LabEx
Log InJoin For Free

Prepare Files for Hydra Attacks

HydraHydraBeginner
Practice Now

Introduction

In this lab, you will learn how to prepare essential files for Hydra brute-force attacks by creating and modifying username and password lists. You'll generate text files containing common credentials and customize them with additional variations to enhance testing effectiveness.

The exercise covers creating usernames.txt and passwords.txt files, expanding them with more entries, and verifying Hydra's ability to properly load these files. These prepared lists will serve as the foundation for subsequent authentication cracking attempts.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL hydra(("Hydra")) -.-> hydra/HydraGroup(["Hydra"]) hydra/HydraGroup -.-> hydra/password_creation("Password List Creation") hydra/HydraGroup -.-> hydra/username_creation("Username List Creation") hydra/HydraGroup -.-> hydra/single_username("Single Username Attack") hydra/HydraGroup -.-> hydra/single_password("Single Password Attack") hydra/HydraGroup -.-> hydra/output_saving("Output File Saving") hydra/HydraGroup -.-> hydra/verbose_mode("Verbose Mode Usage") subgraph Lab Skills hydra/password_creation -.-> lab-549920{{"Prepare Files for Hydra Attacks"}} hydra/username_creation -.-> lab-549920{{"Prepare Files for Hydra Attacks"}} hydra/single_username -.-> lab-549920{{"Prepare Files for Hydra Attacks"}} hydra/single_password -.-> lab-549920{{"Prepare Files for Hydra Attacks"}} hydra/output_saving -.-> lab-549920{{"Prepare Files for Hydra Attacks"}} hydra/verbose_mode -.-> lab-549920{{"Prepare Files for Hydra Attacks"}} end

Create a Username List File

In this step, you will create a text file containing a list of common usernames that can be used for testing authentication systems. This username list is essential for Hydra attacks as it provides the tool with potential account names to attempt during brute-force or dictionary attacks.

  1. First, ensure you are in the correct working directory. The cd command changes your current directory, and we're using ~/project as our working directory for this lab:
cd ~/project
  1. Create a new text file named usernames.txt using nano, which is a simple command-line text editor. The command below will either create a new file or open an existing one:
nano usernames.txt
  1. Now you'll add common usernames that are frequently used as default credentials in various systems. Type or paste these usernames, each on its own line:
admin
root
user
test
guest
administrator
  1. To save your changes in nano:
  • Press Ctrl+O (Write Out) to save
  • Press Enter to confirm the filename (usernames.txt)
  • Press Ctrl+X to exit the editor
  1. Verify the file was created correctly by displaying its contents with the cat command. This shows you exactly what's stored in the file:
cat usernames.txt

You should see the list of usernames you entered, each on a separate line. This file will serve as input for Hydra in subsequent steps, where the tool will systematically try each username (combined with passwords from another file) to test authentication systems.

Create a Password List File

In this step, you will create a text file containing common passwords that will be used alongside the username list from Step 1 for testing authentication systems with Hydra. Password lists are essential for brute-force attacks as they contain commonly used credentials that systems might be vulnerable to.

  1. First, ensure you're in the correct working directory (if not already there). The ~/project directory is where we'll store all our attack files to keep them organized:
cd ~/project
  1. Create a new text file named passwords.txt using nano. Nano is a simple text editor that comes pre-installed in most Linux distributions, perfect for beginners:
nano passwords.txt
  1. Add the following common passwords to the file (one per line). These are among the most frequently used weak passwords according to security research:
password
123456
admin
12345678
qwerty
123456789
  1. Save the file by pressing:
  • Ctrl+O (Write Out) - This saves your changes
  • Press Enter to confirm the filename
  • Ctrl+X to exit nano and return to the terminal
  1. Verify the file was created correctly by displaying its contents. The cat command is a quick way to check file contents without opening an editor:
cat passwords.txt

You should see the list of passwords you entered, each on a separate line. This password list will be combined with the username list from Step 1 when running Hydra in later steps. Having both files properly formatted ensures Hydra can systematically test all possible username-password combinations during the attack.

Edit Lists with Common Credentials

In this step, you will enhance both the username and password lists created in previous steps by adding more common credentials that are frequently used in authentication systems. These additions are important because real-world systems often have default or commonly used credentials that can be vulnerable to brute-force attacks.

