Password Cracking With THC–Hydra

I read a brief article on Hydra last week and it reminded my just what a great tool this is for remote password cracking. I use it on many of my assessments. The first thing you need to do is make certain that you have separate, special, permission to run these tests. Password cracking is usually a welcomed addition to any assessment, provided you tell the customer exactly what is happening and when.

Setup and Configuration

The first step is to download and compile THC-Hydra, which you can get [ here]. And important thing to note when setting up this utility is that you must pay attention to the build process. THC-Hydra will require libraries in order to crack various services. For example, in order to crack SSH, you much have the appropriate SSH libraries, otherwise this feature will be disabled. Take the following as an example:

Starting hydra auto configuration ...
Checking for openssl (libssl/ssl.h) ...
... found
Checking for Postgres (libpq) ...
... NOT found, module postgres disabled
Checking for SVN (ibsvn_client-1 ...
... NOT found, module svn disabled
Checking for SAP/R3 (librfc/saprfc.h) ...
... NOT found, module sapr3 disabled
Get it from
Checking for libssh (libssh/libssh.h) ...
... NOT found, module ssh2 disabled
Get it from - use v0.11!
Hydra will be installed into .../bin of: /usr/local
(change this by running ./configure --prefix=path)
Writing ...
ARM/PalmPilot users: please run ./configure-arm or ./configure-palm respectivly

In the above output Hydra has told us that it cannot find the libraries for Postgres, SVN, SAP, or SSH2). Refer to your distribution for the appropriate library installation. Now we are ready to run make and make install. I like to create a directory called /etc/hydra/ where I will store my configuration and dictionaries.

Obtaining Dictionaries

The most important component to any password cracking is the username and password dictionaries. You will need both, as most services will require both a username and a password. Where do you get these? You have to find them for yourself :) (Please do not ask me as I will not share them). In all seriousness, Google is your friend. Here are a few links to get you started:

I tend to have 2-3 different password databases that I start with. The first and most basic are all the stupid passwords (secret, ciso, etc..). The second level will layer on top of that all of the default password lists. The third layer includes everything mentioned before, and adds a nice english dictionary. These will typically range from 100 or so passwords, to 40,000+ passwords. I also keep at least two different username databases, one with common defaults (root, administrator) and one with many more. Then, layered on top of all of those will be my own customizations based on the customer (gleaning from the web site, dumping the LDAP database, etc…).

Cracking Passwords

The next step is to identify the services that you will to test. I try to choose clear-text protocols if they are available, as they will go faster. For example, if the target has OWA (Outlook Web Access) available using HTTPS, but also provides POP3 services without SSL, I target POP3. The usernames and passwords will typically be the same (as from the banners you can figure out that its running on the same exchange/Windoze environment and associated domain). The POP3 service is quicker in this case because it does not have to complete the SSL handshake.
When running Hydra, there are a few options that are significant and should always be used:

-R        restore a previous aborted/crashed session

Basically, always use this option. Services that you are cracking could crash (yea, it happens), so being able to pick-up where you leave off is key.

-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE

Unless I am only testing one username, I use this option and give it my username list.

-p PASS  or -P FILE try password PASS, or load several passwords from FILE

This is where you specify your password database.

-e ns     additional checks, "n" for null password, "s" try login as pass

ALWAYS use this option for every scan against every service. You may get lucky.

-o FILE   write found login/password pairs to FILE instead of stdout

Always do this too, just in case you get disconnected from the server you are running hydra on.

-w TIME   defines the max wait time in seconds for responses (default: 30)

Adjust this as neccessary. If a service is being picky I tend to monitor with tcpdump to be certain I am seeing what is expected and not overwhelming the host. Also, its a good idea to monitor this anyway, to be certain that there is no account lockout. If there is, you will need to adjust this value to try to slip under the lockout timers, which will greatly extend the length of your scan.

server    the target server (use either this OR the -M option)

I either use this, or provide a list of servers with -M. It depends on the test.

service    the service to crack. Supported protocols: telnet ftp pop3[-ntlm]   imap[-ntlm] smb smbnt http[s]-{head|get} http-{get|post}-form http-proxy cisco  cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5   rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh2 smtp-auth[-ntlm] pcanywhere  teamspeak sip vmauthd

Specify the service to crack. Important thing to note, if you are testing a cisco router with usernames and passwords you will need to use the standard telnet module. Here are some examples:

hydra -L myusernames -P my.passwds -e s -e n -f -o cisco.username.out telnet
hydra -l myusernames -P my.passwds -e s -e n -t 1 -M pop3.servers -o cracked_pop3.out  pop3

Now go forth, WITH PERMISSION, and crack the planet for the benefit of system and network administrators everywhere.



Paul Asadoorian

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python & telling everyone he uses Linux.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.