Hydra & xHydra — Online Password Brute-force tool

xHydra is the graphical version of hydra, and it is easy to use. Hydra and xHydra comes pre-installed in Kali Linux.

Hydra supports these protocols: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Hydra works in 4 modes:

• One username & one password
• User-list & One password
• One username & Password list
• User-list & Password list

We can check the options of hydra by using following command in our Kali Linux terminal:

hydra -h

The screenshot of the command is following:

We need a username of list of usernames and a password or list of passwords to login on web services. We can found the wordlist files in the /usr/share/wodlists directory of Kali Linux.

If we want to make custom wordlists then we can use crunch. For a ftp login in our localhost we can use following command:

hydra -l username -p password ftp://192.168.xx.xx

Here xx refers to our target IP address. The screenshot is following:

Here we have used flags -l and -p for single username and password but we also can use -L and -P for wordlists of username and password.

Then the command will be like following:

hydra -L /path/of/usernames.txt -P /path/of/pasword.txt ftp://192.168.1.1

In the way of cybersecurity after scanning with nmap if we find ftp port is open then we can try hydra to bruteforce the ftp login.

xHydra — Hydra with graphical interface

There is a graphical version of hydra, it’s called xHydra. It is also comes pre-installed in our Kali Linux machine.

You can open xHydra from the Kali Linux terminal by using xhydra command:

xhydra

This command will open the xhydra as we can see in the following screenshot:

The above screenshot is xhydra’s target tab. Let’s know about all the tabs and it’s works.

• Target – Specify the target
• Passwords – Specify password options & wordlists
• Tuning – Specify how fast should hydra work. Other timing options also available.
• Specific – For testing on specific targets like a domain, https proxy etc.
• Start – Start and Stop the attack & shows the output.

In the following screenshot we have selected a a target and a protocol in the target tab.

Then in the passwords tab we can enter a username or a username list and a password or a password list. Check the cxample in the following screenshot:

Then comes tuning tab, we put 1 in the field of “Number of tasks“

Then we go to the “Start” tab and choose the start option on the bottom-left corner. The screenshot is following:

Then the process will started. Whenever xHydra crack the SSH we can see the username and password below, as shown in the following screenshot:

This is how we can brute-force online passwords using hydra and xHydra in Kali Linux. This is a very old and useful tool for penetration testers.

For more tutorials like this visit our website regularly and for quick updates follow us on Twitter and join our Telegram Family. For any kind of problem or suggestion comment down we always replay.