Hydra Password Cracking & Brute-Forcing

THC Hydra (often just Hydra) is a high-speed network login cracker used by penetration testers to evaluate how resilient services are to credential-guessing attacks.
Hydra supports dozens of protocols (SSH, FTP, HTTP(S) forms, SMB, RDP, POP3, SMTP, and more) and can use username/password lists, combinations, and basic rules.

This guide teaches you how to use Hydra responsibly: install it, run common attack types in a lab, tune performance, detect/avoid noisy behavior, and implement defenses.

Ethical reminder

Brute-forcing credentials against systems you do not own or explicitly have permission to test is illegal and unethical. Use only in authorized labs or sanctioned engagements.

What Hydra Is Good For

Testing login rate limits and account lockout policies.
Measuring how quickly a service can be abused with credential lists.
Finding weak or reused credentials across services.
Demonstrating the need for multi-factor authentication (MFA) and throttling.

Hydra is not a tool for exploitation, it finds weak credentials; the risk and remediation follow from what those credentials allow.

Installation

Hydra is included in most pentesting distributions (Kali, Parrot). To install on Debian/Ubuntu:

sudo apt update
sudo apt install hydra -y

To build from source (recommended for latest features):

git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
sudo make install

Verify installation:

hydra -h

Basic Usage Concepts

Hydra syntax follows this pattern:

hydra [options] <target> <module>

Common options:

-L <userlist> — file with usernames (one per line)
-l <user> — single username
-P <passlist> — file with passwords
-p <password> — single password
-t <tasks> — number of parallel tasks (threads)
-s <port> — specify port (if nondefault)
-V — verbose (show tried attempts)
-o <file> — write results to file
-f — exit after first valid login (useful to stop early)
-e nsr — try additional modes (n = null password, s = same as user, r = reverse user)
-W — wait between attempts (seconds) — useful to slow down and avoid lockouts

Example minimal form:

hydra -L users.txt -P passwords.txt ssh://192.168.56.101 -t 4 -o results.txt

Protocol Examples

SSH (Common)

Test SSH logins using a username list and wordlist:

hydra -L /usr/share/wordlists/usernames.txt -P /usr/share/wordlists/rockyou.txt \
  -t 4 -f -o ssh_hits.txt ssh://192.168.56.101

Notes:

Use -t to control parallelism; more threads = faster but noisier.
-f stops Hydra after the first valid credential is found for a target.

FTP

hydra -L users.txt -P passwords.txt ftp://192.168.56.102 -t 6 -o ftp_hits.txt

Hydra supports HTML form-based logins — you must identify form field names and the login POST URL.

Capture the login request (e.g., with Burp or browser devtools). Identify:
- POST URL: http://target/login.php
- username field: user
- password field: pass
- any hidden tokens (if present) — handle or omit as required.
Run Hydra:

hydra -L users.txt -P passwords.txt 192.168.56.103 http-post-form \
  "/login.php:user=^USER^&pass=^PASS^:F=incorrect" -t 8 -o http_hits.txt

Explanation of http-post-form string:

"<path>:<post-data>:<failed-condition>"

^USER^ and ^PASS^ are placeholders Hydra replaces.
F=incorrect is a string Hydra will search in the response to determine a failed login (change to match the app’s error text).
You can also use S=string to look for success indicators.

SMB / Windows (smb)

hydra -L users.txt -P passwords.txt -t 4 smb://192.168.56.104 -vV -o smb_hits.txt

RDP

hydra -L users.txt -P passwords.txt rdp://10.0.0.5 -t 2 -o rdp_hits.txt

Hydra supports many modules — list them with:

hydra -U

Tuning Performance vs Noise

Threads (-t): More threads speed up attacks but increase network traffic and detection probability. Start with -t 4 and adjust.
Parallel Targets: Hydra can target many hosts; use caution across networks.
Timing: Use -W (wait) or scripting to slow down attempts to test lockout policies.
Exit on Success (-f): Stops attempts on first success to reduce noise.
Polite Mode: Although Hydra has no explicit “polite” flag, combine low -t, -W, and per-target limits to be less disruptive.

Detection & Defense (What to Test & How to Harden)

When you run Hydra (ethically), you’re validating defenses. Key defensive controls to implement and verify:

Rate-limiting — per-IP and per-account throttling prevents rapid attempts.
Account Lockout / Progressive Delays — lock after N failed attempts or increase delay progressively.
MFA (Multi-Factor Authentication) — renders password-only attacks ineffective.
IP Reputation & Geo-Blocking — block suspicious sources or unknown geographies.
Login Anomaly Detection — SIEM/EDR alerts on many failed attempts or new IPs.
CAPTCHAs — present after repeated failures to block automated tools.
Strong Password Policies — length, complexity, and banned lists (e.g., against rockyou).
Monitor & Alert — log failed authentication spikes and alert SOC.

