Cloud Academy

OWASP Exercises: Dictionary Attack using Hydra

Developed with

Lab Steps

Logging into the Microsoft Azure Portal
Connecting to the Lab Host Virtual Machine Using RDP
Load the Virtual Machines (Kali & Hydra)
Conduct the Dictionary Attack

Ready for the real environment experience?

Time Limit40m
star star star star star-border


Attackers constantly try to crack the passwords of other people in order to gain access to their accounts. The dictionary attack is one of the most common ways of attempting to crack a user's password. The attack works by attempting to use all of the words in a given dictionary file as the password for the user. If the user's password is in the dictionary used in the attack, the attacker is able to gain access. Hydra is a well-known tool for performing dictionary attacks.

In this lab, you will use Hydra to perform a dictionary attack on a locally hosted website.

Learning Objectives

Upon completion of this lab you will be able to:

  • Set up Hydra to perform a dictionary attack on a website

Intended Audience

This lab is intended for:

  • Individuals who want to learn how to defend against dictionary attacks on websites
  • Security engineers who want to understand the security level of the passwords they are using inside their company
  • Individuals who want to understand how a dictionary attack is performed


This lab has no prerequisites.

Environment before
Environment after

About the Author

Richard Beck is Head of Cyber Security at QA, responsible for the entire Cyber Security portfolio. He works with customers to build effective and successful security training solutions tailored to business needs. Richard has over 10 years' experience in senior Information Security roles. Prior to QA, Richard was Head of Information Security for four years at Arqiva, which underpin 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts at CPP, GEC, Pearson and the Royal Air Force. Richard sits on the IBM European Board of Security Advisors and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI).