What Is Hydra?

THC Hydra Is A Classic Brute Force Hacking Tool

Posted by Henry Dalziel  |  December 16, 2019


- C|EH, Security+, MSc Marketing Management;
- Based in Hong Kong for the last five years;
- Cybersecurity Pro & Growth Hacker

This is a pretty awesome password cracking software that's been around for a while! THC Hydra specializes in Brute Force hacking.

What is Hydra?
Hydra is a very well-known and respected network logon cracker (password cracking tool) which can support many different services. (Similar projects and tools include Medusa and John the Ripper.)


Supported services include:

afp cisco cisco-enable cvs
firebird ftp http-get http-head
http-proxy https-get https-head https-form-get
https-form-post icq imap imap-ntlm
ldap2 ldap3 mssql mysql
ncp nntp oracle-listener pcanywhere
pcnfs pop3 pop3-ntlm postgres
rexec rlogin rsh sapr3
sip smb smbnt smtp-auth
smtp-auth-ntlm snmp socks5 ssh2
teamspeak telnet vmauthd vnc


How does Hydra work?
Hydra is a brute force password cracking tool. In information security (IT security), password cracking is the methodology of guessing passwords from databases that have been stored in, or are in transit within, a computer system or network. A common approach, and the one used by Hydra and many other similar pentesting tools and programs, is referred to as brute force. We could easily do a Concise Bytes on ‘Brute Force Hacking’, but since this post is all about Hydra, let’s place the brute-force attack concept within this password-guessing tool.

Brute force just means that the program launches a relentless barrage of passwords at a login to guess the password. As we know, the majority of users have weak passwords and all too often they are easily guessed. A little bit of social engineering and the chances of finding the correct password for a user are multiplied. Most people (especially those who are not IT-savvy) will base their ‘secret’ passwords on words and nouns that they will not easily forget. These words are common: loved ones, children’s names, street addresses, favorite football team, place of birth, etc. All of this is easily obtained through social media, so as soon as the hacker has gathered this data it can be compiled into a ‘password list’.

Brute force will take the list that the hacker built, likely combine it with other known easy passwords (such as ‘password1’, ‘password2’, etc.) and begin the attack. Depending on the processing speed of the hacker’s (auditor’s) computer and Internet connection (and perhaps proxies), the brute force methodology will systematically go through each password until the correct one is discovered.

It is not considered as being very subtle – but hey it works!

Hydra is considered one of the better ones out there, and it is certainly worth your time as a security professional or student to give it a try.

Resources and tutorials
The majority of pentesting/hacking tools are created and developed from a security perspective, meaning that they are designed to help the pentester find flaws in their clients’ systems and take appropriate action. Hydra works by helping the auditor find weak passwords in their client’s network. The Hydra developers recommend that the professional do the following when using Hydra:

Step 1: Make your network as secure as possible.
Step 2: Set up a test network
Step 3: Set up a test server
Step 4: Configure services
Step 5: Configure the ACL
Step 6: Choose good passwords
Step 7: Use SSL
Step 8: Use Cryptography
Step 9: Use an IDS
Step 10: Throw Hydra against the security and try and crack the logon commands.
The below commands will install Hydra and here is our favorite video tutorial on how to use Hydra.

How do we defend against Hydra and brute force attacks?
There are several ways a system admin or network engineer can defend against brute force attacks. Here are a few methods. If you can think of any others, or disagree with the below, let us know in the comments below!

- Disable or block access to accounts when a predetermined number of failed authentication attempts has been reached.
- Consider multi-factor or double opt-in/log in for users.
- Consider implementing hardware-based security tokens in place of system-level passwords.
- Require all employees to use generated passwords or phrases, and ensure every employee uses symbols whenever possible.
- And the simplest: remove extremely sensitive data from the network; isolate it!
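
The first item above (act after a predetermined number of failed attempts) can be checked against log data. The following is an added example, not code from the original post or from the Hydra project: it counts failures per account and per source address in a sliding window. It assumes OpenSSH-style `Failed password` syslog lines; `find_lockouts`, its thresholds and all sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH-style failure line: timestamp, optional "invalid user", account, source.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def find_lockouts(log_text, max_failures=5, window=timedelta(minutes=5), year=2019):
    """Return (locked_accounts, blocked_sources) as {name: time threshold was hit}.

    A name is flagged once it collects max_failures failed logins inside a
    sliding window. Syslog lines carry no year, so one is supplied.
    """
    recent = defaultdict(deque)          # (kind, name) -> recent failure times
    locked, blocked = {}, {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                      # successes and unrelated lines
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for kind, name, flagged in (("user", m.group(2), locked),
                                    ("src", m.group(3), blocked)):
            times = recent[(kind, name)]
            times.append(ts)
            while ts - times[0] > window:  # drop failures older than the window
                times.popleft()
            if len(times) >= max_failures:
                flagged.setdefault(name, ts)
    return locked, blocked

def _fail(sec, user, src):
    # Constructed sample line; host name, PID and port are placeholders.
    return (f"Dec 16 10:00:{sec:02d} host sshd[100]: "
            f"Failed password for {user} from {src} port 4000 ssh2")

# Constructed log (documentation addresses), not taken from the page:
SAMPLE_LOG = "\n".join(
    [_fail(s, "root", "203.0.113.7") for s in range(0, 12, 2)]        # one account hammered
    + [_fail(20 + i, u, "198.51.100.9")                               # one guess per account
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [_fail(40, "frank", "192.0.2.10"), _fail(45, "frank", "192.0.2.10"),
       "Dec 16 10:00:50 host sshd[100]: Accepted password for frank "
       "from 192.0.2.10 port 4000 ssh2"])                             # two typos, then success

if __name__ == "__main__":
    locked, blocked = find_lockouts(SAMPLE_LOG)
    print("lock accounts:", sorted(locked))
    print("block sources:", sorted(blocked))
```

In the sample, the source that tries one password against each of five accounts never trips a per-account lockout and is caught only by the per-source counter, which is why the two counters are kept side by side.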

In Summary
What are your thoughts? Have you used Hydra in any white/black box pentesting, and did it work or fail? Can you think of any particular uses for this program, or are there alternatives that we should also share with your community?

23 responses to “What Is Hydra?”

  1. SeaSkiii says:

    Needs a dictionary / lists
    k thx bye

  2. Issa says:

    When you match passwords, this is called a dictionary attack, not BRUTE FORCING!!!!

  3. proxy says:

    Open proxies are often used by ISPs and firms to decrease network loads. For those running old version, browser upgrading is important. This eliminates the chance of a hacker gaining control of your information while you are online.

  4. Charlie says:

    where can I get hydra software reply via email

  5. Guy says:

    Actually, you don’t need a list to do a hack. You can just use “-x” instead of “-P”. “-P” tells Hydra you’ll load passwords from a list. “-x” tells it that you’ll want it to guess the password. But the full command would be something like this: -x 6:8:a. 6 representing the minimum number of characters, 8 representing the maximum number of characters and “a” representing the letter you wish to start with. Have fun!

  6. rabin says:

    I had downloaded it but I’m unable to open it… it is a tar.gz type of file… how can I open it?

  7. TOd says:

    Does anyone know the simplest way to hack wifi by scripting with hydra? Need some help for a presentation.

  8. Victoria says:

    The most likely abuser is just a spammer looking for emails to use in a botnet, therefore website content should be updated on regular basis, time interval varies on the type of industry you deal in. One crude yet highly successful method of slowing networks and taking websites down is the DOS (denial of service) attack.

  9. @ASIQ says:

    I want to get the password “aashik123”. I just know there are five letters and the remaining 3 digits are numbers. Can you write crunch for me, dude?

  10. Henry Dalziel says:

    Hi Asiq – the short answer is that I’m not too sure. I’d suggest that you contact the local consulate or US Embassy. Attending a conference would be a non-employment based event so I think it ought to be pretty straight forward. Good luck and let us know how you get on.

  11. Thomas says:

    They are the same thing. Just brute force is the more technical term.

  12. Anonymous says:

    What operating system did you use?

  13. Anonymous says:

    LMFAO at everyone who comments here. Get some knowledge first, don’t beg for code xD

  14. Tiny Frogo says:

    I got in trouble at school, and now a teacher has to log on for me, and I AM NOT ALLOWED TO KNOW MY OWN PASSWORD! So I am trying to find something to guess the password. Do you have any recommendations?
