If you’re looking for a no-nonsense guide on how to use Hydra, you’ve found the right place. Hydra is a command-line tool to guess valid pairs of usernames and passwords. Unlike John the Ripper, an offline password cracker, Hydra is geared towards online applications, making it suitable for web-based penetration testing.
Like its many-headed namesake, Hydra targets many services as a password cracker. In this brief tutorial, we’ll review the basic usage of Hydra and four use cases: Website Logins, SSH, FTP, and Other Web Services. Whether learning about or brushing up on Hydra, this guide is handy and invaluable.
We want to be absolutely clear on the importance of adhering to applicable laws regarding web application vulnerability scanning and exploitation. Before conducting any form of ethical hacking or penetration testing on a system, ensure that you have obtained explicit permission from the system or network owner.
Unauthorized hacking or scanning may seem trivial, but it can carry severe legal consequences, including fines or imprisonment, depending on your jurisdiction. Do not do it. Some of the laws that govern this activity include:
- The Computer Fraud and Abuse Act (United States)
- Sections 184, 342.1, 380, and 430 of the Criminal Code of Canada (Canada)
- Computer Misuse Act 1990 (England)
- Sec. 202a and 202b of the German Criminal Code (Germany)
- Information Technology Act Sec. 43 and 66 (India)
- The Act on the Prohibition of Unauthorized Computer Access (Japan)
If you doubt whether you’re acting in the clear, consult the agreement or scope of your authorized activities with a specific entity or review the code of conduct or disclosure guidelines with any of the bug bounty programs mentioned at the end of this article.
Hydra Command Generator
Say goodbye to the hassle of trying to remember the exact syntax for your Hydra commands! With our Hydra Command Generator, you can simply say what you need Hydra to do, and we will generate the command for you.
Basic Usage of Hydra
Hydra (or THC-Hydra) is a parallelized password cracker that supports numerous protocols to conduct brute-force attacks. It’s fast and flexible, and new modules are easy to add. This tool enables cyber security researchers and consultants to demonstrate how easy it is to gain unauthorized access to a remote system. It comes pre-installed on the Kali Linux operating system.
Each Hydra command begins with the keyword hydra followed by a series of command-line options specifying how Hydra should conduct its password attacks. Some of these options have mandatory parameters.
Here’s the syntax to specify a username and password for a brute-force attack against a single service on a server:
hydra -l <username> -p <password> <server> <service>
An alternative syntax for the server and service portion of the Hydra command is:
hydra -l <username> -p <password> <service>://<server>
If you want Hydra to choose usernames and passwords from given lists to conduct a dictionary attack, use the following command syntax:
hydra -L <username_list_file.ext> -P <password_list_file.ext> <server> <service>
Sometimes you may be familiar with certain username and password pairings on your server. You may include them in a separate text file, each line formatted as username:password, and use the -C (combo entries) option to speed up the cracking:
hydra -C <username_password_pairings_file.ext> <server> <service>
To attack multiple servers, save the server IP addresses into a file and use the -M command syntax below:
hydra [-l <username> | -L <username_list_file.ext>] [-p <password> | -P <password_list_file.ext>] -M <server_IP_addresses_file.ext> <service>
If you want Hydra to quit after finding the first username/password pair, use the -F option:
Use the syntax below if the service you’ve chosen has a non-default port number:
hydra [-l <username> | -L <username_list_file.ext>] [-p <password> | -P <password_list_file.ext>] <server> <service> -F
Use the syntax below if the service you’ve chosen has a non-default port number:
hydra [-l <username> | -L <username_list_file.ext>] [-p <password> | -P <password_list_file.ext>] <server> -s <new_port_number> <service>
Hydra runs on a CPU and supports multithreading—testing multiple logins simultaneously. Use the -t flag below to speed up your password cracking. The default number of threads is 16:
hydra [-l <username> | -L <username_list_file.ext>] [-p <password> | -P <password_list_file.ext>] -t <number_of_threads> <server> <service>
To save the output to a file, refer to this command syntax:
hydra [-l <username> | -L <username_list_file.ext>] [-p <password> | -P <password_list_file.ext>] -o <output_file.ext> <server> <service>
If you want to toggle verbose mode, which displays the username/password pair for each brute force attempt, use the -V flag:
hydra [-l <username> | -L <username_list_file.ext>] [-p <password> | -P <password_list_file.ext>] <server> <service> -V
The -d flag, which stands for “debug mode,” shows the complete details of the Hydra attack:
hydra [-l <username> | -L <username_list_file.ext>] [-p <password> | -P <password_list_file.ext>] <server> <service> -d
To check for three trivial passwords, use the -e nsr option, where n stands for a null password (empty string), s means that the password is the same as the username, and r refers to the password being the username reversed:
hydra [-l <username> | -L <username_list_file.ext>] [-p <password> | -P <password_list_file.ext>] <server> <service> -e nsr
Your Hydra session may face interruptions for unexpected reasons. Fear not; Hydra has a built-in resumption function callable with the -R option:
This command is only valid if you have previously executed one or more Hydra commands above which didn’t reach completion.
