Ethical Hacking Series: 6.OWASP Exercises- Dictionary Attack using Hydra

Share At:

Top 9 Cybersecurity Threats and Vulnerabilities - Compuquip


Attackers constantly try to crack the passwords of other people in order to gain access to their accounts. The dictionaryattack is one of the most common ways of attempting to crack a user’s password. The attack works by attempting to use all of the words in a given dictionary file as the password for the user. If the user’s password is in the dictionary used in the attack, the attacker is able to gain access. Hydra is a well-known tool for performing dictionary attacks.

In this lab, you will use Hydra to perform a dictionary attack on a locally hosted website.

Learning Objectives

Upon completion of this lab you will be able to:

  • Set up Hydra to perform a dictionary attack on a website

Intended Audience

This lab is intended for:

  • Individuals who want to learn how to defend against dictionary attacks on websites
  • Security engineers who want to understand the security level of the passwords they are using inside their company
  • Individuals who want to understand how a dictionary attack is performed

Load the Virtual Machines (Kali & Hydra)


In this lab step, you will load the two virtual machines you will need in the lab. You will open a Kali Linux VM and a Hydra VM.

  1. Start up the Kali VM by double-clicking on it in the list and press “Start” in the window that will appear:
  1. You should now be presented with the desktop:
  1.  Go back to the Hyper-V Manager and make sure the Hydra VM is in Running state:

Conduct the Dictionary Attack


In this lab step, you will use Hydra to perform a dictionary attack on a website to retrieve the administrator’s password and login.


1. In the Kali VM launch the Firefox browser:

2. Navigate to the Hydra VM‘s IP address:
  1. If you click the link on the page, it will prompt you for a username and password:

The hint on the webpage informs you that the username is admin, but it doesn’t give away the password. You will use Hydra to try to brute-force the password.

  1. Open the terminal window and type:
hydra -l admin -P /usr/share/wordlists/rockyou.txt.gz -V http-get “/secure”

The /usr/share/wordlists/rockyou.txt.gz file is the dictionary used for this attack. Leave Hydra to run for a few minutes and record the cracked password.

Warning: The command will output a few errors, don't pay attention to them, they don't compromise the result of the lab.

5. Return to the Firefox browser and try the credentials you have discovered to see if you can now log in:

In this lab step, you have cracked the website password using a dictionary attack.

Happy Learning !!

Share At:
0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
Back To Top

Contact Us