LEGAL AND ETHICAL NOTICE
Password brute-forcing and credential attacks are serious security testing techniques that are ILLEGAL when performed without explicit written authorization. This simulator is for educational purposes only. Understanding these techniques is crucial for defensive security, but misuse will result in criminal prosecution under laws including the Computer Fraud and Abuse Act (CFAA), similar statutes worldwide, and potential civil liability.
What is Hydra?
THC Hydra is a parallelized network authentication cracker that supports numerous protocols to perform rapid dictionary attacks against login services. It is one of the most popular and powerful tools for testing the security of authentication mechanisms.
Originally developed by The Hacker's Choice (THC), Hydra can perform brute-force and dictionary-based attacks against more than 50 protocols including SSH, FTP, HTTP, HTTPS, SMB, RDP, MySQL, PostgreSQL, and many others. Its parallel processing capabilities make it exceptionally fast compared to sequential attack tools.
Why Learn Hydra?
- Security Testing: Validate password policies and authentication security in authorized penetration tests
- Defensive Understanding: Understand attack methodologies to implement better defenses (rate limiting, account lockouts, monitoring)
- Credential Recovery: Recover lost credentials on systems you own (with appropriate backups)
- Protocol Knowledge: Deepen understanding of various authentication protocols and their vulnerabilities
- Industry Standard: Hydra is widely used in professional security assessments and is essential knowledge for cybersecurity careers
Supported Protocols
Hydra supports an extensive array of protocols. Here are the most commonly tested:
Network Services
- SSH (Secure Shell): Port 22 - Remote administration protocol
- FTP (File Transfer Protocol): Port 21 - File transfer service
- Telnet: Port 23 - Unencrypted remote access (legacy)
- SMB/SAMBA: Port 445 - Windows file sharing protocol
- RDP (Remote Desktop Protocol): Port 3389 - Windows remote desktop
- VNC (Virtual Network Computing): Port 5900 - Remote desktop protocol
Database Services
- MySQL: Port 3306 - Popular open-source database
- PostgreSQL: Port 5432 - Advanced open-source database
- MSSQL: Port 1433 - Microsoft SQL Server
- Oracle: Port 1521 - Oracle database
- MongoDB: Port 27017 - NoSQL database
Web Services
- HTTP/HTTPS: Ports 80/443 - Web form authentication, basic auth, digest auth
- HTTP-POST-FORM: POST-based login forms (most common web logins)
- HTTP-GET-FORM: GET-based authentication
Email Protocols
- IMAP: Port 143/993 - Email retrieval
- POP3: Port 110/995 - Email retrieval
- SMTP: Port 25/587 - Email sending
Basic Syntax and Options
Core Command Structure
hydra [OPTIONS] TARGET PROTOCOL
Essential Options
-l LOGIN # Single username
-L FILE # Username list file
-p PASS # Single password
-P FILE # Password list file (wordlist)
-C FILE # Colon-separated username:password file
-t TASKS # Number of parallel connections (default 16)
-s PORT # Custom port (if not default)
-f # Exit after first valid credential found
-F # Exit after first valid credential per host
-v / -V # Verbose / Very verbose output
-o FILE # Output results to file
Example Commands
SSH Attack (Single User):
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100
FTP Attack (Multiple Users):
hydra -L users.txt -P passwords.txt -t 4 -f ftp://192.168.1.50
HTTP POST Form:
hydra -l admin -P wordlist.txt 192.168.1.100 http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid credentials"
MySQL Database:
hydra -l root -P passwords.txt -s 3306 mysql://192.168.1.100
RDP Attack:
hydra -L usernames.txt -P passwords.txt -V rdp://192.168.1.200
Advanced Techniques
Optimizing Attack Speed
The -t parameter controls parallel tasks. Higher values increase speed but may trigger security defenses or cause service disruption:
- Low (1-4 tasks): Stealthy, slower, less likely to trigger IDS/IPS
- Medium (8-16 tasks): Default, balanced approach
- High (32-64 tasks): Fast but noisy, may trigger defenses or crash services
Service Stability Warning:
Excessive parallel connections can crash or destabilize services. Always start conservative and increase gradually. In production environments, use minimal task counts to avoid denial-of-service conditions.
