Hydra is a brute-forcing tool used primarily for password cracking. It supports multiple services and can perform fast dictionary attacks against site and system credentials using pre-defined wordlists, such as lists of default or common passwords.
<aside>
💡 Hydra can be installed from the command line with the following:
sudo apt update && sudo apt install hydra
</aside>
While it has multiple potential uses, this is the syntax we are going to use most of the time:
hydra -l root -P /Documents/SecLists/Passwords/Common-Credentials/10k-most-common.txt ssh://10.0.2.10:22 -t 4 -V
This tells Hydra to attempt logins as the user root (-l root), trying each password in the 10k-most-common list (-P), against the SSH service on port 22 of our target, limited to 4 parallel tasks (-t 4) and with more verbose output that shows each attempt (-V).
This is a useful tool, but it's worth considering the noise this approach generates, as well as the fact that there are often better approaches than a brute-force effort.
That's not to say brute-forcing does not have its place; human nature being what it is, default and common passwords are still among the most common weak points in a security chain.
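To make the "noise" concrete from the defender's side, here is an added example (not part of the original notes) that flags a source IP producing a burst of failed SSH logins in sshd log lines. The log lines, the attacker address 10.0.2.15, the threshold, the window and the `year` parameter are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from a real system).
# 10.0.2.15 is an assumed attacking host; 10.0.2.30 is a user who mistyped once.
SAMPLE_LOG = """\
Mar  3 10:15:01 target sshd[2101]: Failed password for root from 10.0.2.15 port 40112 ssh2
Mar  3 10:15:01 target sshd[2102]: Failed password for root from 10.0.2.15 port 40114 ssh2
Mar  3 10:15:01 target sshd[2103]: Failed password for root from 10.0.2.15 port 40116 ssh2
Mar  3 10:15:01 target sshd[2104]: Failed password for root from 10.0.2.15 port 40118 ssh2
Mar  3 10:15:02 target sshd[2105]: Failed password for root from 10.0.2.15 port 40120 ssh2
Mar  3 10:15:03 target sshd[2106]: Failed password for root from 10.0.2.15 port 40122 ssh2
Mar  3 10:20:11 target sshd[2110]: Failed password for alice from 10.0.2.30 port 51000 ssh2
Mar  3 10:20:19 target sshd[2111]: Accepted password for alice from 10.0.2.30 port 51002 ssh2
"""

# Captures the syslog timestamp and the source IP of each failed password attempt.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return {source_ip: peak failures inside any window} for noisy sources."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # Syslog timestamps carry no year, so one is assumed.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            by_src[m.group(2)].append(ts)
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[src] = best
    return alerts

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

Even with the task count limited to 4, a 10,000-entry wordlist leaves thousands of such failures from a single address, which is what rate-limiting and lockout controls key on.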