Network login brute-forcer for 50+ protocols — SSH, RDP, FTP, SMB, HTTP forms, telnet.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
Linux (apt)
sudo apt install hydra
macOS (brew)
brew install hydra
Source
git clone https://github.com/vanhauser-thc/thc-hydra && cd thc-hydra && ./configure && make && make install
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
SSH single user
hydra -l admin -P passwords.txt 10.0.0.5 ssh
RDP user list + password
hydra -L users.txt -p Spring2026 10.0.0.5 rdp
HTTP POST form
hydra -L users.txt -P passwords.txt 10.0.0.5 http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid"
SMB
hydra -L users.txt -P passwords.txt 10.0.0.5 smb
Multi-target from file
hydra -L users.txt -P passwords.txt -M targets.txt ssh
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
-t 16threads default. SSH/RDP servers throttle hard — 4-8 threads safer.-W 5waits 5s between attempts — defeats time-based rate-limit but slows everything.-Vverbose — see every attempt (useful but spammy).-fstops after first valid pair found per target — bulk scans should use-Finstead (stop after any host).-o output.txtsaves successful pairs — diff before/after to see what new auth surfaces appeared.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- Account lockout: spraying SSH/RDP without throttle = locked admin in 30 seconds. Always check policy.
- HTTP forms with CSRF tokens: hydra doesn’t handle dynamic tokens — use Burp Intruder or hydra with Cookie capture preprocessor.
- Some protocols need extra modules:
hydra http-form-mfadoesn’t exist — multi-factor sites need different tooling (e.g., Selenium). Connection refusederrors silently degrade success — verify port reachable first with nmap.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- Medusa — slightly different protocol set.
- NetExec — for SMB / WinRM specifically, much smarter.
- kerbrute — Kerberos-only username enum and brute.
India context and engagement notes
Hydra is loud and triggers alerts. For modern engagements use NetExec / kerbrute / patator instead. Hydra still wins for one-off “is this default password set?” checks where stealth doesn’t matter.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.