex in the environment variable PASSWORD. Let's add it to the password file for testing:

Important: Run the following commands in Desktop Interface, otherwise you will not get the PASSWORD environment variable.

echo "labex" > usernames.txt
echo -e "$PASSWORD" >> passwords.txt

Now let's run the actual Hydra attack command. This is where we put together all the components we've prepared - the username list, password list, and target information:

hydra -vV -L usernames.txt -P passwords.txt -t 4 ssh://127.0.0.1

Let's break down what each parameter does:

• -vV: Enables verbose output so you can see Hydra's progress in real-time
• -L usernames.txt: Specifies the file containing potential usernames to try
• -P passwords.txt: Specifies the file containing potential passwords to test
• -t 4: Sets the number of parallel connections (threads) to use
• ssh://127.0.0.1: Identifies our target as an SSH service on localhost

The command will systematically test all combinations from our username and password lists. In our controlled test environment, this will intentionally fail to find valid credentials, but you'll see exactly how Hydra works through the combinations. The verbose output will show you each attempt Hydra makes, helping you understand the brute-force process.

Notice how Hydra automatically handles failed attempts and continues with the next combination. This demonstrates the power of automated tools compared to manual testing. The process might take a few moments as Hydra works through all possible combinations in our test files.

Check Command Output

In this step, we'll examine how to read and understand Hydra's output after running an SSH attack. This is important because the output tells us whether the attack succeeded and provides valuable debugging information. As a beginner, you'll learn to identify key success indicators in the results.

When you executed the SSH attack command in Step 4, Hydra generated output that looks like this:

[DATA] attacking ssh://127.0.0.1:22/
[VERBOSE] Resolving addresses ... done
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 19 to do in 00:01h
[22][ssh] host: 127.0.0.1   login: testuser   password: testpass
1 of 1 target successfully completed, 1 valid password found

Let's break down what each part means:

1. The [DATA] line shows the target service and address being attacked
2. [STATUS] provides real-time statistics about the attack progress
3. The most important line shows any found credentials in the format: [port][service] host: IP login: username password: password
4. The final line summarizes the attack results

For documentation and later analysis, you can save Hydra's output to a file using the -o option. This creates a permanent record of your test results:

hydra -vV -L usernames.txt -P passwords.txt -t 4 -o results.txt ssh://127.0.0.1

After the command completes, you can view the saved results with:

cat results.txt

This file will contain the same output you saw in the terminal, allowing you to review the findings later or share them with team members.

Summary

In this lab, you have learned the essential commands and techniques for conducting password-cracking attacks using Hydra. The exercises covered core command syntax including username/password specification with -l/-L and -p/-P flags, port configuration with -s, and basic Hydra installation verification.

You have also practiced target specification using the <service>://<target>[:port] format through practical SSH attack examples. These foundational skills enable you to execute basic Hydra operations while understanding proper command structure and target definition.