Test each control in a lab:

Configure rate-limiting and run Hydra to confirm attempts are throttled.
Test account lockout and ensure lockouts are logged and alerted.

Hands-On Labs (Safe & Local)

Lab A — SSH Brute-Force in a Test VM

Create two VMs: Kali (attacker) and an Ubuntu server (target).
On target, create test users with known weak & strong passwords.
From Kali:

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt -t 4 -f -o ssh_lab_results.txt ssh://192.168.56.101

Observe successful logins and measure how many attempts before lockout (if enabled).

Deploy a simple web login app in a local staging environment that supports account lockout or rate-limiting.
Identify login POST payload and error messages.
Run a slow Hydra attack:

hydra -L users.txt -P small-passwords.txt 192.168.56.103 http-post-form \
"/login.php:user=^USER^&pass=^PASS^:F=Invalid&-w" -t 2 -W 2

Observe whether rate-limits trigger and whether alerts are logged.

Lab C — Test MFA Effectiveness

Enable MFA on a test account.
Attempt a password-only brute force with Hydra.
Confirm that even correct passwords fail without second factor, demonstrates MFA’s value.

Handling Captchas & CSRF Tokens

CAPTCHAs: Hydra cannot bypass CAPTCHAs. If a login triggers CAPTCHA, brute-forcing is effectively blocked unless captcha is bypassed (illegal/complex).
CSRF / Anti-CSRF tokens: For form attacks, you may need to handle dynamic tokens. Common approaches:
- Use a Burp macro to fetch a fresh token per attempt (manual/automated workflows).
- Write a custom script to fetch token, then call Hydra with that token — but this often defeats Hydra’s simplicity and is complex. For lab testing, disable token verification or handle via custom tooling.

Output & Reporting

Hydra writes successful attempts to screen and, if specified, to -o output file.
For reports, include:
- Which services were tested (hosts, ports).
- Username/password pairs found (treat passwords as sensitive).
- Timeframe and number of attempts.
- Defensive controls observed (lockouts, rate-limits, CAPTCHAs).
- Remediation steps (MFA, throttling, password policies).

Sensitive handling: Never publish plaintext credentials in public reports. Provide findings in a secure, internal channel and recommend forced resets and MFA.

Common Pitfalls & Notes

False Positives: Some services reply similarly on success/failure; validate hits manually.
Blocked by WAF / IDS: Web application firewalls may block or distort responses—interpret results carefully.
Network Constraints: Large wordlists + high threads can saturate bandwidth or trigger upstream security devices.
Hydra Limitations: It’s username/password-focused. It doesn’t handle complex multi-step auth flows easily.

Quick Command Cheat Sheet

# SSH: username list + password list
hydra -L users.txt -P passwords.txt -t 4 -f -o ssh_hits.txt ssh://192.168.56.101

# FTP
hydra -L users.txt -P passwords.txt ftp://192.168.56.102 -t 6 -o ftp_hits.txt

# HTTP form (change F= to your app's failure string)
hydra -L users.txt -P passwords.txt 192.168.56.103 http-post-form \
  "/login.php:user=^USER^&pass=^PASS^:F=Invalid username or password" -t 8 -o http_hits.txt

# SMB
hydra -L users.txt -P passwords.txt -t 4 smb://192.168.56.104 -vV -o smb_hits.txt

# Stop after first login per target
hydra -L users.txt -P passwords.txt -f ssh://192.168.56.101

Final Thoughts

Hydra is a practical, fast tool to validate authentication resilience and to demonstrate the value of basic defensive controls like rate-limiting, account lockouts, and MFA. Use it to harden systems — not to attack them. Document tests, obtain authorization, and always handle discovered credentials with strict confidentiality.

What Hydra Is Good For​

Installation​

Basic Usage Concepts​

Protocol Examples​

SSH (Common)​

FTP​

HTTP Form (Web Login)​

SMB / Windows (smb)​

RDP​

Tuning Performance vs Noise​

Detection & Defense (What to Test & How to Harden)​

Hands-On Labs (Safe & Local)​

Lab A — SSH Brute-Force in a Test VM​

Lab B — Test Web Login Rate-Limiting​

Lab C — Test MFA Effectiveness​

Handling Captchas & CSRF Tokens​

Output & Reporting​

Quick Command Cheat Sheet​

Final Thoughts​