# Hydra

## Overview
THC-Hydra is a fast, parallelized, online password cracking tool that supports a massive number of protocols. It is the go-to tool for brute-forcing remote authentication services during penetration tests.
## Category
#gaining-access #credential-attacks #brute-force
## Phase
Gaining Access
## Developer
The Hacker’s Choice (THC) — github.com/vanhauser-thc/thc-hydra
## Install

```bash
# Kali Linux — pre-installed
hydra -h
# Debian/Ubuntu
sudo apt install hydra
# macOS
brew install hydra
```
## Supported Protocols (partial list)
FTP, SSH, Telnet, SMTP, HTTP/HTTPS (GET/POST forms), POP3, IMAP, SMB, RDP, LDAP, MySQL, PostgreSQL, MSSQL, Oracle, VNC, XMPP, IRC, and many more.
## Core Syntax

```bash
hydra [options] target protocol
```
## Common Usage Examples

```bash
# SSH brute force with wordlist
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.10
# SSH with username list
hydra -L users.txt -P passwords.txt ssh://192.168.1.10
# FTP
hydra -l admin -P rockyou.txt ftp://192.168.1.10
# RDP (Windows Remote Desktop)
hydra -l administrator -P rockyou.txt rdp://192.168.1.10
# HTTP POST form login
hydra -l admin -P rockyou.txt \
  192.168.1.10 http-post-form \
  "/login.php:username=^USER^&password=^PASS^:Invalid credentials"
# HTTP GET Basic Auth
hydra -l admin -P rockyou.txt http-get://192.168.1.10/admin
# MySQL
hydra -l root -P rockyou.txt mysql://192.168.1.10
# SMTP
hydra -l user@example.com -P rockyou.txt smtp://mail.example.com
# Verbose output + save results
hydra -l admin -P rockyou.txt ssh://192.168.1.10 -V -o results.txt
```
## Key Flags

| Flag | Description |
|---|---|
| `-l` | Single username |
| `-L` | Username wordlist |
| `-p` | Single password |
| `-P` | Password wordlist |
| `-t` | Threads per target (default 16) |
| `-T` | Total concurrent targets |
| `-s` | Custom port |
| `-f` | Stop after first valid credential found |
| `-V` | Verbose — show each attempt |
| `-v` | Show login attempts (less verbose than `-V`) |
| `-o` | Output file |
| `-e nsr` | Also try: n=null, s=same as user, r=reverse of user |
| `-x min:max:charset` | Generate passwords on the fly |
## Wordlists

```bash
# Common locations on Kali
/usr/share/wordlists/rockyou.txt   # Classic 14M password list
/usr/share/wordlists/metasploit/   # Various protocol-specific lists
/usr/share/seclists/Passwords/     # SecLists (install separately)
# Install SecLists
sudo apt install seclists
```
## HTTP Form Syntax Breakdown

```
"<path>:<form_params>:<failure_string>"
# Example:
"/login.php:username=^USER^&password=^PASS^:Login failed"
```

- `<path>` — the login form's path
- `<form_params>` — the POST body, with `^USER^` and `^PASS^` placeholders
- `<failure_string>` — a string that appears on a failed login
Use browser DevTools (Network tab) to capture the exact POST body and failure message.
## OPSEC Notes

Hydra generates massive numbers of login attempts, which are immediately visible in auth logs and will trigger account lockouts. Always:

- Check lockout policies before brute-forcing
- Use `-t 4` or lower for stealth
- Prefer targeted/credential-stuffing attacks over full wordlists
- Only attack systems you are authorized to test
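Because a Hydra run leaves exactly this footprint in auth logs, the defender's side of the picture is a burst of failures from one source in a short window. The script below is an added example (not part of this note or the Hydra project): it parses OpenSSH `sshd` "Failed/Accepted password" lines, flags sources that exceed a failure threshold inside a sliding window, and marks bursts that end in a successful login. The log lines are constructed samples; the threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log in standard OpenSSH syslog format (not real data).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 host sshd[2101]: Failed password for admin from 192.168.1.50 port 50111 ssh2
Mar  3 10:15:01 host sshd[2102]: Failed password for admin from 192.168.1.50 port 50112 ssh2
Mar  3 10:15:02 host sshd[2103]: Failed password for invalid user test from 192.168.1.50 port 50113 ssh2
Mar  3 10:15:02 host sshd[2104]: Failed password for admin from 192.168.1.50 port 50114 ssh2
Mar  3 10:15:03 host sshd[2105]: Failed password for admin from 192.168.1.50 port 50115 ssh2
Mar  3 10:15:03 host sshd[2106]: Accepted password for admin from 192.168.1.50 port 50116 ssh2
Mar  3 10:20:00 host sshd[2200]: Failed password for bob from 10.0.0.7 port 41000 ssh2
Mar  3 10:45:00 host sshd[2300]: Failed password for bob from 10.0.0.7 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_auth_log(text, year=2024):
    """Return (timestamp, ip, user, result) tuples; syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events

def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Alert on any source IP with >= threshold failures inside a sliding window.
    Thresholds are assumed values to tune; a success at or after the burst is the high-severity case."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[2] == "Failed"]
        start = 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                last_fail = fails[end][0]
                alerts[ip] = {
                    "failures": end - start + 1,
                    "users_tried": sorted({u for _, u, _ in fails}),
                    "success_after_burst": any(r == "Accepted" and t >= last_fail for t, _, r in evs),
                }
                break
    return alerts
```

Running `detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG))` flags only 192.168.1.50 (five failures in two seconds, then an accepted login), while the two spaced-out failures from 10.0.0.7 stay below the threshold.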
## Related Tools
- Metasploit — Contains brute-force auxiliary modules for many protocols
- SQLmap — If credentials get you to a web app with a DB backend
- Netcat — Once credentials are obtained, nc can be used for simple connections
- Nmap — Identify which services are running before choosing Hydra protocol
## Tags
#ethical-hacking #gaining-access #brute-force #credentials #password-cracking