THC Hydra stands as one of the earliest password-cracking tools, originating from the hacker community. Its extensive protocol coverage surpasses that of any other password-cracking tool to the best of my knowledge. Moreover, it is compatible with nearly all modern operating systems. In my penetration tests, I frequently employ Hydra, although I refrain from using it for brute force authentication due to the availability of more effective tools, which will be discussed in our exploration of web hacking.
For those inclined towards graphical user interfaces (GUIs), a version of Hydra is included by default in Kali Linux. Activating it is as simple as entering "X Hydra" in the command line. In this video, our objective is to delve into the functionality of both Hydra and X Hydra. It is important to note that unauthorized hacking is illegal, and as a demonstration, I have performed these actions on my Metasploitable server within a virtual box.
To install Hydra, refer to the provided video by clicking the information button.
As you can observe, my Metasploitable server is active, and you can ascertain its IP address using the "ifconfig" command.
To access Hydra, navigate to the applications and type "Hydra," or use the command line by directly typing "Hydra." The terminal console will open, displaying the help desk. Experiment with various flags and an example is presented at the end of the terminal.
Moving on to the attack on our Metasploitable server, we will perform a brute force on its FTP service with the IP address 192.168.56.102. Create two-word lists using tools like Crunch or Tri-Cup (refer to separate videos). Verify the existence of the word list using the "ls" command.
To initiate the attack, use the following command:
Hydra -b -L <username_file> -P <password_file> -t 16 <target_IP> ftp
The successful password match is revealed, and you can attempt to log in using Telnet with the identified password.
For an alternative approach, attempt the crack using X-Hydra. Open it by searching, inputting the target, choosing the protocol, enabling showing attempts, navigating to the password tab, selecting the word list source, configuring tuning, and initiating the attack.
Conclude the process by clicking on the start tab. Experiment with these steps independently. If any doubts or queries arise, feel free to express them in the comments section below.
