惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Hacker News
The Hacker News
Google Online Security Blog
Google Online Security Blog
K
Kaspersky official blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
S
Schneier on Security
C
Cybersecurity and Infrastructure Security Agency CISA
Security Archives - TechRepublic
Security Archives - TechRepublic
Hacker News - Newest:
Hacker News - Newest: "LLM"
Cisco Talos Blog
Cisco Talos Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Cyberwarzone
Cyberwarzone
L
LINUX DO - 最新话题
PCI Perspectives
PCI Perspectives
酷 壳 – CoolShell
酷 壳 – CoolShell
云风的 BLOG
云风的 BLOG
N
News and Events Feed by Topic
N
News and Events Feed by Topic
V
Vulnerabilities – Threatpost
T
Troy Hunt's Blog
GbyAI
GbyAI
C
CERT Recently Published Vulnerability Notes
G
Google Developers Blog
Microsoft Azure Blog
Microsoft Azure Blog
量子位
Scott Helme
Scott Helme
月光博客
月光博客
Attack and Defense Labs
Attack and Defense Labs
aimingoo的专栏
aimingoo的专栏
博客园 - 聂微东
Project Zero
Project Zero
G
GRAHAM CLULEY
博客园 - 【当耐特】
Recorded Future
Recorded Future
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
小众软件
小众软件
D
DataBreaches.Net
T
The Blog of Author Tim Ferriss
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
O
OpenAI News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
V
V2EX
Stack Overflow Blog
Stack Overflow Blog
爱范儿
爱范儿
S
Security @ Cisco Blogs
The Last Watchdog
The Last Watchdog
MongoDB | Blog
MongoDB | Blog
H
Hacker News: Front Page
Latest news
Latest news
P
Proofpoint News Feed

Black Hills Information Security, Inc.

Bad Habits: An ANTISOC Operation Same Problem, Different Angles: When Red Team and Blue Team Actually Talk to Each Other How to Identify and Exploit New Vulnerabilities Swapper – A Pure Regex Match/Replace Burp Extension A Practical Guide to BloodHound Data Collection Network Engineering Basics Signed, Trusted, and Abused: Proxy Execution via WebView2 Getting Started In Pentesting – Advice From The BHIS Pentest Lead Cloud Security: Tips and Resources for Securing the Cloud Lessons From A Chatbot Incident How to Lead Effective Tabletops Understanding GRC: How to Navigate Risks and Compliance Standards The “P” in PAM is for Persistence: Linux Persistence Technique Malware Analysis: How to Analyze and Understand Malware OSINT: How to Find, Use, and Control Open-Source Intelligence What to Do with Your First Home Lab When the SOC Goes to Deadwood: A Night to Remember Social Engineering and Microsoft SSPR: The Road to Pwnage is Paved with Good Intentions Common Cyber Threats Finding the Right Penetration Testing Company Deceptive-Auditing: An Active Directory Honeypots Tool The Curious Case of the Comburglar How to Set Smart Goals (That Actually Work For You) Inside the BHIS SOC: A Conversation with Hayden Covington Abusing Delegation with Impacket (Part 3): Resource-Based Constrained Delegation Why You Got Hacked – 2025 Super Edition Abusing Delegation with Impacket (Part 2): Constrained Delegation Abusing Delegation with Impacket (Part 1): Unconstrained Delegation GoSpoof – Turning Attacks into Intel Model Context Protocol (MCP) Bypassing WAFs Using Oversized Requests Getting Started with AI Hacking Part 2: Prompt Injection Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 2) DomCat: A Domain Categorization Tool Wrangling Windows Event Logs with Hayabusa & SOF-ELK (Part 1) Microsoft Store and WinGet: Security Risks for Corporate Environments Default Web Content MailFail Commonly Abused Administrative Utilities: A Hidden Risk to Enterprise Security Stop Spoofing Yourself! Disabling M365 Direct Send Bypassing CSP with JSONP: Introducing JSONPeek and CSP B Gone Offensive Tooling Cheatsheets: An Infosec Survival Guide Resource DNS Triage Cheatsheet GraphRunner Cheatsheet Burp Suite Cheatsheet Impacket Cheatsheet Wireshark Cheatsheet Hashcat Cheatsheet EyeWitness Cheatsheet Nmap Cheatsheet Netcat (nc) Cheatsheet Hunt for Weak Spots in Your Wireless Network with Airodump-ng from the Aircrack-ng Suite Detecting ADCS Privilege Escalation Vulnerability Scanning with Nmap Getting Started with NetExec: Streamlining Network Discovery and Access How to Use Dirsearch Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 3: Arcanum Cyber Security Bot How to Design and Execute Effective Social Engineering Attacks by Phone Abusing S4U2Self for Active Directory Pivoting Why Use a Macro Pad? Espanso: Text Replacement, the Easy Way Caging Copilot: Lessons Learned in LLM Security Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 2: Copilot Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 1: Burpference Intercepting Traffic for Mobile Applications that Bypass the System Proxy How to Root Android Phones Communicating Security to the C-Suite: A Strategic Approach Offline Memory Forensics With Volatility Getting Started with AI Hacking: Part 1 Go-Spoof: A Tool for Cyber Deception How to Test Adversary-in-the-Middle Without Hacking Tools Canary in the Code: Alert()-ing on XSS Exploits How to Hack Wi-Fi with No Wi-Fi Why Your Org Needs a Penetration Test Program Burp Suite Extension: Copy For Light at the End of the Dark Web Wi-Fi Forge: Practice Wi-Fi Security Without Hardware Avoiding Dirty RAGs: Retrieval-Augmented Generation with Ollama and LangChain Gone Phishing: Installing GoPhish and Creating a Campaign 5 Things We Are Going to Continue to Ignore in 2025 John Strand’s 5 Phase Plan For Starting in Computer Security Questions From a Beginner Threat Hunter GRC for Security Managers: From Checklists to Influence AI Large Language Models and Supervised Fine Tuning Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan One Active Directory Account Can Be Your Best Early Warning Introduction to Zeek Log Analysis Indecent Exposure: Your Secrets are Showing Creating Burp Extensions: A Beginner’s Guide Pitting AI Against AI: Using PyRIT to Assess Large Language Models (LLMs) The Top Ten List of Why You Got Hacked This Year (2023/2024) ICS Hard Knocks: Mitigations to Scenarios Found in ICS/OT Backdoors & Breaches Intro to Data Analytics Using SQL Finding Access Control Vulnerabilities with Autorize The Detection Engineering Process Cyber Risk Lessons We Can Learn From Hurricane Preparedness Intro to Desktop Application Testing Methodology What Is Penetration Testing? Adversary in the Middle (AitM): Post-Exploitation Pentesting, Threat Hunting, and SOC: An Overview
Hacking with Hydra
BHIS · 2024-02-16 · via Black Hills Information Security, Inc.

John Malone is a penetration tester for Black Hills Information Security. He regularly performs external, internal, and social engineering-based assessments. His favorite tools are confidence and charisma.

What is Hydra?

Hydra is a tool that can be used for password spraying. Let’s begin by defining the term “password spray.” A password spray is where an attacker defines one password, such as “Winter2024” and tries it against a list of obtained usernames. If one of these accounts uses “Winter2024” as a password, then the attacker may be able to access that resource.

Password spraying and brute force attacks are commonly used by attackers who wish to access resources that are exposed on the internet or on internal networks. A good password spray will use passwords that are commonly used or that encompass traits that concern the organization or resource that you are attacking.

Moving forward in this article, we will explore applicable situations for performing a brute force attack and password sprays with Hydra. As always, make sure you have proper permission before performing password attacks against targets that you do not own.

Performing a Brute Force Attack

AI-generated image

For this step, we are going to look at performing a password spray against a vulnerable web application that is hosted on Try Hack Me, known as Mr. Robot CTF, which has a theme related to the TV show of the same name. While this will not serve as a full CTF walkthrough, the concept used here is sufficient enough to demonstrate a brute force attack in action and how it would work in a real-life setting.

During this exercise, the tester is required to perform a password-based attack to gain access.

In the below screenshot, we can observe that we have arrived at a WordPress login portal. Seeing how this is a website, we can use Hydra to password spray with HTTP POST requests.

WordPress Login Portal

To capture the request, we can simply open our browser’s developer console and then issue a simple username and password request, such as admin/admin, into the login form in the browser. Upon submitting, we are informed that our username is invalid. Additionally, our developer console can now be used to view the POST request along with the payload that was used to make it. The keen eye may also observe that the username is verbose in nature, which can allow us to make the assumption that username enumeration may be possible.

Invalid Username Error

Seeing how this is a Mr. Robot themed CTF box, we can test this by trying a variety of names from the Mr. Robot TV show.

  • angela
  • darlene
  • elliot
  • irving
  • joanna
  • robot
  • trenton
  • tyrell
  • whiterose

After submitting the credentials, our developer console now contains the following payload, which contains the log and pwd parameters that display our entered credentials:

log=admin&pwd=admin&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.192.106%2Fwp-admin%2F&testcookie=1
Developer Console Contains Request Payload

This payload can be inserted into a command with the following changes to instruct Hydra to perform username enumeration. The below command uses Hydra’s -L flag to specify our list of users, -p to use a chosen password, and the http-post-form switch to instruct Hydra to use our captured HTTP POST request. It should be noted that the http-post-form switch contains a value that is made up of:

  • the target page for spraying, which is necessary to complete our request.
  • the request itself, which consists of the payload from our developer console.
  • the error message that presents. This instructs Hydra to look for results that do not contain the “Invalid Username” error.
hydra -L users.txt -p admin 10.10.192.106 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.192.106%2Fwp-admin%2F&testcookie=1:Invalid Username"

This returns feedback from Hydra that shows that elliot returned an error that did not match “Invalid Username.” However, Hydra will claim that we have a match for the password. This is not true, however. We are likely receiving a different error than “Invalid Username.” We can visit the browser and try this manually to verify our findings.

