A Deep Dive into Hydra: The Powerful, Parallelized Network Logon Cracker

Hydra, officially known as thc-hydra, stands out in security research and penetration testing as a robust, proof-of-concept tool designed to highlight the persistent vulnerability posed by weak passwords. Authored primarily by van Hauser / THC, with contributions from David Maciejak and BFG code by Jan Dlabal, Hydra offers security consultants and researchers the capability to demonstrate how easily unauthorized access might be gained remotely to a system.

It is critical to note that the creators explicitly state this tool is for legal purposes only. Licensed under AGPLv3, the authors express a wish that Hydra not be used by military or secret service organizations or for illegal activities.

Key Features and Parallelized Power

What distinguishes Hydra from other available login hacking tools is its capacity for parallelized connects and its comprehensive support for a vast number of protocols. This parallelization feature is key to its performance, making it a very fast password cracker. Users can leverage the task option (-t) to experiment and optimize attack speed, keeping in mind that while higher tasks generally mean faster results, setting it too high may disable the service being targeted.

According to timing statistics provided by the authors, speed depends heavily on the protocol, with POP3 and FTP generally yielding the fastest results. For instance, tests run against a SuSE Linux 7.2 environment showed that while FTP took 45:54 minutes with 1 task, it dropped to just 0:32 minutes with 128 parallel tasks.

Extensive Protocol Support

Hydra boasts support for an extensive range of network services. Currently supported protocols include:

• Database & Core Services: MYSQL, MS-SQL, POSTGRES, Firebird, Oracle (Listener, SID, Oracle), LDAP, MEMCACHED, MONGODB.
• Remote Access & Control: SSH (v1 and v2), SSHKEY, Telnet, RDP, Rexec, Rlogin, Rsh, PC-Anywhere, Radmin, VNC.
• Web & Proxies: HTTP/HTTPS (including FORM-GET, FORM-POST, GET, HEAD, POST), and HTTP-PROXY.
• Messaging & Mail: SMTP (and Enum), POP3, IMAP, IRC, ICQ, XMPP, Teamspeak (TS2).
• Networking & File Sharing: FTP, SMB, SOCKS5, NNTP, AFP, CVS, Subversion, NCP, SNMP v1+v2+v3, Cisco AAA/auth/enable, RTSP, VMware-Auth, SIP, and various specialized modules like SAP/R3 and Asterisk.

The architecture is designed to allow easy development of new modules, and contributions are highly encouraged.

Platform and Installation

Hydra is widely supported and tested to compile cleanly across multiple operating systems, including Linux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10), and MacOS.

Supported Platforms:

• All UNIX platforms (Linux, *BSD, Solaris, etc.).
• MacOS (described as a BSD clone).
• Windows using Cygwin (supporting both IPv4 and IPv6).
• Mobile systems based on Linux, MacOS, or QNX (e.g., Android, iPhone, Blackberry 10).

For instant access, the most current development state can be directly pulled via Docker: docker pull vanhauser/hydra.

For those compiling from source, the standard procedure is ./configure, make, and make install. On systems like Ubuntu/Debian, several supplementary libraries are necessary to enable all optional modules, such as libssl-dev, libssh-dev, libpq-dev, and libgtk2.0-dev.

Usage Syntax and Target Specification

Hydra offers both a command-line interface and a GTK GUI for Linux users, accessible via ./xhydra.

Specifying Targets

Targets can be defined in three ways:

1. Single Target: IP or DNS address directly on the command line.
2. Network Range: Using CIDR notation, such as "192.168.0.0/24".
3. Target List: A text file containing one host per line, using the old syntax mode.

Hydra operates primarily with IPv4, but to attack IPv6 addresses, the -6 command-line option must be added. When specifying IPv6 addresses, they must be enclosed in brackets [ ] on the command line or within the targets file.

Command-Line Modes

Hydra supports two command line syntaxes:

1. New :// Style: hydra [options] PROTOCOL://TARGET:PORT/MODULE-OPTIONS.
2. Old Mode: hydra [options] [-s PORT] TARGET PROTOCOL [MODULE-OPTIONS]. This mode is required if targets are specified via a text file.

Protocol is the service being attacked (e.g., ftp, http-get), and if no port is supplied, Hydra uses the default common port for that protocol.

Login and Password Attack Modes

Hydra provides comprehensive options for defining attack credentials.

Option	Functionality	Example Usage
-l	Specify a single login.	hydra -l admin -p password ftp://localhost/
-p	Specify a single password.	hydra -l admin -p password ftp://localhost/
-L	Supply a file of logins.	hydra -L logins.txt -P passwords.txt ftp://localhost/
-P	Supply a file of passwords.	hydra -L logins.txt -P passwords.txt ftp://localhost/
-C	Use a colon-separated file of login:password pairs. Cannot be used with -l/-L/-p/-P.	hydra -C default_accounts.txt ftp://localhost/
-x	Brute-force mode based on character sets and length. Cannot be used with -p/-P/-C.	hydra -l ftp -x 3:3:a ftp://localhost/ (Length 3, lowercase letters)

The brute-force mode (-x) uses a format of minimum_length:maximum_length:charset. Character sets include a (lowercase), A (uppercase), and 1 (numbers).

Additionally, the -e option allows for trying special password variations based on the login:

• s: Try the login as the password.
• n: Try an empty password.
• r: Reverse the login and try it as the password.

Advanced Functionality and Output

Working with Proxies

Hydra allows scanning and cracking sessions to be routed through proxies using environment variables.

• For HTTP services only, the HYDRA_PROXY_HTTP variable is used. This supports standard URL formats, including those with embedded login/password credentials, or specifying a text file containing up to 64 proxies.
• For all other services, the HYDRA_PROXY variable is used. This variable supports connect, socks4, or socks5 protocols.

Session Restoration

If Hydra is aborted (via Control-C), killed, or crashes, it automatically saves critical session information in a file called hydra.restore. This file is updated every five minutes and allows the session to be restored. However, it is important to note that the hydra.restore file is platform-specific and cannot be copied between different platforms (e.g., Solaris to AIX).

Optimization Hints

To enhance the speed and efficiency of attacks, the sources suggest several key practices:

• Sort password files by likelihood and use the -u option.
• Use uniq to clean dictionary files: cat words.txt | sort | uniq > dictionary.txt.
• If the target system enforces a password policy (e.g., minimum length or required character types), use the companion tool, pw-inspector, to filter the password list accordingly.

Results Output

By default, results are output to standard I/O. Using the -o option, results can be written to a file, and the format can be controlled via the -b option.

Supported output formats are:

• text (plain text).
• jsonv1.
• json (the latest schema, currently version 1).

When using JSON output, the schema provides detailed fields, including errormessages, generator details (software version, command line used), and the success parameter. Note that the success parameter indicates if Hydra ran correctly without error, not if passwords were successfully detected. The number of username+password combinations discovered is shown in the quantityfound field.

Community and Codebase

Hydra is hosted publicly on GitHub under the repository vanhauser-thc/thc-hydra. The repository is a popular project, boasting 10.9k stars and 2.3k forks. The codebase is predominantly written in C (94.5%), with smaller amounts of Makefile (2.5%) and Shell script (2.2%). Those interested in contributing or reporting bugs are encouraged to email the authors, optionally using PGP encryption.