Hydra User Guide

https://github.com/vanhauser-thc/thc-hydra

Installation

sudo apt-get -y install hydra

Basic Syntax

hydra [login_options] [password_options] [attack_options] [service_options]

Options Table

Option

Description

Example

-l LOGIN

Single username

hydra -l admin ...

-L FILE

Username list file

hydra -L users.txt ...

-p PASS

Single password

hydra -p password123 ...

-P FILE

Password list file

hydra -P passwords.txt ...

-t TASKS

Parallel tasks (threads)

hydra -t 4 ...

-f

Stop after first valid login

hydra -f ...

-F

Stop after first valid login (global)

hydra -F ...

-s PORT

Non-default port

hydra -s 2222 ...

-v / -V

Verbose / Very verbose

hydra -V ...

-M FILE

List of target servers

hydra -M targets.txt ...

-x MIN:MAX:CHARSET

Generate passwords

hydra -x 6:8:a1 ...

Services Table

Service

Protocol

Example

ssh

SSH

hydra -l root -P pass.txt ssh://192.168.1.100

ftp

FTP

hydra -l admin -P pass.txt ftp://192.168.1.100

http-get

HTTP Basic Auth

hydra -L users.txt -P pass.txt example.com http-get /

http-post-form

Web Login Form (HTTP)

See below

https-post-form

Web Login Form (HTTPS)

Same syntax as http-post-form, use for HTTPS

rdp

Remote Desktop

hydra -l admin -P pass.txt rdp://192.168.1.100

smb

SMB

hydra -l admin -P pass.txt 192.168.1.100 smb

mysql

MySQL

hydra -l root -P pass.txt mysql://192.168.1.100

mssql

MS SQL Server

hydra -l sa -P pass.txt mssql://192.168.1.100

vnc

VNC

hydra -P pass.txt vnc://192.168.1.100

pop3

POP3 Mail

hydra -l user -P pass.txt pop3://mail.server.com

imap

IMAP Mail

hydra -l user -P pass.txt imap://mail.server.com

smtp

SMTP Mail

hydra -l user -P pass.txt smtp://mail.server.com

ldap2

LDAP

hydra -L users.txt -P pass.txt 192.168.1.100 ldap2

snmp

SNMP

hydra -P pass.txt 192.168.1.100 snmp

Hydra Syntax

The correct hydra syntax is depended upon the service you are going after. For example if we want to hit ftp we should use:

FTP

hydra -l user -P passlist.txt ftp://10.10.10.10 -F

SSH

hydra -l <username> -P /usr/share/wordlists/rockyou.txt 10.10.10.10. -t 4 ssh

-l is to specify the username
P is to specify a password list
-t is to specify the number of threads to run hydra with.
Note: Hydra recommends no more than 4 threads, however you can run it faster with -t 16.
-F means stop when you find your first valid password, highly recommend this option

hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://$host -f
hydra -l admin -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt ssh://$host -f -s 2222
hydra -L user.txt -P password.txt -f ssh://10.10.15.2:31294 -t 4 -w 15 -F

POST Web Form

Hydra can be used to brute force web logins as well.
Step 1: Determine the request made to the form (POST/GET)
Identify this in the network tab (developer tools), view the source code, or use Burp Suite.

Syntax

hydra [options] target http-post-form "path:params:condition_string"

Success vs Failure Conditions

Condition

Description

Example

F=string

Failure - Text in response when login fails

F=Invalid credentials

S=string

Success - Text in response when login works

S=Dashboard

S=302

Success - HTTP redirect on successful login

S=302

Use F= when you know the failure message (most common):

hydra -l admin -P pass.txt example.com http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid credentials"
# HTTPS form (e.g. phpLiteAdmin), limit threads for stability
hydra -l admin -P /usr/share/seclists/Passwords/2023-200_most_used_passwords.txt TARGET_IP https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password." -t 3

Use S= when you know what success looks like:

hydra -l admin -P pass.txt example.com http-post-form "/login:user=^USER^&pass=^PASS^:S=302"
hydra -l admin -P pass.txt example.com http-post-form "/login:user=^USER^&pass=^PASS^:S=Welcome"

Full Example

hydra -l <username> -P /usr/share/wordlists/rockyou.txt 10.10.211.150 http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -vV

http-post-form specifies the type of form
/login url the login page URL i.e. http://dont-brute-force-me.com/login.php
:username the form field name for the username
^USER^ this tells hydra to use the username you specified
password the form field name for the password
^PASS^ the password list specified in the command
F=incorrect the word that appears on the page if the login fails
-vV specifies very verbose output
Hydra non default ssh port:

hydra -t 16 -l sam -P /usr/share/wordlists/rockyou.txt 10.10.80.187 ssh -s 4567 -vV

HTTP-GET

Basic Authentication HTTP-GET

hydra -vV -l administrator -P 2023-200_most_used_passwords.txt 10.13.38.11 http-get /admin/ 
hydra -vV -t 2 -l administrator -P /usr/share/seclists/Passwords/seasons.txt 10.13.38.11 http-get /admin/

Example Syntax

#Hydra brute force against SNMP
hydra -P password-file.txt -v $ip snmp	
#Hydra FTP known user and rockyou password list
hydra -t 1 -l admin -P /usr/share/wordlists/rockyou.txt -vV $ip ftp	
#Hydra SSH using list of users and passwords
hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh	
#Hydra SSH using a known password and a username list
hydra -v -V -u -L users.txt -p "" -t 1 -u $ip ssh
#Hydra SSH Against Known username on port 22
hydra $ip -s 22 ssh -l -P big_wordlist.txt	
#Hydra POP3 Brute Force
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V	
#Hydra SMTP Brute Force
hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V	
#Hydra attack http get 401 login with a dictionary
hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin	
#Hydra attack Windows Remote Desktop with rockyou
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip	
#Hydra brute force SMB user with rockyou
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb	
#Hydra brute force a Wordpress admin
hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'	 login
#SMB Brute Forcing
hydra -L usernames.txt -P passwords.txt $ip smb -V -f	
#LDAP Brute Forcing
hydra -L users.txt -P passwords.txt $ip ldap2 -V -f

Additional Syntax Formats

sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password!"
sudo hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.211.150 http-post-form "/login:username=molly&password=^PASS^:F=incorrect" -V
sudo hydra 10.0.0.1 http-post-form "/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid" -P /usr/share/wordlists/rockyou.txt -l admin
hydra -l lazie -P /opt/rockyou.txt imap://10.10.251.142 -vV

PreviousHashcat NextJohn

Last updated 20 days ago

hashtagInstallation

hashtagBasic Syntax

hashtagOptions Table

hashtagServices Table

hashtagHydra Syntax

hashtagFTP

hashtagSSH

hashtagPOST Web Form

hashtagSyntax

hashtagSuccess vs Failure Conditions

hashtagFull Example

hashtagHTTP-GET

hashtagExample Syntax

hashtagAdditional Syntax Formats

Installation

Basic Syntax

Options Table

Services Table

Hydra Syntax

FTP

SSH

POST Web Form

Syntax

Success vs Failure Conditions

Full Example

HTTP-GET

Example Syntax

Additional Syntax Formats