Using Hydra

author: Nathan Acks
date: 2022-04-03

Hydra can actually brute-force remote services, though I have some skepticism about how useful this is in practice.

hydra -t 4 -l $USER_NAME -P $WORDLIST \

Here $SERVICE is “ssh”, “ftp”, etc. Note that “http” is not used directly; instead use “http-get”, “http-put”, etc.


Attacking API Endpoints Using JSON

Hydra can be used to attack API endpoints that accept JSON (though apparently there can be some problems with the headers that are passed along):

hydra -vV -f -l $USERNAME -P $PASSWORDLIST \
	$HOST http-post-form \
	$ENDPOINT:"$TEMPLATE":F="$INVALID":H="Content-Type\: application/json"

The $TEMPLATE is basically the JSON request body with the special placeholders ^USER^ and ^PASS^ (colons escaped). $INVALID is a string that will appear for login failures (note that this string cannot contain a colon, but fortunately is a substring match). The H parameter at the end allows us to override specific headers (necessary because otherwise Hydra sends a Content-Type of application/x-www-form-urlencoded).