Consider generating passwords of a certain format on the fly to test against a service. The syntax is:
hydra [-l <username> | -L <username_list_file.ext>] [-p <password> | -P <password_list_file.ext>] -x min:max:charset <server> <service>
Explanation of the parameter min:max:charset:
- min specifies the minimum number of characters in each password.
- max specifies the maximum number of characters in each password.
- charset is a string. This string can contain 1 for numbers, a for lowercase, and A for uppercase characters. To include additional characters, append them to charset at the end. For example, if the charset is 5:7:a1#$, then the command will generate passwords of length 5 to 7 and contain lowercase letters, numbers, and any number of # and $ characters.
For help on other Hydra options, use this command:
Hydra also supports environment variables such as that of an HTTP proxy.
To learn about the specific parameters accompanying a service supported by Hydra, use the following command:
hydra <service> -U
Brute Forcing a Website Login
Suppose you want to log in to a website server but need to know the username, password, or both. You can use Hydra to barge into the POST form, where you find the username and password fields and their id/name attributes in the HTTP source.
The command syntax is (assuming the id/name attributes of the username and password fields are userField and passwordField, respectively):
hydra [-l <username> | -L <username_list_file.ext>] [-p <password> | -P <password_list_file.ext>] <server> http-post-form "/path/to/web/login/index.php:userField=^USER^:passwordField=^PASS^"
Notice the additional string argument at the end, specifying the portion in the address bar immediately after the server hostname or IP address. For more information on the creation of that string, use the command below
hydra http-post-form -U
In the demonstration below, we use DVWA, a web app designed for neophyte pentesters. According to the developer console, its vulnerable login username and password fields have username and password as their name attributes, respectively.
Notice the URL is http://127.0.0.0/DVWA/vulnerabilities/brute/index.php, and so the command syntax for brute-forcing this DVWA login becomes:
hydra [-l <username> | -L <username_list_file.ext>] [-p <password> | -P <password_list_file.ext>] 127.0.0.1 http-post-form "/DVWA/vulnerabilities/brute/index.php:userField=^USER^:passwordField=^PASS^"
Now we crack this web app with Hydra and look at the passwords we’ve found for a single username.
As an exercise, you can use Hydra to brute force website logins on vulnerable virtual machines like Mr. Robot (VulnHub).
Brute Forcing SSH
SSH (short for “Secure Shell” or “Secure Socket Shell”) is a network protocol for accessing network services securely over unsecured networks. It includes the suite of utilities implementing it, such as:
- ssh-keygen: for creating new authentication key pairs for SSH;
- SCP (Secure Copy Protocol): for copying files between hosts on a network;
- SFTP (Secure File Transfer Protocol): for sending and receiving files. It’s an SSH-secured version of FTP (File Transfer Protocol), and it has replaced FTP and FTPS (FTP Secure) as the preferred mechanism for file sharing over the Internet.
An SSH server, by default, listens for connections on the standard Transmission Control Protocol (TCP) port 22. Your applications may listen for SSH connections on other ports.
SSH lets you securely manage remote systems and applications, such as logging in to another computer over a network, executing commands, and moving files from one computer to another. An advanced SSH functionality is the creation of secure tunnels to run other application protocols remotely.
The command syntax is:
hydra [-l <username> | -L <username_list_file.ext>] [-p <password> | -P <password_list_file.ext>] <server> ssh
Here is an example of using Hydra on the VulnHub box Lampião to brute force an SSH login:
(We guessed the username is “tiago” because the developer’s first name is Tiago and created a password list from text on the target’s website.)
Brute Forcing FTP
FTP (File Transfer Protocol) is a client-server protocol for sending and receiving files between computers over Transmission Control Protocol/Internet Protocol (TCP/IP) connections. Its TLS/SSL-secured counterpart is FTP over TLS/SSL (FTPS).
FTP consists of two channels between the client and server: a command channel (default port 21) for controlling the conversation and a data channel (default port 20) for transmitting file content. For FTPS, the default control and data ports are 990 and 989, respectively.
Here’s how a typical FTP transfer works:
- A user typically needs to log on to the FTP server (unless it’s an anonymous FTP server which requires no login).
- When the user requests to download a file, the client initiates a conversation with the server.
- A connected FTP client can add, amend, download, and delete files on a server.
The command syntax is:
hydra [-l <username> | -L <username_list_file.ext>] [-p <password> | -P <password_list_file.ext>] <server> ftp
The following is an example of using Hydra to brute force an FTP login:
For further practice, you can brute force with Hydra on VulnHub box Chili 1.
Brute Forcing Other Services
As you can see from the examples above, the command syntax for Hydra is rather straightforward: in most cases, once you know the set of usernames and passwords you’ll use, you only need to specify the server and the service.
Hydra can also crack passwords by brute force on other web services, such as SMTP, POP3, IMAP, and Telnet. The services you choose may require additional options and parameters to work, such as brute-forcing a website.
Here are two examples of Hydra cracking passwords on POP3 on the dynamic port 55007 (hence the use of the -s flag):
We hope this guide on how to use Hydra the brute-forcer has benefited you and helped you advance your learning or career goals. If you want to learn more about website hacking and penetration testing, check out our hacking articles, our guide to another password cracker John the Ripper, and our courses below: