Master parallelized login cracking for numerous protocols.
getbetterat.work
Tool Deep Dive
How Computers Guess Passwords.
Hydra is a famous computer program. Its main job is to try thousands of passwords in seconds to see
which one works. Let us learn how it works, what it looks for, and how to stop it completely.
What is Hydra?
Imagine a robot standing in front of a locked door. Instead of trying to pick the lock, the
robot has a massive bucket filled with millions of keys. It tries every single key, one after
the other, very fast.
Hydra is that robot, but for computers. It is a tool that tests passwords on login screens. If a
password works, Hydra yells, "I found it!" and reports it to the person running the tool, who can then log in.
Brute Force
"Brute Force" means using pure power instead of being clever.
When Hydra uses a Brute Force attack, it does not know your password. It simply guesses
every possible mix of letters and numbers. It tries "A", then "B", all the way to
"ZZZZ9999". It takes a long time, but computers never get tired.
The Dictionary Attack
Brute force takes too long. So, instead of guessing random letters, Hydra often uses a
"Dictionary". This is a long text file filled with the most common passwords humans use. It
tries the most obvious guesses first.
TRYING COMMON_WORDS.TXT...
[FAIL] password123
[FAIL] admin
[FAIL] qwerty
[FAIL] letmein
[SUCCESS] ilovedogs99
The Factory Mistake
When you buy a new internet router or a security camera, it comes with a password from the
factory. Usually, the username is admin and the password is admin or
password.
Many people never change these! Hydra has a special list of these "factory defaults" and tries
them first. It works more often than you think.
The Password Scrambler (Hashes)
Smart computer systems do not save your real password. If your password is "Apple", they put
"Apple" through a math blender. It comes out looking like x9K2pQ8. This is
called a Hash.
When you type "Apple" to log in, the computer blends it again and checks if it matches
x9K2pQ8. If bad guys steal the computer's list, they only get the scrambled
mess, not your real password.
APPLE → x9K2pQ8zL1...
Why is it so fast?
Hydra does something called a Parallel Attack. Imagine you have 10 friends.
Instead of you trying 10 keys alone, you give 1 key to each friend. Now, 10 keys are being
tested at the exact same time. Hydra can test hundreds of passwords at once.
5 GUESSES HAPPENING AT ONCE
The Giant Cheat Sheet
Remember the "blender" we talked about earlier? Sometimes attackers use giant text files called
Rainbow Tables. These are massive cheat sheets where someone has already put
every word in the dictionary into the blender and written down the results. This makes finding a
password incredibly fast, without having to do the math every time.
It does not look like a movie. It is just boring text running very fast.
The Doors It Can Open
In the computer world, there are many different types of "doors" or login screens. Hydra is
flexible because it knows how to knock on almost all of them. These doors are called
Protocols.
SSH: Used to control big server computers from far away.
FTP: Used to send, receive, and store files.
HTTP: Used for regular website login screens.
The Computer's Memory (Logs)
Computers are excellent note-takers. Every time someone tries to open a door and fails, the
computer writes it down in a notebook called a Log File.
If a security worker looks at the notebook and sees 5,000 failed attempts in one minute, they
instantly know a tool like Hydra is attacking them. It is very loud and leaves a massive trail
of evidence.
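The notebook check described above can be automated. This added example (not part of the original page) counts failed SSH logins per source address in a sliding one-minute window. The OpenSSH-style log line format, the threshold of 5, the assumed year and the sample lines are all assumptions made for the illustration, and the lines are expected in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH-style failure line (assumed format). Syslog timestamps carry no year.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_guessing_sources(lines, threshold=5, window=timedelta(minutes=1), year=2024):
    """Return {ip: peak failures inside any one window} for sources at or over threshold."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    peak = defaultdict(int)      # ip -> highest count seen in any window
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue             # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] >= window:   # drop failures that have aged out of the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

# Constructed sample log (documentation-range IPs), not taken from a real system:
# one source failing once per second, and one person mistyping twice, minutes apart.
SAMPLE = [
    f"Mar 12 10:15:{s:02d} web1 sshd[4021]: Failed password for invalid user admin "
    f"from 203.0.113.7 port {50000 + s} ssh2"
    for s in range(8)
] + [
    "Mar 12 10:16:30 web1 sshd[4100]: Failed password for alice from 198.51.100.20 port 40112 ssh2",
    "Mar 12 10:21:45 web1 sshd[4100]: Failed password for alice from 198.51.100.20 port 40112 ssh2",
    "Mar 12 10:22:02 web1 sshd[4100]: Accepted password for alice from 198.51.100.20 port 40112 ssh2",
]

if __name__ == "__main__":
    for ip, n in find_guessing_sources(SAMPLE).items():
        print(f"{ip}: {n} failed logins within one minute")
```

The person who mistyped twice stays under the threshold because the two failures are more than a minute apart, so only the rapid-fire source is reported.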
Why Do They Want In?
Once a tool like Hydra finds a password, the attacker can do bad things. They might read private
emails, lock the computer and demand money (Ransomware), or use that computer to send spam
messages to thousands of other people.
How Security Teams Use It
If this tool breaks into things, why do we like it? Good guys (Security Professionals) use Hydra
on their own systems on purpose. They want to see if their workers are using weak passwords. If
Hydra can break in easily, the security team knows they need to fix the door before a real bad
guy finds it.
How To Defend