Title: How to install and use THC Hydra?

Excerpt: Passwords can keep our systems, social media, devices, etc. safe. However,
these are also considered as the weakest links, cracking it would be possible with the
use of THC Hydra, which’s rapid and can brute force several protocols. Learn how to
install and use THC Hydra by reading this article.

Permalink: how-to-install-and-use-thc-hydra

Category: security
Passwords are the weakest links. If someone gets ahold of your password, it’s game
over! As such, passwords are the most important security weaknesses. There are many
tools that allow you to attempt username:password combinations throughout,
however, none of them are as potent as THC Hydra. This is because it’s both rapid
and offers a large number of protocols to brute force. In fact, it can deal with about 55
different protocols. Moreover, there are two versions of THC Hydra: a GUI version
and a CLI version.

Installing THC Hydra

Download THC hydra from https://github.com/vanhauser-thc/thc-hydra.

Once downloaded, extract the files, and execute the following:

cd thc-hydra-master/
./configure
make
make install

If you’re using Ubuntu/Debian, type the following as well:

apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \

libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \
firebird-dev libmemcached-dev libgpg-error-dev \
libgcrypt11-dev libgcrypt20-dev

CLI Usage
Here, we examine how to use hydra with common protocols.

SSH/FTP/RDP/TELNET/MYSQL

One must remember that Hydra can deal with approximately 55 different protocols.
These are but a few examples of the most dealt-with protocols, such as ssh, ftp, rdp,
telnet, and mysql. However, the same principle applies to the remaining protocols.

In order to get Hydra to work with a protocol, you’ll need either a username (-l) or a
list of usernames (-L), a list of passwords (a password file), and the target IP address
associated with the protocol. You can add further parameters if you wish. For
example, -V for verbosity.

hydra -l <username> -P <password> <protocol>://<ip>

Alternatively, you can also format it as follows:

hydra -l <username> -P <password file> -s <port> -V <ip> <protocol>

-l or -L: username or list of usernames to attempt
-P: password list
-s: port
-V: verbose
<protocol>: ftp/rdp/ssh/telnet/mysql/etc…
<ip>: ip address
For example, for FTP:

hydra -V -f -l <username> -P <password> ftp://<ip>

Or

hydra -l <username> -P <password file> -s 21 -V <ip> ftp

HTTP-GET-FORM

Depending on the type of request, GET or POST, you can use either http-get-form or
http-post-form. Under the inspect element, you can figure out whether the page is a
GET or POST. You can then use the http-get-form when attempting to find the
password to a username:password combination on the web (for instance, a website).

hydra -l <username> -P <password> -V -f <ip> http-get-form “a:b:c:d”

-l or -L: username or list of usernames to attempt

-P: password list
-f : stop when the password is found
-V: verbose
a: login page
b: username/password combination
c: error message received if login fails
d: H=session cookie

For example, suppose we wish to hack DVWA (Damn Vulnerable Web Application).
Once online using apache2, it should be at your local IP. In my case, it’s at
http://10.0.2.15.

So, the:
<ip>: 10.0.2.15
a: /vulnerabilities/brute/

Next, we need b and c. So, let’s try to login with fake credentials (anything here will
do). The site displays this message: “Username or password incorrect.” Therefore, we
will use the message c:

c: username or password incorrect

So, b will be as follows:

b: username=^USER^&password=^PASS^&Login=Login#
Replace the credentials inputted with ^USER^ and ^PASS^. If this was a POST
request, you would find this information under the inspect element > Request tab.

Next, under inspect element, copy the cookie. This will be d:

d: H=Cookie:PHPSESSID=3046g4jmq4i504ai0gnvsv0ri2;security=low

So, for example:

hydra -l admin -P /home/kalyani/rockyou.txt -V -f 10.0.2.15 http-get-form

“/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login
#:username or password incorrect:
H=Cookie:PHPSESSID=3046g4jmq4i504ai0gnvsv0ri2;security=low”

When you run this, and if the password is in the list, then it will find it for you.

However, if this proves to be too much work for you, no need to stress out because
there’s a GUI version as well. It is a lot simpler than the CLI version. The GUI
version of THC hydra is called Hydra GTK.

Installing Hydra GTK

In Ubuntu, you can simply install Hydra GTK using the following command:

sudo apt-get install hydra-gtk -y

Once installed, you will need the following:

(i) A target or list of targets: This is the IP address of the protocol you wish to attack
(ii) Port number: the port number associated with the protocol
(iii) Protocol: ssh, ftp, mysql, etc…
(iv) Username: either input a username or a list of usernames
(v) Password or Password list
Depending on whether you want to hack one or multiple targets, you can either input
one or many targets into the target box. Suppose you’re attacking a single target, an
SSH, located at 999.999.999.999 (a fake IP address, obviously). In the target box,
you’d put 999.999.999.999, and in the port section, you’d put 22. Under the protocol,
you’d put SSH. It would be advisable to tick the “be verbose” and the “show
attempts” boxes as well. The “be verbose” box is equivalent to -v in THC Hydra,
while the “show attempts” box is equivalent to -V in THC Hydra. The plus point
about Hydra is that it can deal with a large number of protocols.
In the next tab, input the username you desire or a list of usernames (the location of
the list of usernames in this case). For instance, in the “username list”, I would put
“/home/kalyani/usernamelist.txt”. The same is true for passwords. The location of the
password file is inputted in the box called “password list”. Once these have been
filled in, the rest is easy. You can leave the tuning and specific tabs as is and click on
the start button under the start tab.

Hydra GTK is a lot easier to use than THC Hydra, even though they are the same
thing. Whether you use THC Hydra or Hydra GTK, both are great tools to crack
passwords. The problem typically encountered will come in the form of the password
list used. You can obviously use other programs such as crunch and wordlist
generators to tailor your password list to your liking. However, if you can also tailor
the password list to your use, Hydra can become a very powerful ally.

Happy Hacking!