Number one of the biggest security holes are passwords, as every password security study shows.
Hydra is a parallized login cracker which supports numerous protocols to attack. New modules are easy to add, beside that, it is flexible and very fast.
Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1, OpenBSD, OSX, QNX/Blackberry, and is made available under GPLv3 with a special OpenSSL license expansion.
Currently this tool supports:
Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, S7-300, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
For HTTP, POP3, IMAP and SMTP, several login mechanisms like plain and MD5 digest etc. are supported.
This tool is a proof of concept code, to give researchers and security consultants the possiblity to show how easy it would be to gain unauthorized access from remote to a system.
The program was written van Hauser and is additiionally supported by David Maciejak.
Download
https://www.thc.org/thc-hydra/
Examples
General usage and options:
https://www.aldeid.com/wiki/Thc-hydra
https://resources.infosecinstitute.com/online-dictionary-attack-with-hydra/
HTTP basic auth:
https://www.owasp.org/index.php/Testing_for_Brute_Force_%28OWASP-AT-004%29
https://www.sillychicken.co.nz/Security/how-to-brute-force-your-router-in-windows.html
HTTP form based auth:
https://www.art0.org/security/performing-a-dictionary-attack-on-an-http-login-form-using-hydra
https://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html
https://www.sillychicken.co.nz/Security/how-to-brute-force-http-forms-in-windows.html
https://www.owasp.org/index.php/Testing_for_Brute_Force_%28OWASP-AT-004%29
Multiple protocols:
https://wiki.bywire.org/Hydra
https://www.attackvector.org/brute-force-with-thc-hydra/
https://www.madirish.net/content/hydra-brute-force-utility
Telnet:
https://www.theprohack.com/2009/04/basics-of-cracking-ftp-and-telnet.html
https://www.adeptus-mechanicus.com/codex/bflog/bflog.html