How to hack web services with Xhydra – Hacking SSH server
If you wanted to know how to crack the passwords of websites by using a tool like Hydra, this tutorial is perfect for you. Today we will show you how to use Xhydra the GUI version of hydra and crack passwords for websites and services such as ssh that are online with an online password cracking tool.
What exactly are THC hydra and Xhydra?
THC Hydra is the best option for brute force attacks on any website or online service you want to attack. Luckily for us, it is preinstalled in Kali Linux, so you do not have to worry about installing it. Xhydra is the GUI version of the same password cracking tool. This is beginner-friendly, and I will show you exactly how to use it
Unlike John the ripper is an offline password cracking tool. Hydra can also crack passwords and logins of websites as well as services on the internet. For this tutorial, we will be using xhydra to hack ssh passwords for my demo target.
Type of Attacks THC Hydra can do :
- Parallel dictionary attacks (16 threads by default can be increased as needed)
- Brute force/Hybrid attacks for cracking passwords
- Check for null, reversed, same as username passwords.
- Ability to add wordlists and default passwords for cracking
- Manipulate the process of attack- prevent detection- by IPS (Intrusion Prevention System)
- Parallel attack of different servers at the same time
Must read: How to hack routers with routersploit
Cracking Online Passwords using THC Hydra
Step 1: Scanning for the target
To hack the target system, we first need to find open ports on the system. So let’s do a nmap scan to find the open ports and services on the target system.
To do this type the following
nmap -T4 -F 192.168.182.138
Make sure you replace the IP address with your target IP Address. As you can see, you will get a list of all running services on the system. In my case, I will crack the ssh service on port 22, as shown below. Do note you need the service name, port, and IP address of the target for this attack to work.
Step 2: Setting up Xhydra
Let’s start by opening Xhydra
Type xhydra in the Kali Linux terminal. And the GUI version of hydra will be opened as shown.
Now you need to fill the following settings on each panel:
On target panel: Select your target, and the service and port number you want to hack.
On password panel: Select the username and password list for hacking. Make sure to select the last 3 options. You won’t believe how many people keep the default settings. The options are login as password, empty password, and reverse login.
Tuning panel: This panel is for controlling the number of attempts and using proxies while hacking. As you can guess, you can be very stealthy bu using a proxy.
Start panel: The start panel is used to start and stop the attack. Kind of obvious, I know.
Step 3: Filling the information
Now you need to fill all the panels in step 2 with the relevant information we collected in step 1. After that, we need to make sure that all the settings are as per our desires as well.
So once the information is filled the panels will look like this:
Step 4: Start the attack
Once you have done step 3, you can now start the attack for hacking SSH service on the server.
Click start, and the attack will begin. As you can see my Linux server was easily hacked and the passwords are shown below:
This is how easy it is to hack servers these days. Now with the same method, you can hack many of the other protocols. Just replace the protocol you want to hack with the correct information. You can learn more about the supported protocols in the what more can I hack with xhydra section.
Step 5: Exploit the server with the credentials
Congratulations, you now have the ssh username and password of the target server. So lets login to the hacked server and see what we can do.
To login to the exploited system type the following command in the Kali Linux terminal:
ssh 192.168.182.138 -l msfadmin
Here replace IP Address and username with the ones you find in step 4
For more info regarding ssh just type
in the kali terminal for more info regarding parameters to pass.
Now once you successfully log in, you will see something similar to this.
Congratulations, you have successfully hacked a server running SSH with hydra.
Don`t Miss: How to hack windows with Fatrat
What more can I hack with Xhydra?
It can perform fast and calculated dictionary attacks against more than 50 protocols, which are most commonly used on the internet. Some of the popular protocols supported by THC Hydra are:
Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MongoDB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
If you just realized the power of this tool, you are not alone. It can basically hack all these services provided one of the following conditions are met:
- The services are not properly configured
- The service has a weak password.
- The password is present in the dictionary or wordlist
- Password is plain text
- There is no limit to login attempts on the service
Commonly asked questions about hacking with Hydra.
Q1. Can Hydra hack any server password?
Technically speaking, yes, it can be provided you meet all of its requirements. For example, if the password is complicated but is present in the wordlist dictionary you use, then it can easily be hacked. There is no such perfect hacking tool that can hack anything.
Q2. Is this tool free to use?
Yes, this version is free to use. There are no limitations as such.
Q.3 Can you use this tool online?
Yes, this is an online password cracking tool. It can perform online password cracking attacks with ease.
I hope you had fun hacking servers with hydra. If you have any questions about Hydra, do mention them in the comment section. Do note is an online password cracking tool. I hope you liked the article share and donate to support the site. Happy Hacking.
How can I make XHydra uses GPU power to crack ?