loading
loading
Passwords
A fast, flexible, parallelized login cracker that supports numerous protocols to attack.
overview
Hydra (THC-Hydra) is a network login cracker that throws username and password guesses at a service in parallel until it finds a working pair. It speaks dozens of protocols, from SSH, FTP, and SMB to HTTP form and basic auth, so the same tool tests credentials against almost any login it meets. The parallelism is what makes it practical: many connections run at once, per target and overall, so large credential lists finish in a fraction of the serial time.
You point Hydra at a target and a service, supply logins and passwords as single values or files, and it reports the pairs that succeed. The login:pass combo file lets you replay leaked credential dumps directly, while the built-in generator can brute force a charset and length range when you have no list. Concurrency, wait times, and an early-exit-on-success flag all tune the run against the service's tolerance.
On Trickest, Hydra is a Passwords node that reads target and credential files and writes a file and a folder of results. Use it for authorized credential-strength testing: confirm whether reused or weak passwords open a service, then feed the recovered pairs into your reporting stage.
use cases
Run a username and password list against SSH, FTP, SMB, or an HTTP login to confirm whether weak or reused credentials grant access.
Use the http-post-form service to test a phpMyAdmin panel, admin console, or app login, matching the failure string so Hydra reports only the pairs that authenticate.
Feed a colon-separated login:pass file so Hydra replays known leaked pairs directly against the target service.
Use the built-in generator to try a charset and length range, with non-random ordering to make the run repeatable.
Supply a servers file to attack a list of targets, tuning global and per-target concurrency to stay within their limits.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| server | STRING | · | The target: a DNS name, IP, or CIDR such as 192.168.0.0/24. |
| service | STRING | · | The service to crack, e.g. ssh, ftp, smb, or http-post-form. |
| login | STRING | -l | Try a single login name. |
| logins | FILE | -L | Load several logins from a file. |
| passwords | FILE | -P | Load several passwords from a file. |
| login-pass-file | FILE | -C | Colon-separated login:pass file instead of separate username and password lists. |
| threads-per-target | STRING | -t | Connections to run in parallel per target (default 16). |
| exit-found | BOOLEAN | -f | Exit when a login/pass pair is found for a host. |
Showing key inputs. Hydra exposes 31 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| ipv4 | BOOLEAN | -4 | use IPv4 addresses (default) |
| ipv6 | BOOLEAN | -6 | use IPv6 addresses (always wrap in [], including in the servers file) |
| port | STRING | -s | connect on this port when the service runs on a non-default one |
| debug | BOOLEAN | -d | debug mode |
| login | STRING | -l | try this single login name |
| quiet | BOOLEAN | -q | do not print messages about connection errors |
| logins | FILE | -L | load several logins from a file |
| server | STRING | · | the target: a DNS name, IP, or CIDR such as 192.168.0.0/24 (this or the servers file) |
| old-ssl | BOOLEAN | -O | use old SSL v2 and v3 |
| servers | FILE | -M | list of servers to attack, one per line, ':' to set a port |
| service | STRING | · | the service to crack. Supported: adam6500 asterisk cisco cisco-enable cvs ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql(v4) nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey teamspeak telnet[s] vmauthd vnc xmpp |
| verbose | BOOLEAN | -v | verbose mode |
| password | STRING | -p | try this single password |
| passwords | FILE | -P | load several passwords from a file |
| exit-found | BOOLEAN | -f | exit when a login/pass pair is found for a host |
| pass-gen-nsr | STRING | -e | extra password tries: 'n' null password, 's' login as pass, 'r' reversed login |
| output-format | STRING | -b | output format: text (default), json, or jsonv1 |
| threads-global | STRING | -T | run this many connects in parallel overall (default 64) |
| login-pass-file | FILE | -C | colon-separated login:pass file instead of separate login and password files |
| pass-generation | STRING | -x | MIN:MAX:CHARSET bruteforce generation, e.g. 5:8:A1 for length 5 to 8 with uppercase letters and digits |
| show-login-pass | BOOLEAN | -V | show login+pass for each attempt |
| dont-redo-failed | BOOLEAN | -K | do not redo failed attempts (good for mass scanning with a servers file) |
| exit-found-global | BOOLEAN | -F | exit when any login/pass pair is found across all hosts |
| loop-arround-users | STRING | -u | loop around users rather than passwords (implied with -x) |
| threads-per-target | STRING | -t | run this many connects in parallel per target (default 16) |
| pass-gen-non-random | BOOLEAN | -r | use a non-random shuffling method for option -x |
| perform-ssl-connect | BOOLEAN | -S | perform an SSL connect |
| wait-time-per-login | STRING | -c | wait time per login attempt over all threads (forces one thread per target) |
| wait-time-for-response | STRING | -w | wait time for a response (default 32) |
| pass-gen-disable-symbols | BOOLEAN | -y | disable use of symbols in bruteforce |
| wait-time-between-connects | STRING | -W | wait time between connects per thread (default 0) |
example
# brute-force an SSH login with username and password listshydra -L users.txt -P passwords.txt -t 4 -f ssh://198.51.100.23Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - for legal and authorized testing only Hydra starting at 2026-06-22 14:03:11[DATA] max 4 tasks per 1 server, overall 4 tasks, 3210 login tries (l:6/p:535), ~803 tries per task[DATA] attacking ssh://198.51.100.23:22/[22][ssh] host: 198.51.100.23 login: admin password: s3cret-Summer24[STATUS] 1210.00 tries/min, 1210 tries in 00:01h, 2000 to do in 00:02h, 4 active1 of 1 target successfully completed, 1 valid password foundHydra finished at 2026-06-22 14:05:47guidance
Use Hydra for authorized testing of network login strength across protocols. For wordlist-based offline hash cracking, hashcat or john are the right tools. For web-app-specific brute forcing with response matching, ffuf gives finer control.
Another parallel network login cracker. Similar scope, different module set and tuning.
Nmap's network auth cracker. Strong on SSH and RDP, fewer modules than Hydra overall.
Web fuzzer with response matching. Better for HTTP login brute forcing that needs precise filtering.
faq
A target and a credential wordlist feed Hydra, which tests logins in parallel and writes the working login/pass pairs as a queryable output.
Facts on this page come from the live Trickest tool library.