  1. First, ensure you're in the correct working directory where your credential files are stored. This ensures all your edits are made in the right location:
cd ~/project
  1. Open the username list for editing using the nano text editor. Nano is a simple command-line editor that's perfect for beginners:
nano usernames.txt
  1. Add these additional common usernames to the existing list. These are typical default accounts that many systems use, making them good candidates for testing:
sysadmin
webmaster
support
backup
oracle
mysql

  1. Save the file by pressing Ctrl+O (write out), then Enter to confirm, and finally Ctrl+X to exit nano. These keyboard shortcuts are essential for working with command-line editors.

  2. Now open the password list for editing using the same process:

nano passwords.txt
  1. Add these additional common passwords to the existing list. These are weak passwords that users frequently choose, which makes them important to include in your testing:
letmein
welcome
password1
123123
12345
111111

  1. Save the password file using the same method: Ctrl+O, Enter, then Ctrl+X.

  2. Verify both files contain the updated credentials by displaying their contents. The && echo "---" part adds a visual separator between the two files when displayed:

cat usernames.txt && echo "---" && cat passwords.txt

You should see both lists now contain more comprehensive sets of credentials. These enhanced lists will provide better coverage when testing authentication systems with Hydra, as they include both default system accounts and commonly used weak passwords that are often found in real-world scenarios.

Save Lists in Accessible Directory

In this step, you will learn how to properly organize your credential lists for Hydra attacks by creating a dedicated directory and setting correct file permissions. This is important because Hydra needs to be able to access these files during password cracking attempts.

  1. First, navigate to your project directory if not already there. This ensures all your files stay organized in one place:
cd ~/project
  1. Create a new directory called hydra_lists specifically for storing your credential files. Using separate directories helps keep your workspace clean and makes files easier to find:
mkdir hydra_lists
  1. Move both your username and password files into this new directory. The mv command will physically relocate the files from their current location to the new directory:
mv usernames.txt passwords.txt hydra_lists/
  1. Verify the files were moved successfully by listing the directory contents. The -l flag shows detailed information including file permissions:
ls -l hydra_lists/

You should see both usernames.txt and passwords.txt listed with their permissions.

  1. Set appropriate permissions to ensure Hydra can read these files. The 644 permission means the owner can read/write while others can only read:
chmod 644 hydra_lists/*
  1. Confirm the permissions are correct by checking the directory again. The -rw-r--r-- permission string indicates the files are properly configured:
ls -l hydra_lists/

The output should show -rw-r--r-- for both files, which means they are readable by all users but only writable by the owner - the ideal permission setting for credential files used in Hydra attacks.

Verify Files Load in Hydra

In this final step, you will verify that Hydra can properly read and process the credential files you created in previous steps. This is an important check before launching actual attacks, as it ensures your username and password lists are formatted correctly and accessible to Hydra.

  1. First, ensure you're in the correct working directory where your credential files are stored. This is crucial because Hydra needs to know where to find your username and password lists:
cd ~/project
  1. Now we'll run Hydra in test mode using the -V flag for verbose output. This command tells Hydra to:
    • Use the username list (-L hydra_lists/usernames.txt)
    • Use the password list (-P hydra_lists/passwords.txt)
    • Test against localhost's SSH service
    • Use only 1 thread (-t 1) for testing purposes
hydra -L hydra_lists/usernames.txt -P hydra_lists/passwords.txt -V -t 1 localhost ssh
  1. When the command runs successfully, you should see output similar to this. The key information here is the "login tries" count which confirms Hydra has read both files:
Hydra v9.2 (c) 2022 by van Hauser/THC & David Maciejak
[DATA] max 1 task per 1 server, overall 1 task, 42 login tries (l:6/p:7), ~42 tries per task
[DATA] attacking ssh://localhost:22/
[VERBOSE] Resolving addresses ... done

  1. After verifying the output, press Ctrl+C to stop the test. There's no need to let it complete since we're just testing file loading.

  2. To confirm both files were properly read, check the number of login tries shown in the output. This number should equal the number of usernames multiplied by the number of passwords in your lists. For example, if you have 6 usernames and 7 passwords, you should see 42 login tries (6×7=42). This multiplication confirms Hydra is correctly combining all possible credential pairs from your files.

Summary

In this lab, you have learned how to prepare username and password lists for Hydra attacks by creating and managing text files in Linux. The exercises covered creating usernames.txt and passwords.txt using nano, populating them with common credentials, and verifying contents with cat commands.

You also practiced essential Linux file operations including directory navigation, text editing, and file validation. These skills form the foundation for setting up effective brute-force attacks, as properly formatted credential lists are crucial for Hydra's security testing capabilities.