From aldeid
Jump to navigation Jump to search
This article is also available in one or more other languages
To view this article in French, click here


THC-Hydra is a very fast (multi-threaded) network logon cracker which supports many different services:

  • afp
  • cisco
  • cisco-enable
  • cvs
  • firebird
  • ftp
  • http-get
  • http-head
  • http-proxy
  • https-get
  • https-head
  • https-form-get
  • https-form-post
  • icq
  • imap
  • imap-ntlm
  • ldap2
  • ldap3
  • mssql
  • mysql
  • ncp
  • nntp
  • oracle-listener
  • pcanywhere
  • pcnfs
  • pop3
  • pop3-ntlm
  • postgres
  • rexec
  • rlogin
  • rsh
  • sapr3
  • sip
  • smb
  • smbnt
  • smtp-auth
  • smtp-auth-ntlm
  • snmp
  • socks5
  • ssh2
  • svn
  • teamspeak
  • telnet
  • vmauthd
  • vnc



Name Lib Package
Xhydra (GUI) sudo apt-get install pkg-config libgtk2.0-dev
Openssl libssl/ssl.h sudo apt-get install libssl-dev
Postgres sudo apt-get install libpq-dev
SVN (Subversion) libsvn_client-1,, sudo apt-get install libsvn-dev libapr1-dev libaprutil1-dev
firebird sudo apt-get install firebird2.1-dev
MySQL client sudo apt-get install libmysqlclient-dev
NCP, nwcalls.h sudo apt-get install libncp-dev
SAP/R3 librfc/saprfc.h (See
libssh libssh/libssh.h sudo apt-get install libssh-dev

Install Hydra

$ cd /data/src/
$ wget
$ tar xzvf hydra-5.9-src.tar.gz
$ cd hydra-5.9-src/
$ ./configure
$ make
$ sudo make install


Command Line Interface (CLI)


$ hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns]
[-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV]
server service [OPT]


restore a previous aborted/crashed session
connect via SSL
-s <PORT>
if the service is on a different default port, define it here
-l <LOGIN> or -L <FILE>
login with LOGIN name, or load several logins from FILE
-p <PASS> or -P <FILE>
try password PASS, or load several passwords from FILE
-e <ns>
additional checks, "n" for null password, "s" try login as pass
colon seperated "login:pass" format, instead of -L/-P options
server list for parallel attacks, one entry per line
-o <FILE>
write found login/password pairs to FILE instead of stdout
exit after the first found login/password pair (per host if -M)
-t <TASKS>
run TASKS number of connects in parallel (default: 16)
defines the max wait time in seconds for responses (default: 30)
-v / -V
verbose mode / show login+pass combination for each attempt
the target server (use either this OR the -M option)
the service to crack. Supported protocols: telnet ftp pop3[-ntlm] imap[-ntlm] smb smbnt http[s]-{head|get} http-{get|post}-form http-proxy cisco cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5 rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh2 smtp-auth[-ntlm] pcanywhere teamspeak sip vmauthd firebird ncp afp
some service modules need special input (see README!)

Graphical User Interface (GUI)


This tab enables to specify the target and the protocol to attack.

  • Target
    • Use "Single Target" to specify one unique host
    • Use "Target List" to specify a file containing a list of hosts
    • Eventually use "Port" to specify the port to attack (if non standard)
    • Select the protocol in the "Protocol" dropdown list
  • Output Options
    • Use SSL: Check this option if the protocol uses SSL
    • Show attemps: Displays all brute-force attemps in the Start tab
    • Be verbose: Displays more information in the Start tab
    • Debug: Displays debug information in the Start tab



This tab enables to specify the credentials to use for the brute-force attack.

  • Username
    • Use "Username" for a unique username (if known. e.g. root, sa, ...)
    • Use "Username List" for a list of usernames from a file.
  • Password
    • Use "Password" if you already know the password (uncommon).
    • Use "Password List" to specify a file where you have saved all passwords to test.
  • Colon separated file
    • Use Colon separated file: Use this option if you prefer to use a file where login and passwords are specified in a unique file with colon as separator.
    • Try login as password: Use this option to attempt and combination of login as passwords from your file, in addition to your password file.
    • Try empty password: Will try empty password in addition to your password file.


If you select both options "Username List" and "Password List", xhydra will try every combination of logins/passwords from specified files.


This tab enables to fine-tune the brute-force attack.

  • Performance Options
    • Number of Tasks: Number of parallel tasks (threads). Default: 36
    • Timeout: Maximum Timeout an attack process is waiting for a response from the target. Default: 30
    • Exit after first found pair: Xhydra will automatically close once a valid login/password has been found
  • Use a HTTP/HTTPS Proxy
    • No proxy / HTTP Method / CONNECT Method: enables to specify the proxy type
    • Proxy: Proxy address (e.g.
    • Proxy needs authentication: use for specifying a username/password
      • Username: Username to use for proxy authentication
      • Password: Password to use for proxy authentication


Notice that xhydra will automatically reduce the number of threads if needed (depends on the attacked service)


Some services need specific options. This tab enables to specify these options.

  • http-proxy module: URL to connect to via the proxy
  • http / https url: protected URL you want to access
  • Cisco Enable, Login for Cisco device: Password to the Cisco device
  • LDAP DN: The DN scope of LDAP to authenticate against
  • SMBNT:
    • local account: just attack local accounts
    • domain account: attack domain and local accounts
    • Interpret passes as NTLM hashes
  • sapr3 client id: Client id you want to attack (between 1 and 99)
  • CVS/SVN Repository: Directory of the CVS or SVN repository
  • Telnet - Successful Login String: Insert the return string for a successful login
  • SNMP:
    • Version 1 / Version 2: Version (1 or 2) of SNMP
    • Write Password / Read Password: Method



This tab shows outputs of xhydra (attempts, successful credentials, verbose and debug information). It also controls the tool (start, stop, save, clear output).

  • Output: All information about the brute-force process
  • Start: Starts the attack with provided information
  • Stop: Stops the running attack
  • Save output: enables to save the output in a file
  • Clear output: Clears the output screen.



The following is an example of hydra run against a local MySQL database, on the root account:

$ hydra mysql -l root -P /data/dictionnaires/test.txt -t 4
Hydra v5.9 (c) 2010 by van Hauser / THC - use allowed only for legal purposes.
Hydra ( starting at 2011-01-01 13:01:15
[DATA] 4 tasks, 1 servers, 32 login tries (l:1/p:32), ~8 tries per task
[DATA] attacking service mysql on port 3306
[3306][mysql] host:   login: root   password: Password01
[STATUS] attack finished for (waiting for childs to finish)
Hydra ( finished at 2011-01-01 13:01:15