Kali Linux
hydra
Overview
THC-Hydra parallelizes network login brute-force across protocols: SSH, FTP, HTTP(S) forms, SMB, RDP, SQL, SNMP, and many more via module-specific libraries.
Use `-L users.txt -P passes.txt` for combo attacks; `-C` for colon-separated cred pairs. `-t` threads and `-W` wait time tune aggressiveness. HTTP modules need path and form field names (`http-post-form` syntax).
Account lockout policies can brick engagements; prefer password spraying (`-u` single user, large wordlist slowly) on AD environments.
Primary use cases
- Credential stuffing against SSH/FTP with known user lists
- HTTP form brute-force on admin login pages
- SNMP community string guessing
- Spraying one password across many AD accounts
Key commands
SSH brute-force
hydra -L users.txt -P rockyou.txt ssh://10.0.0.50 -t 4 -W 3
HTTP POST form
hydra -l admin -P passes.txt 10.0.0.50 http-post-form '/login:user=^USER^&pass=^PASS^:F=invalid'
Detection / defense notes
- Rate limiting, CAPTCHA, and lockout after N failures
- Monitor distributed failed auth across many accounts (spray detection)
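As an added illustration of the spray-detection note above (example code written for this page, not part of hydra or any Kali tool): a small Python script that parses constructed sshd failure lines and labels each source IP as spraying (one source, many distinct users in a short window) or brute-forcing (one source, one user, many failures). Log lines, IPs and the year are constructed assumptions; thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (not real logs); the year is assumed to be 2024.
SAMPLE_LOG = """\
Jan 10 03:00:01 host sshd[100]: Failed password for alice from 198.51.100.7 port 4001 ssh2
Jan 10 03:00:02 host sshd[101]: Failed password for bob from 198.51.100.7 port 4002 ssh2
Jan 10 03:00:03 host sshd[102]: Failed password for carol from 198.51.100.7 port 4003 ssh2
Jan 10 03:00:04 host sshd[103]: Failed password for invalid user dave from 198.51.100.7 port 4004 ssh2
Jan 10 03:00:05 host sshd[104]: Failed password for erin from 198.51.100.7 port 4005 ssh2
Jan 10 03:00:06 host sshd[105]: Accepted password for alice from 203.0.113.9 port 5000 ssh2
Jan 10 03:01:00 host sshd[106]: Failed password for root from 203.0.113.9 port 5001 ssh2
Jan 10 03:01:01 host sshd[107]: Failed password for root from 203.0.113.9 port 5002 ssh2
Jan 10 03:01:02 host sshd[108]: Failed password for root from 203.0.113.9 port 5003 ssh2
Jan 10 03:01:03 host sshd[109]: Failed password for root from 203.0.113.9 port 5004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Return (timestamp, user, source_ip) for every failed-auth line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events

def classify_sources(events, window_s=60, spray_users=4, brute_fails=4):
    """Per source IP: 'spray' when >= spray_users distinct users fail inside window_s seconds,
    'brute' when one user accumulates >= brute_fails failures inside the same window."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide a window starting at each failure
            win = [u for t, u in evs[i:] if (t - t0).total_seconds() <= window_s]
            if len(set(win)) >= spray_users:
                verdicts[ip] = "spray"; break
            if max(win.count(u) for u in set(win)) >= brute_fails:
                verdicts[ip] = "brute"; break
    return verdicts
```

The same per-source grouping applies to web or domain-controller failure events once the regex is swapped for that log format.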
Related tools
- Hashcat — GPU password recovery. Rule and mask attacks across hundreds of hash formats.
- crackmapexec — Swiss army knife for AD pentesting. SMB, WinRM, LDAP, MSSQL lateral movement.