Hydra is a very fast and effective network login cracker. It will help you perform brute force attacks against SSH servers, VNC, and other services. When you launch Hydra it will launch the GUI in Kali, however in this tutorial we will use xHydra, which is the command line version of the tool.
The command line version of the tool gives you much for flexibility in how to use the tool.
Wordlists
This attack requires a wordlist. You can locate the default wordlist. This demo works well with the rockyou word list located at /usr/share/wordlists/rockyou.txt.gz in Kali. You will need to extract it first before using it. You can also use Aamir Lakhani’s Dr. Chaos guide to creating your wordlists with this tutorial http://www.drchaos.com/creating-custom-dictionary-files-using-cewl/
If you want the mother of all dictionary files, here is my 4.5Gb (13Gb uncompressed) dictionary file: https://mega.nz/#!vgRTXIoa!1QdZLw4BtFCpLX3boPG0xzR9e_4KhVOJXvepI7aML-8
Scanning for SSH Servers using NMAP
The first thing we will do is scan for SSH services listening on port 22. We are going to scan for the entire 10.1.100/24 subnet, but we could also scan for single host or a range.
Here’s a simple example that will scan all computers on the subnet and report any devices listening on port 22. . All of this along with the version of SSH that the server is running is output to a text file ssh_hosts:
nmap –p 22 –open –sV 10.1.100.0/24 > ssh_hosts
We could have also scanned it this way
nmap -p22 –open -PN -sV -oG ssh_hosts 10.1.100.0/24
Or another way, this presents a list if IPs that have SSH up:
nmap -p 22 10.44.46.0/27|awk ‘/scan report for/ {print $0}’|grep -Eo ‘[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}’
Next I am going to use Hydra. Hydra is very well-known and respected network log on cracker which can support many different services. (Similar projects and tools include medusa and John The Ripper). Hydra is able to use external files for passwords, usernames, or username and password combinations.
Hydra can be used to brute-force the following services:As a password/ log on cracker (hacking tool) – Hydra has been tested on the multiple protocols. We are going to enter the command:hydra -l root -P /root/password.txt 192.168.0.128 ssh T
he options in Hydra are very straightforward: -l telling Hydra you will provide a static login (you can use a file for multiple usernames instead). -P password file, or (lowercase) -p for (static) password-t TASKS of number of connected in parallel (per host, default is 16).ssh – you can specify the protocol being used. special thanks to Clay Nakamura and Tyler Nakamura for their updates on Sept 3rd, 2016
Hydra example to local host
