How To Hack Wireless Router admin login Passwords Using Hydra

Leaving your wireless router at its default settings is a bad idea. The sad thing is, most people still do it. Once they’ve penetrated your network, hackers will change your router settings so they’ll have an easy way back in. This allows them to change your network into a shell or proxy so they can forward their traffic anonymously through you when committing other dirty deeds. If you keep your wireless router at the defaults, then hackers can control your firewalls, what ports are forwarded, and more.

But never mind the hackers, what about your kids?

In this Null Byte, we’re going to take a hack at our own wireless routers to see just how secure they really are. We’ll be using Arch Linux and THC Hydra, a brute-forcing tool. Windows users, you can follow along if you use Cygwin.

Step 1: Download & Install Hydra

First we need to go to the Hydra website, download Hydra, and get everything configured. In this article, a “cmd” refers to a command that has to be entered into a terminal emulator.

  • Download Hydra from THC’s website.
  • Extract Hydra in a nice location. cmd: tar zxvf hydra-7.1-src.tar.gz
  • Change to the newly made directory.

Step 2: Use Hydra on Your Router

Now we’re going to attack our routers. The default IP/URL to reach it at will be, so test that address in a browser to confirm it. If you get a dialog box, you’ve reached your router. This is running HTTP basic authentication. 

Commands & Configuration

  • cmd: xhydra
  • Enter as your target.
  • Use http-get as the method.
  • Port 80.
  • Pick a word list saved on your computer.

Click start!

Congratulations! See how easy it can be? A router won’t block out requests normally, either. So someone could brute-force you for days upon days. Change your password to something greater than 12 characters and maybe review this guide. Most routers have a default username and password. You can get an overview of all the commands used with Hydra by following: “man hydra” (in terminal).

First, you’ll need to scan the open ports on the router. Use the following command: “nmap” (this is your router’s IP address). I will use FTP here. Now, run the following command: “hydra -l admin -P password.txt -v -f ftp”

Explanation of the command:

“-l” is used for the login username. My default is “admin.” You can use “-L” and give a text file of usernames if you’re not aware of your router’s admin username. “-P” is used for the password list. “-v” is used for verbose mode; it shows the login attempts. “-f” tells it to quit after finding the first valid username and password pair.

“” is my router’s configuration IP address. “ftp” is the service I am using on an open port (you can also use “http-get” and others). Now wait and watch; if it finds a login and password pair, it will show it on the screen. Hydra supports many types of services, and you can use them for cracking any type of login passwords.

Hydra is a popular password cracker which can be used to crack passwords from various services such as http, ftp, telnet etc. Most of our internet traffic is routed through a router which has an http interface. If you are using a web browser, try typing or in the web browser and see if the authentication prompt is issued.

If yes, the prompt most probably comes from your router. The router web interface is useful for configuring port forwarding for torrents or if you want to play multiplayer online games such as AOE. If you do not know the password of your router, hacking using hydra can be fun and easy.

For example, if my router web interface is on, the simple command will be- Here password.lst is the password list which contains the list of passwords to be bruteforced. admin is the username we will be trying for. The usernames can also be bruteforced with -L option.

Hydra (better known as “thc-hydra”) is an online password attack tool. It brute forces various combinations on live services like telnet, ssh, http, https, smb, snmp, smtp etc. Hydra supports 30+ protocols including their SSL enabled ones. It brute forces on services we specify by using user-lists & wordlists.

Hydra works in 4 modes:

  • One username & one password
  • User-list & one password
  • One username & password list
  • User-list & password list

Pentesters use this tool to test/audit the password complexity of live services, mostly where direct sniffing is not possible. You can open xHydra from the Kali Linux menu or terminal.

  • Target – Settings for various target options.
  • Passwords – Specify password options & wordlists.
  • Tuning – Specify how fast hydra should work. Other timing options are also available.
  • Specific – For testing on specific targets like a domain, https proxy etc.
  • Start – Start/Stop & shows the output.

Breaking an ssh with wordlist attack – Hydra

In this lab we try to break an ssh authentication on a remote host that has IP address Here we do a wordlist attack by using a wordlist containing the most common passwords to break into the root account.

Step 1: Open thc-hydra

Step 2: Set Target & protocol in the target table

Step 3: Set the username as root & specify the location for a wordlist in the passwords tab. Larger wordlists, ranging up to 3GB or more, are available on the internet. Just google for 5 minutes.

Step 4: Set the number of tasks to 1 in the tuning tab, since this will reduce congestion & the chance of detection, but it takes longer to complete. This is also necessary to mitigate account lockout duration.

Step 5: Start the thc-hydra from Start tab.

Step 6: Scroll down & wait until the password gets cracked.

THC Hydra is an easy-to-use, user-friendly tool. It includes a GUI for those who do not know how to work with the cmd. Hydra is ideal for brute force and dictionary password cracks of over 30 different protocols.

Other common remote authentication tools are Medusa and Ncrack. These perform similar functions to THC Hydra and can also be downloaded online. Speed comparisons reveal that all three tools are relatively similar in output times. Hydra ranks at the top because it supports so many protocols. THC Hydra is a great option for performing a brute force/dictionary crack of a remote authentication service.
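Since a router normally won't block repeated requests, and a one-task run is chosen to lower the chance of detection, repeated HTTP 401 responses from one source are the signal to watch for on your own network. The following is an added example, not code from the original article: it scans access-log lines and flags fast bursts, slow accumulations, and a success that follows many failures. The Common Log Format input, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: source, ident, user, [timestamp], "request", status, size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def parse(lines):
    """Yield (source, timestamp, status) for each well-formed line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts, int(m.group(3))

def detect(lines, burst=5, burst_window=timedelta(seconds=10),
           slow=8, slow_window=timedelta(hours=24)):
    """Return {source: [alert kinds]} for sources that look like guessing."""
    fails = defaultdict(deque)  # source -> 401 timestamps inside slow_window
    alerts = defaultdict(set)
    for src, ts, status in parse(lines):
        seen = fails[src]
        while seen and ts - seen[0] > slow_window:
            seen.popleft()  # forget failures older than the long window
        if status == 401:
            seen.append(ts)
            if sum(1 for t in seen if ts - t <= burst_window) >= burst:
                alerts[src].add("burst")  # many failures in a few seconds
            if len(seen) >= slow:
                alerts[src].add("slow")  # one-at-a-time guessing still adds up
        elif status == 200 and len(seen) >= burst:
            alerts[src].add("success-after-failures")  # a guess may have worked
    return {src: sorted(kinds) for src, kinds in alerts.items()}

def _line(src, ts, status):
    return f'{src} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET / HTTP/1.1" {status} 0'

# Constructed sample data (documentation address ranges), not real traffic.
T0 = datetime(2024, 3, 12, 10, 0, tzinfo=timezone.utc)
SAMPLE = (
    # Normal browser login: one unauthenticated 401, then success.
    [_line("192.0.2.10", T0, 401), _line("192.0.2.10", T0 + timedelta(seconds=4), 200)]
    # Six failures in six seconds followed by a success.
    + [_line("198.51.100.7", T0 + timedelta(seconds=i), 401) for i in range(6)]
    + [_line("198.51.100.7", T0 + timedelta(seconds=6), 200)]
    # One failure every ten minutes: never a burst, but it accumulates.
    + [_line("203.0.113.9", T0 + timedelta(minutes=10 * i), 401) for i in range(9)]
)

if __name__ == "__main__":
    for source, kinds in detect(SAMPLE).items():
        print(source, kinds)
```

The long window is what catches the slow run; a burst-only rule would miss the third source entirely.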