Hydra Enumerates the elliot Username as Valid

Entering elliot into our browser reveals another verbose error, but this time it is a different one that concerns password validity.

Verbose Password Error

Now that we know that elliot is a valid user, we can perform a brute force attack against the account. This is done by substituting some switches in our below Hydra command. Notably, the -l switch is used to specify a user, and -P is used to specify our file containing passwords. Additionally, our error message is being changed to look for a response that does not contain the above error. Seeing how a true password match will fail to return an error at all, we can assume that this time we will not be receiving a false positive when a match is discovered.

hydra -l elliot -P passwords.txt 10.10.192.106 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.192.106%2Fwp-admin%2F&testcookie=1:The password you entered for the username"

Upon running this command, we observe that the username elliot is tested repeatedly against a variety of passwords. A positive hit is identified for ER28-0652!

Hydra Brute Forces the Password for elliot

Returning to our login page and entering the password results in us being taken into the webserver’s administrative console. From here, we could examine the version of WordPress and look for vulnerabilities that could allow us to obtain a shell on the system. This is outside the scope of this article though, so we will not be covering it here.

Access Granted!

Performing a Password Spray

AI-generated image

We now have a valid password for elliot. While not an official part of the Mr. Robot CTF challenge on TryHackMe, BHIS created a secondary machine with a similar theme.

Before we progress further, I want to share a best practice for penetration testing that you should strongly consider while performing authorized testing activity or while working on CTFs or a certification. Whenever you obtain a credential or password hash, it never hurts to attempt to use that credential elsewhere 😉. You never know when something just might be a default password or when a user may be reusing the same password across multiple resources. IN SHORT, ALWAYS TRY CREDS EVERYWHERE.

Performing an Nmap scan on the host located at 192.168.80.134, we observe that an SSH port is open.

nmap -Pn -T4 -sV 192.168.80.134
Nmap Discovers Open SSH Port

Performing another Nmap scan with the below command, we are able to observe that the SSH server supports password-based authentication, which will allow us to perform password sprays and brute force attacks with Hydra.

nmap -Pn -T4 -sV --script=ssh-auth-methods.nse 192.168.80.134
SSH Server Supports Password-Based Authentication

Performing a password spray is very similar to performing a brute force attack (except that it is the complete opposite). Instead of testing many passwords against one username, we are testing one password against many usernames.

We can then use the below Hydra command to password spray the list of users we created with the password ER28-0652.

hydra -L users.txt -p ER28-0652 -V ssh://192.168.80.134

This time, we can see that we receive another positive hit for elliot, which tells us that Elliot has been reusing his password across his accounts.

Hydra Performs a Successful Password Spray

We can then perform another password spray with a simpler password, such as “robot.” This time, we observe that multiple accounts are accessed. This suggests that “robot” is a default password for new users.

Multiple Accounts Use Same Password

After finding these credentials, we can log in on an account of our choice.

ssh [email protected]
Access Gained through SSH

On an actual penetration test, this would be an excellent time to perform additional enumeration on the computer’s subnet and to begin looking for privilege escalation and persistence vectors.

Best Practices for Spraying

AI-generated image

Now that we have the demonstration out of the way, let’s briefly touch base on how to find good passwords for spraying. When you are going to password spray, it is best to try and use passwords that are simple in nature and that could be reasonably picked by an unassuming victim. This includes passwords that contain:

  • Simple terms such as “password” “welcome” and “letmein”, which may or may not include leet speak substitutions (password vs passw0rd).
  • The names of seasons – Winter, Spring, Summer, Fall or Autumn
  • The current year or previous year – that being 2023 or 2024 at the time of this article.
  • The name of the state where the organization is headquartered.
  • The name of the organization.
  • Political figures, such as President Trump and President Biden.
  • That use or omit a special character at the end. Using an exclamation point is always a safe bet.

Let’s put a few of these bullets together and come up with a list of passwords to use for password spraying a pretend school based in Illinois that has a peacock as its mascot.

  • PretendSchool2023!
  • Winter2024!
  • Password123!
  • Illinois2024!
  • Peacock2024!
  • Welcome2023
  • Trump2024!
  • Biden2024!
  • Letmein123
  • passw0rd

Always try and use passwords that are associated with the organization or service that you are spraying. These are much more likely to provide results than something like 2349823h9fhu234r$#$$$2SASQUATCH. Lastly, if you’re looking for a solid collection of wordlists, I strongly recommend the SecList collection (https://github.com/danielmiessler/SecLists).

Closing Statements

Password-based attacks are a common attack vector in the wild and are evidence of why multi-factor authentication should be used to protect user resources. Hydra and tools like it are crafted to attack passwords and can be used to gain access to systems where a password is properly guessed. Practicing good password security and using multi-factor authentication is essential, as that will greatly reduce the likelihood of an attacker being able to successfully breach an account.

Happy hacking, and stay safe and legal out there.



Ready to learn more?

Level up your skills with affordable classes from Antisyphon!

Pay-What-You-Can Training

Available live/virtual and on-demand