This blog is NOT the OFFICIAL website of Kali Linux. We just share tutorials to learn cybersecurity.

Hydra & xHydra -- Online Password Brute-force tool

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

xHydra is the graphical version of hydra, and it is easy to use. Hydra and xHydra come pre-installed in Kali Linux.

Hydra supports these protocols: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.


Hydra works in 4 modes:
  • One username & one password
  • User-list & One password
  • One username & Password list
  • User-list & Password list
We can check hydra's options by running the following command in our Kali Linux terminal:
hydra -h

We need a username or a list of usernames, and a password or a list of passwords, to log in to network services. We can find wordlist files in the /usr/share/wordlists directory of Kali Linux.

If we want to make custom wordlists, we can use crunch. For an FTP login on a host in our local network we can use the following command:
hydra -l username -p password ftp://192.168.xx.xx
Here xx stands for the digits of our target's IP address.

Here we have used the flags -l and -p for a single username and a single password, but we can also use -L and -P to supply wordlists of usernames and passwords.

The command then looks like this:
hydra -L /path/of/usernames.txt -P /path/of/passwords.txt ftp://192.168.1.1
In a security assessment, if an nmap scan shows that the FTP port is open, we can try hydra to brute-force the FTP login.

xHydra -- Hydra with graphical interface

There is a graphical version of hydra called xHydra. It also comes pre-installed on our Kali Linux machine.

We can open xHydra from the Kali Linux terminal by using the xhydra command:
xhydra
This command opens xHydra on its Target tab. Let's go through all the tabs and what each one does:
  • Target – Specify the target.
  • Passwords – Specify password options and wordlists.
  • Tuning – Specify how fast hydra should work. Other timing options are also available.
  • Specific – For testing specific targets such as a domain, an HTTPS proxy etc.
  • Start – Start and stop the attack; it also shows the output.
In the Target tab we select a target and a protocol.

Then, in the Passwords tab, we can enter a username or a username list and a password or a password list.

Next comes the Tuning tab, where we put 1 in the "Number of tasks" field.

Then we go to the "Start" tab and choose the Start option in the bottom-left corner.

Then the process starts. When xHydra cracks the SSH login, the username and password appear in the output below.

This is how we can brute-force online passwords using hydra and xHydra in Kali Linux. This is a very old and useful tool for penetration testers.
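
From the defender's side, the four modes listed above leave different patterns in the target's logs. The following is an added example, not part of the original tutorial: it reads OpenSSH "Failed password" / "Accepted password" lines and labels each noisy source by the mode it resembles. The function name, the threshold and the sample log lines are assumptions made for illustration. Since the log does not record passwords, the "one attempt per user" label is only an inference that one password was tried across a user list.

```python
import re
from collections import defaultdict
# Constructed sshd auth-log lines (documentation IP ranges, made-up users).
SAMPLE_LOG = """\
Jan 12 10:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 12 10:00:02 host sshd[101]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jan 12 10:00:03 host sshd[101]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 12 10:00:04 host sshd[101]: Accepted password for root from 203.0.113.5 port 40004 ssh2
Jan 12 10:05:01 host sshd[102]: Failed password for invalid user admin from 198.51.100.7 port 50001 ssh2
Jan 12 10:05:02 host sshd[102]: Failed password for invalid user test from 198.51.100.7 port 50002 ssh2
Jan 12 10:05:03 host sshd[102]: Failed password for invalid user oracle from 198.51.100.7 port 50003 ssh2
Jan 12 10:09:01 host sshd[103]: Failed password for alice from 192.0.2.9 port 60001 ssh2
Jan 12 10:09:02 host sshd[103]: Failed password for alice from 192.0.2.9 port 60002 ssh2
Jan 12 10:09:03 host sshd[103]: Failed password for bob from 192.0.2.9 port 60003 ssh2
Jan 12 10:09:04 host sshd[103]: Failed password for bob from 192.0.2.9 port 60004 ssh2
Jan 12 10:20:01 host sshd[104]: Failed password for dave from 192.0.2.50 port 61001 ssh2
Jan 12 10:20:09 host sshd[104]: Accepted password for dave from 192.0.2.50 port 61002 ssh2
"""
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+) port \d+")

def classify_sources(log_text, threshold=3):
    """Map each source IP with >= threshold failed logins to a guessing pattern."""
    fails = defaultdict(list)   # ip -> usernames of failed attempts
    success = {}                # ip -> user that logged in after earlier failures
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            fails[m.group(2)].append(m.group(1))
        elif (m := ACCEPTED.search(line)) and m.group(2) in fails:
            success[m.group(2)] = m.group(1)
    verdicts = {}
    for ip, users in fails.items():
        if len(users) < threshold:
            continue            # a few typos from one host is normal
        distinct = len(set(users))
        if distinct == 1:
            kind = "one username, password list"
        elif distinct == len(users):
            kind = "user list, one attempt per user"
        else:
            kind = "user list and password list"
        if ip in success:
            kind += f" -> LOGIN SUCCEEDED as {success[ip]}"
        verdicts[ip] = kind
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(ip, verdict)
```

A source flagged with "LOGIN SUCCEEDED" is the case to triage first: the account named there should be treated as compromised and its password reset.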

Kali Linux

Comments

19 comments
  • Unknown, July 4, 2020 at 8:04 PM

    Sir, I want to become a hacker but I now how to start .....
    • Kali Linux, July 6, 2020 at 9:26 AM

      Gain knowledge in networking, learn how everything works. Learn the use of Linux and some programming languages like Python, PHP, Bash etc. You can start by using Linux and learning Bash. To learn Linux quickly you can uninstall Windows and do all your daily jobs and everything on Linux (it's our tested way).
    • Faizan, October 1, 2020 at 2:04 AM

      It proved to be Very helpful to me and I am sure to all the commentators here! BandarQQ
      • Prashant Kadam, November 4, 2020 at 12:43 AM

        how to crack .encfs6.xml file
      • Faizan, December 20, 2020 at 11:36 PM

        New web site is looking good. Thanks for the great effort. dewa poker
        • sparklingstars, January 12, 2021 at 11:50 AM

          I'm unable to find gmail password using xhydra gui tool .. I've attached 10million pwdlist even I didn't get can you help me
          • Kali Linux, January 12, 2021 at 12:40 PM

            Brute forcing a gmail account will not be beneficial, because after some wrong tries Google will notice you and you will not be able to do anything much. Google is smart enough. Phishing will be a good option or MITM.

            In simple words we can't get gmail password using bruteforce, not even using proxy or Tor.
          • friend, February 2, 2021 at 4:20 PM

            Any tips for rediffmail account? user name is known. passwords are between 6-12 characters. so brute force is not beneficial. Can you please suggest? It is an unused account so phishing also not helpful.
            • Kali Linux, February 2, 2021 at 6:07 PM

              Hi, brute-force is not possible here, because after some wrong password attempts the account will be locked by rediffmail.
              • friend, February 2, 2021 at 7:35 PM

                so what are the options? Any other suggestions, please.
                • Kali Linux, February 3, 2021 at 10:02 AM

                  Try some recovery options.
                  • friend, February 4, 2021 at 8:52 PM

                    Is there a tool for intercepting SMS for android? Thanks for your patience.

                    I learnt to use GHunt from your pages. Hope to become a well informed person soon. Your tutorials are simple and understandable.
                    • friend, February 4, 2021 at 8:54 PM

                      Asking because only a phone number is available for recovery.
                      • Kali Linux, February 5, 2021 at 6:35 PM

                        Thanks for your kind talks. You motivate us a lot. Intercepting SMS on android?? You need to try some spyware of payload. You can try our Telegram Group if you like to join with us. Thanks.
                      • Unknown, February 24, 2021 at 4:50 AM

                        there's no download button
                      • Anonymous, July 2, 2023 at 12:47 AM

                        Where do I put the password file? I have it in .txt format
                        • Anonymous, July 2, 2023 at 4:17 PM

                          Wherever your password file is that doesn't matter. You need to mention your file's location. Thanks for comment. It means a lot for us.