What are THC Hydra and Xhydra?
THC Hydra is a password cracking utility that comes pre-installed in Kali Linux. Xhydra is a version of the same password cracking tool, but with a graphical user interface, which is more convenient for beginners.
Unlike John the Ripper, it is a standalone tool for password cracking.
Types of attacks that THC Hydra can perform:
Parallel dictionary attacks (16 threads are used by default, but can be increased as needed)
Brute force/hybrid attacks for password cracking
The ability to add wordlists and default passwords for cracking
Attack process management - detection with IPS (Intrusion Prevention System)
Parallel attack on different servers simultaneously
Cracking passwords with THC Hydra
Finding the target
To crack the target system, you first need to find open ports on the system. So, let's conduct an nmap scan to find open ports and services on the target system.
To do this, enter the following
nmap -T4 -F 192.168.182.138
Make sure you replace the IP address with your target IP address. As you can see, you will get a list of all the services running on the system. In our case, we will "crack" the ssh service on port 22, as shown below. Note that you need the service name, port, and target IP address for this attack to work.
Setting up Xhydra
Enter "xhydra" in the Kali Linux terminal. A version of Hydra with a graphical interface will open, as shown in the figure.
Now you need to fill in the following settings on each panel
On the target panel, select the target as well as the service and port number you want to crack.
On the password panel, select a list of usernames and passwords to crack. Be sure to select the last 3 options. These are possible options: login as password, empty password, and reverse login.
The setup panel is used to control the number of attempts and the use of proxies during the attack. For example, you can be anonymous using a proxy.
The starting panel is used to start and stop the attack.
Filling in information
Now you need to fill in all the panels in step 2 with the information we gathered in step 1. After the necessary information has been filled in, the panels will look like this:
Target panel
Password panel
Setup panel
Starting the attack
After you have completed step 3, you can start the attack to crack the SSH service on the server.
Click "Start" and the attack will begin. As you can see, the Linux server was easily hacked and the passwords are displayed below
Now, using the same method, you can crack many other protocols. Just replace the protocol you want to hack.
Using the server with the credentials
Now that you have the login and password for the SSH server, let's log into the hacked server and see what we can do.
To log into the exploited system, enter the following command in the Kali Linux terminal
ssh 192.168.182.138 -l msfadmin
Replace the IP address and username with those you found in step 4.
To get more information about ssh, simply enter
ssh -h
Now that you have successfully logged into the system, you will see something like this.
You have successfully hacked the server running SSH.
THC Hydra is a password cracking utility that comes pre-installed in Kali Linux. Xhydra is a version of the same password cracking tool, but with a graphical user interface, which is more convenient for beginners.
Unlike John the Ripper, it is a standalone tool for password cracking.
Types of attacks that THC Hydra can perform:
Parallel dictionary attacks (16 threads are used by default, but can be increased as needed)
Brute force/hybrid attacks for password cracking
The ability to add wordlists and default passwords for cracking
Attack process management - detection with IPS (Intrusion Prevention System)
Parallel attack on different servers simultaneously
Cracking passwords with THC Hydra
Finding the target
To crack the target system, you first need to find open ports on the system. So, let's conduct an nmap scan to find open ports and services on the target system.
To do this, enter the following
nmap -T4 -F 192.168.182.138
Make sure you replace the IP address with your target IP address. As you can see, you will get a list of all the services running on the system. In our case, we will "crack" the ssh service on port 22, as shown below. Note that you need the service name, port, and target IP address for this attack to work.
Setting up Xhydra
Enter "xhydra" in the Kali Linux terminal. A version of Hydra with a graphical interface will open, as shown in the figure.
Now you need to fill in the following settings on each panel
On the target panel, select the target as well as the service and port number you want to crack.
On the password panel, select a list of usernames and passwords to crack. Be sure to select the last 3 options. These are possible options: login as password, empty password, and reverse login.
The setup panel is used to control the number of attempts and the use of proxies during the attack. For example, you can be anonymous using a proxy.
The starting panel is used to start and stop the attack.
Filling in information
Now you need to fill in all the panels in step 2 with the information we gathered in step 1. After the necessary information has been filled in, the panels will look like this:
Target panel
Password panel
Setup panel
Starting the attack
After you have completed step 3, you can start the attack to crack the SSH service on the server.
Click "Start" and the attack will begin. As you can see, the Linux server was easily hacked and the passwords are displayed below
Now, using the same method, you can crack many other protocols. Just replace the protocol you want to hack.
Using the server with the credentials
Now that you have the login and password for the SSH server, let's log into the hacked server and see what we can do.
To log into the exploited system, enter the following command in the Kali Linux terminal
ssh 192.168.182.138 -l msfadmin
Replace the IP address and username with those you found in step 4.
To get more information about ssh, simply enter
ssh -h
Now that you have successfully logged into the system, you will see something like this.
You have successfully hacked the server running SSH.