Hydra — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

Network login brute-forcer for 50+ protocols — SSH, RDP, FTP, SMB, HTTP forms, telnet.

Use case: Password CrackingDifficulty: BeginnerHomepage: https://github.com/vanhauser-thc/thc-hydra

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Linux (apt)

sudo apt install hydra

macOS (brew)

brew install hydra

Source

git clone https://github.com/vanhauser-thc/thc-hydra && cd thc-hydra && ./configure && make && make install

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

SSH single user

hydra -l admin -P passwords.txt 10.0.0.5 ssh

RDP user list + password

hydra -L users.txt -p Spring2026 10.0.0.5 rdp

HTTP POST form

hydra -L users.txt -P passwords.txt 10.0.0.5 http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid"

SMB

hydra -L users.txt -P passwords.txt 10.0.0.5 smb

Multi-target from file

hydra -L users.txt -P passwords.txt -M targets.txt ssh

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • -t 16 threads default. SSH/RDP servers throttle hard — 4-8 threads safer.
  • -W 5 waits 5s between attempts — defeats time-based rate-limit but slows everything.
  • -V verbose — see every attempt (useful but spammy).
  • -f stops after first valid pair found per target — bulk scans should use -F instead (stop after any host).
  • -o output.txt saves successful pairs — diff before/after to see what new auth surfaces appeared.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Account lockout: spraying SSH/RDP without throttle = locked admin in 30 seconds. Always check policy.
  • HTTP forms with CSRF tokens: hydra doesn’t handle dynamic tokens — use Burp Intruder or hydra with Cookie capture preprocessor.
  • Some protocols need extra modules: hydra http-form-mfa doesn’t exist — multi-factor sites need different tooling (e.g., Selenium).
  • Connection refused errors silently degrade success — verify port reachable first with nmap.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • Medusa — slightly different protocol set.
  • NetExec — for SMB / WinRM specifically, much smarter.
  • kerbrute — Kerberos-only username enum and brute.

India context and engagement notes

Hydra is loud and triggers alerts. For modern engagements use NetExec / kerbrute / patator instead. Hydra still wins for one-off “is this default password set?” checks where stealth doesn’t matter.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants