Brute force attack & dictionary password cracking using hydra

Brute force attack and Dictionary password cracking attack is still effective. Brute force attack can be more effective if the hacker has good knowledge in password profiling,information gathering. Today, i will shortly explain that how a hacker can crack password using hydra brute force attack or dictionary attack. Before that let me give you a short definition of Brute force and dictionary attack.

Brute force attack

Brute force attack is combination of all character a-z,A-Z,1-3 and other special characters.

Dictionary password attack

Dictionary attack is a list of common password. For example, you know “admin” is used as password to protect various confidential resource. So you put the “admin” word in your dictionary file. You also can download free password list from various source(Google search!). If the hacker is lucky then password will be in the list.

I will explain how a hacker can make brute force attack using hydra to crack various online accounts.

Brute Force Attack

If hackers decide to make pure brute force then they need to exclude the option ‘-P’ and use ‘-x min:max:char’, for example ‘-x 3:3:a’ :

The hydra syntax:
-t = How many parallel attempt at a time(1/5/10/100 ?). Don’t use too much otherwise you will get false result
-V = Show output
-f = Stop when found the password.
-l = The Username (-L for username from file)
-P= Dictionary file
IP-address-or-domain module-such-as-http-form

Cracking the RDP password

We know the default username of windows is “administrator” So we can brute force the password only:

I did it on vmware workstation and was too slow!

Cracking FTP password

Hacker knows the user name of the FTP is 'root' , So hacker make a quick password guessing with following command:

Here the password is ftpadmin!

Cracking SSH password with hydra

MySQL password cracking using hydra

In this case we are going to crack a empty password of mysql. Some Peoples still does not use password to protect their database server. We can make brute force attack like this:

Attention to the option of hydra: -e ns .

Web Form brute forcing

I have coded a simple html login form for this test. Hydra can brute force web form faster and effectively than other tools. But it requires you to understand that how the form is being handled. So the hacker need to have basic understanding of html too. Also the hacker/you need to find out the correct username otherwise it will be failed or will need to brute force the  user name which is really bad idea.

The login form:

We actually need to brute force the name=”password” . “password” is the name of the password field which need to match with an string from database or from php hard coded string. For your better understanding i am pasting the log.php too:

In the php code $passGet=$_POST[“password”]; getting field string by post method and comparing with variable $pass . If you input yourpass in password field then it will say success otherwise fail.

Imagine, We don’t know the password so we are going to brute force it using hydra. We have following information:

URL: http://http://localhost/login/ (Optional?)
Action page: http://localhost/login/log.php   (Required)
User: admin
Form parameter:  user=admin&password=brute-force-here   (see the html!)

Let us now brute force the password using thc-hydra.

Hydra command 1:

Here is output:

Hydra command 2:


In this command brute forced the page with fail string. When input bad password , the page generate “fail” message. So we tell the thc-hydra that keep attacking whenever you see the message “fail” . So hydra won’t stop until it see other strings instead “fail”.  But we need to be careful that if in the success page has “fail” string in somewhere then hydra will give you false results.  Depend on the situation ! For example a success page might have following welcome message:

Welcome User! We are not responsible if you are fail to protect your confidential information. Be careful from hacker!

In this case hydra will give false result. So think , how you want to set fail string!

Some tips against brute force:
1. Use strong password.
2. Login page should have captcha.
3. Server should be counting the fail attempt and block the ip after few fail attempt of login.

Hope you enjoyed!