Last updated: April 26, 2026
Hydra is the canonical brute-force tool for network services — SSH, FTP, MySQL, RDP, web logins. In 2026, brute-force is rarely the first attack a pentester runs (rate limiting, account lockouts, Captchas all push back). But against legacy services, internal-facing infrastructure, and weak default-credentials environments, Hydra still produces results in minutes. This article covers the practitioner workflow that doesn’t trip lockouts and the defender controls that close the entire technique.
The Hydra basics
# SSH brute-force with username + password lists
hydra -L users.txt -P passwords.txt -t 4 ssh://10.0.0.5
# Single user, password list
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://10.0.0.5
# RDP
hydra -l Administrator -P passwords.txt rdp://10.0.0.5
# HTTP form (POST)
hydra -L users.txt -P passwords.txt 10.0.0.5 \
http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid"
# Use -t to control parallelism (1-32)
# Use -W to wait between attempts (avoid lockout)
The 2026 reality check
Stock Hydra against modern services usually fails:
- Account lockouts after 5 failed attempts
- Source IP rate limiting
- Captchas after threshold
- Detection rules in SIEM that page on-call within minutes
Where it still works:
- Internal services — internal SSH, MySQL, MSSQL, network device admin interfaces. Often no rate limiting at all.
- Legacy applications — old web apps without modern lockout / rate limit controls.
- Default credentials — small wordlist of common defaults (admin/admin, root/root, admin/password) catches SOHO routers and consumer-grade devices routinely.
- Password spraying (one password against many users) — bypasses per-user lockouts.
Modern brute-force workflow
1. Password spraying instead of brute force
Spraying tries one common password (Welcome2024!, CompanyName@2024) against many usernames. Each user sees one failed attempt; lockouts don’t trigger.
hydra -L users.txt -p 'Welcome@2024' -t 1 -W 30 ssh://10.0.0.5
For AD environments, dedicated tools (kerbrute, msfconsole’s auxiliary modules) are stealthier.
2. Slow-and-low timing
# 1 attempt every 30 seconds; uses -t 1 -W 30
# Stays under most rate-limiting thresholds
3. Distributed attempts
If account-lockout policies allow X attempts per IP, distribute attempts across multiple source IPs (proxychains + multiple residential IPs, BurpSuite IP rotation, or AWS Lambda fan-out).
4. Wordlist intelligence
- Use targeted wordlists, not generic rockyou-style.
- For Indian targets: company name + year, common Indian password patterns (Password@1234, Welcome@123).
- OSINT-derived: pet names, family names from social media.
- For specific sectors: “Bank@2024”, “PayZapp@123”, domain-specific patterns.
Defender side
- Account lockout: 5-10 failures, 15-30 minute lockout. Standard practice; surprisingly often missing on internal services.
- Rate limiting per source IP: 5 attempts per minute baseline.
- Captchas after threshold (3-5 failures).
- SIEM alerts for failed-auth volume spikes per source IP / per user.
- Block known credential-stuffing IPs (commercial threat-intel feeds list active brute-force sources).
- MFA on every authentication where possible. Brute-force becomes irrelevant.
- Password complexity that prevents the common-pattern password from being valid.
The takeaway
Brute-force in 2026 is rarely your first attack vector. But internal services, legacy applications, and SOHO devices remain exposed. Test your own internal SSH, RDP, and admin interfaces with a small targeted wordlist. The findings — accounts with default or company-name passwords — are quick wins for both attacker and remediation backlog.
Get a VAPT scoping call
Senior practitioner-led VAPT — not a checklist run by juniors. CVSS-scored findings, free retest, attestation letter. India's SMBs and SaaS teams.