xHydra

xHydra is a GUI frontend for the password cracker Hydra. Hydra can be used for both offline and online password cracking, and it supports many protocols for online attacks, including MySQL, SMB, MSSQL, and many kinds of HTTP/HTTPS logins, to name just a few.

We are going to use xHydra to attack a running MySQL service on a machine that hosts a Wordpress site. Since the machine is running a Wordpress site and a MySQL service, it is an easy guess that the database login's user name is wordpress, the default admin account. By default, MySQL doesn't block brute-force attacks, so we know we stand a good chance with this attack.

To start xHydra in Kali Version 1.x, you go to Applications | Kali Linux | Password Attacks | Online Attacks | hydra-gtk. The hydra-gtk will start xHydra:

(Screenshot: xHydra)

In Kali Version 2.0, xHydra is not in the menu structure at all, though it is available from the command line. As you may remember, in Kali, as in any other Linux distribution, you can either open a terminal and type your command at the prompt, or you can open a command dialog by hitting ALT + F2. In the two images that follow, we show how to find xHydra (# locate xhydra), how to launch it from a command line in the terminal with just the name xhydra, and how it looks when you invoke a command from the ALT + F2 keyboard shortcut:

(Screenshot: xHydra)

Tip

Hacker Hint

You type in the command you want to run, and hit Enter to run it. The Close button will just cancel your action and bring you back to the desktop.

You can also open xhydra from the command line, by typing the following:

 xhydra &

The ampersand (&) tells the bash shell to run the application in the background, which gives you back the command prompt. If you do not add the ampersand, your terminal window is tied up until you finish using xHydra:

(Screenshot: xHydra)

When xHydra is opened, we get the following window. The first tab, Target, is for setting the targets and protocols for the attack. You can attack a single IP address, or a target list of hosts from a text file. The Protocol field is where you pick the protocol. Note that at the bottom of the window is the command-line string that would be used if running the attack from the command line. This is a helpful way to learn the command-line options and how they work:

(Screenshot: xHydra)

We are attacking a single host, so we add the IP address, set the port to 3306, the default MySQL service port, and pick MySQL for the protocol.

Notice there are several useful options in the options section of this window. If SSL were enabled on the MySQL server, you would place a check in the box for SSL. This would also be checked for any other service using SSL, such as SSMTP, SIMAP, or SLDAP. The Be Verbose checkbox will give you more detailed output while running. Show Attempts will show you the actual passwords being tried against the system. This is interesting to watch but produces a lot of output:

(Screenshot: xHydra)

Click on the Password tab to set up the password part of the attack. Here we add the user root, pick the Generate radio button, and change the field to 1:8:a. In the fields at the bottom, you might want to check Try login as password and Try empty password.

In the Generate field we have added 1:8:a; this tells Hydra to run passwords from one to eight characters. The lower-case a tells Hydra to use lower-case letters only. If we add the string 1:8:aA1% ., this will generate passwords from one to eight characters, including upper- and lower-case letters, numbers, the percent sign, spaces (yes, there is a space between the % and the dot) and dots. Mix and match from here.

Here again, you will find the check box for Try login as password, which tries the login name as the password as well, like admin:admin, and the check box for blank passwords. You will also find here a check box for reversing the login name, such as trying nimda as the password for the admin login:

(Screenshot: xHydra)

Set up the Tuning tab next:

  • Since we are attacking one host, turn down the number of tasks to 10
  • Since the host is on the same network, turn down the timeout value to 10
  • Since this is one host and the attack is using one username, check the box to Exit after first pair found.

You will find later that the number of tasks set may be higher than the number actually running. We have set it to 8, but later we will see that the number of running tasks is 4. Four running threads is all the server will handle, so that's all we get. The number of running threads can change as the load on the Kali attack workstation changes, so it is best to set it higher than the running load. Be aware that setting it too far above the number of tasks the target actually sustains, for example, setting it to 16, will cause the application to hang. This number may also be higher or lower depending on the type of service being attacked:

(Screenshot: xHydra)

The Specific tab for the MySQL attack will stay with the defaults:

(Screenshot: xHydra)

Now we are ready to click on the Start tab, and we see we are running four threads against that one server. This might take a while:

(Screenshot: xHydra)

Tip

Hacker Hint

Please notice that the authors of the software, like the writers of this book, ask that you don't use these tools or this information for military, secret service, or illegal purposes. Remember to use your Jedi powers only for good.

Hmmm. We still have 217,180,146,596 password combinations to try, and an estimated time of 199,661,463 days and 22 hours. It may be time to get a beefier Kali workstation. This is going to take a while. Maybe a 546,659-year vacation is the best decision for the evil hackers.

Luckily, the estimate is high. Below, we see that our test has now run for 70 hours and 39 minutes without cracking a password of 5 characters in length. During this time, the run has attempted 75,754 passwords, leaving 12,280,876 to go, with an estimated run time of 11,454 days and 13 hours. So, for the benefit of the book, we are stopping the test here, with an estimated 32 years left:
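The keyspace figures in the Generate section and in the Start-tab screenshots can be reproduced from Hydra's MIN:MAX:CHARSET syntax. The following calculator is an added example, not code from the book or from the Hydra project; it assumes the charset shorthand described above (a, A, 1, anything else literal) and is the sort of estimate a defender uses to judge how long a lockout threshold or rate limit has to hold.

```python
"""Keyspace calculator for Hydra's Generate (-x MIN:MAX:CHARSET) syntax.

Added example, not from the book or the Hydra project. Charset shorthand
as the book describes it: a = lower case, A = upper case, 1 = digits;
every other character is taken literally.
"""
import string

_SHORTHAND = {
    "a": string.ascii_lowercase,
    "A": string.ascii_uppercase,
    "1": string.digits,
}


def parse_generate(spec: str) -> tuple[int, int, str]:
    """Parse 'MIN:MAX:CHARSET' into (min_len, max_len, alphabet), deduplicated."""
    min_s, max_s, charset = spec.split(":", 2)   # charset may itself contain ':'
    alphabet = ""
    for ch in charset:
        for c in _SHORTHAND.get(ch, ch):
            if c not in alphabet:
                alphabet += c
    min_len, max_len = int(min_s), int(max_s)
    if min_len < 1 or max_len < min_len or not alphabet:
        raise ValueError(f"bad generate spec: {spec!r}")
    return min_len, max_len, alphabet


def keyspace(spec: str) -> int:
    """Total candidates: sum of |alphabet|**n for every length in [min, max]."""
    min_len, max_len, alphabet = parse_generate(spec)
    size = len(alphabet)
    return sum(size ** n for n in range(min_len, max_len + 1))


def remaining(spec: str, tried: int) -> int:
    """Candidates left after `tried` attempts (the 'to go' figure in the Start tab)."""
    return keyspace(spec) - tried


def estimate_seconds(spec: str, tried: int, elapsed_seconds: float) -> float:
    """Project time to exhaust the rest of the keyspace at the observed rate."""
    if tried <= 0 or elapsed_seconds <= 0:
        raise ValueError("need a positive attempt count and elapsed time")
    return remaining(spec, tried) / (tried / elapsed_seconds)
```

With 1:8:a, the 217,180,146,596 "to go" in the Start tab is the full keyspace minus 562 attempts, and 12,280,876 is the 1:5:a keyspace minus the 75,754 attempts of the 70-hour run.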

(Screenshot: xHydra)

The speed of this test is mainly determined by the resources and setup of the victim server. Our victim server here is a low-rent VM, which is one reason for such a slow test. Also, at the start of this run, we got a warning that MySQL doesn't like a lot of parallel connections. The speed will be higher against a target server with more resources. Another limiting factor is that the target server may be so weak that a sustained brute-force attack might knock the machine off the network. Even a strong server with large amounts of resources available might experience a denial of service (DoS) condition. When doing brute-force attacks, you might want to aim for a low and slow rate of attack. As an attacker, you do not want to alert the administrators to the attack.

This test also demonstrates that capturing the hashes and cracking them offline is usually faster than performing the attack online. Another thing to remember is that if any intrusion detection services are running on the system, your attack will be noticed at some point during the years it runs.
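From the defender's side, the run above leaves a long trail of failed logins in the MySQL error log, even at four threads and a low and slow rate. The following detector is an added example, not from the book or any product; the log lines are constructed to mimic MySQL's "Access denied for user" notes (not captured from a real server), and it uses a sliding window so a slow run from one source is flagged where a per-second rate limit would not fire.

```python
"""Flag online password guessing against MySQL from 'Access denied' log lines.

Added example, not from the book. SAMPLE_LOG is constructed to resemble MySQL
error-log notes; the exact prefix fields vary by version, so the regex only
relies on the timestamp and the 'Access denied for user' text.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source making a failed attempt every 3 s against root,
# plus a single mistyped password from a legitimate application host.
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T10:00:{i * 3:02d}.000000Z {100 + i} [Note] [Server] "
     f"Access denied for user 'root'@'10.0.0.23' (using password: YES)"
     for i in range(12)]
    + ["2024-03-01T10:00:20.000000Z 150 [Note] [Server] "
       "Access denied for user 'wordpress'@'10.0.0.9' (using password: YES)"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+Z)\s.*Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_failures(log_text: str):
    """Yield (timestamp, user, source host) for every failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
            yield ts, m["user"], m["host"]


def find_bursts(log_text: str, threshold: int = 10,
                window: timedelta = timedelta(minutes=5)) -> dict[str, int]:
    """Return {source_host: peak failures inside any `window`} for hosts at or
    above `threshold`. The window slides over sorted timestamps, so a slow run
    that never exceeds a per-second limit still accumulates and gets flagged."""
    per_host = defaultdict(list)
    for ts, _user, host in parse_failures(log_text):
        per_host[host].append(ts)
    flagged = {}
    for host, stamps in per_host.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged
```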

So let's try a password-list attack on the same system. Notice we have changed the setting from Generate to Password List and selected the rockyou.txt password list from the many password lists included in Kali. The following image lists the directories and shows the rockyou.txt file in compressed form. You will need to uncompress it before use:

(Screenshot: xHydra)

Then, we have selected the uncompressed file and we are ready to go:

(Screenshot: xHydra)

Through the modern miracle of Hollywood, we see we have cracked the password evil1. After 562 tries and 31 hours, we have it. This is a lot of time for that number of tries. Again, the speed at which the service accepts password attempts is the defining factor, and it takes a while. Software firewalls and password-attempt limits on the target server can make it take longer, or even make it impossible.

If the correct password was farther down the password list, it would have taken longer:

(Screenshot: xHydra)