How does Hydra work?

A common approach and the approach used by Hydra and many other similar pentesting tools and programs are referred to as Brute Force. I plan to write a ‘Brute Force Hacking’ post in 2020 but since this post is all about Hydra let’s place the brute-force attack concept within this password-guessing tool.👍👍👍

Brute force just means that the program launches a relentless barrage of passwords at login to guess the password. As we know, the majority of users have weak passwords and all too often they are easily guessed. A little bit of social engineering and the chances of finding the correct password for a user are multiplied.

Most people (especially those non-IT savvy, will base their ‘secret’ passwords on words and nouns that they will not easily forget. These words are common: loved ones, children’s names, street addresses, favorite football team, place of birth, etc.

Hydra supports the following protocols:

• Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP,
• HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST,
• HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD,
• HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP,
• Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP,Rexec,
• Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3,SOCKS5,
• SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

git clone https://github.com/vanhauser-thc/thc-hydra
$ cd thc-hydra/
$ ./configure
$ make
$ make install