Using Custom Wordlists
Effective wordlists are critical for success. Common wordlist locations:
# Popular wordlists on Kali Linux:
/usr/share/wordlists/rockyou.txt # 14M+ passwords from real breaches
/usr/share/wordlists/fasttrack.txt # Common default passwords
/usr/share/seclists/Passwords/ # Curated password collections
/usr/share/seclists/Usernames/ # Common username lists
Credential Pair Files
Use -C for pre-paired credentials (common default combinations):
# Format: username:password (one per line)
admin:admin
root:toor
administrator:password123
postgres:postgres
mysql:mysql
Protocol-Specific Syntax
HTTP POST Form Attacks:
hydra -L users.txt -P pass.txt example.com http-post-form
"/path/to/login:username=^USER^&password=^PASS^:F=incorrect"
# Breakdown:
# /path/to/login - Form action URL
# username=^USER^ - Username parameter (^USER^ is placeholder)
# password=^PASS^ - Password parameter (^PASS^ is placeholder)
# F=incorrect - Failure string (text that appears on failed login)
# Can also use S=success for success string detection
Defensive Countermeasures
Understanding Hydra attacks teaches you how to defend against them. Critical defenses include:
1. Account Lockout Policies
- Lock accounts after N failed attempts (typically 3-5)
- Implement temporary lockouts (5-15 minutes) before permanent locks
- Require administrator intervention for unlock on sensitive accounts
2. Rate Limiting
- Limit authentication attempts per IP address (e.g., 10 per minute)
- Implement exponential backoff (increasing delays after failures)
- Use CAPTCHA after repeated failures
3. Strong Password Policies
- Minimum 12-14 characters for administrative accounts
- Require complexity (uppercase, lowercase, numbers, symbols)
- Prohibit common passwords using breach databases
- Enforce password rotation for privileged accounts
4. Multi-Factor Authentication (MFA)
- Require second factor (SMS, authenticator app, hardware token)
- Makes brute-force attacks effectively impossible
- Critical for administrative and privileged access
5. Monitoring and Detection
- Monitor for multiple failed authentication attempts
- Alert on unusual authentication patterns (time, location, volume)
- Use SIEM systems to correlate authentication events
- Implement intrusion detection systems (IDS) to detect brute-force signatures
6. Network-Level Defenses
- Firewall rules limiting access to authentication services
- VPN requirements for administrative access
- IP whitelisting for critical services
- Fail2ban or similar automated blocking tools
Defense in Depth:
No single defense is perfect. Layer multiple defensive techniques to create comprehensive protection against credential attacks. MFA is the most effective single control, rendering most brute-force attacks ineffective regardless of password strength.
Ethical and Legal Considerations
UNAUTHORIZED ACCESS IS A FEDERAL CRIME
Under 18 U.S.C. § 1030 (Computer Fraud and Abuse Act) and similar laws worldwide, unauthorized access to computer systems is punishable by fines up to $250,000 and imprisonment up to 20 years for repeat offenses. "I was just testing" is NOT a legal defense.
Legal Use Cases
- Authorized Penetration Testing: Written scope document, signed authorization, clearly defined boundaries
- Personal Systems: Your own servers, networks, and accounts (with backups)
- Controlled Lab Environments: Virtual machines, isolated networks, training platforms
- Bug Bounty Programs: Following published rules of engagement exactly
Professional Ethics
- Always obtain explicit written authorization before testing
- Clearly document scope, methods, and findings
- Protect confidential information discovered during testing
- Report vulnerabilities responsibly to asset owners
- Never exceed authorized scope or access data unnecessarily
- Maintain professional certifications and continuing education
Red Team vs. Black Hat
Red Teams are authorized security professionals who use offensive techniques to improve organizational security. They operate under strict legal agreements, professional ethics, and organizational policies.
Black Hats are malicious actors who perform unauthorized attacks for personal gain, disruption, or other illegal purposes. They face criminal prosecution, civil liability, and reputational destruction.
The technical skills may overlap, but the authorization, intent, and legal status are fundamentally different.
Hydra Training Simulator v1.0
Select a target scenario and type Hydra commands to simulate attacks.
Press TAB for autocomplete suggestions. Type 'help' for examples.
Type 'clear' to clear the terminal.
------------------------------------------------------------
root@kali:~$
Hydra Challenges
Complete these challenges to test your Hydra skills. Enter the correct command to solve each challenge.
Hydra Quick Reference
Core Options
| Option | Description |
|---|---|
| -l LOGIN | Specify single username |
| -L FILE | Load username list from file |
| -p PASS | Specify single password |
| -P FILE | Load password list from file |
| -C FILE | Colon-separated username:password pairs file |
| -e nsr | Try null password (n), login as password (s), reversed login (r) |
| -u | Loop around users, not passwords (useful to avoid account lockout) |
| -f | Exit after first valid credential found |
| -F | Exit after first valid credential per host |
| -M FILE | Attack multiple targets from file |
Performance & Output
| Option | Description |
|---|---|
| -t TASKS | Number of parallel connections (default 16, max 64) |
| -w TIME | Wait time for responses in seconds (default 32) |
| -c TIME | Wait time per login attempt in seconds |
| -v / -V | Verbose / Very verbose output |
| -d | Debug mode |
| -q | Quiet mode, only show results |
| -o FILE | Write output to file |
| -b FORMAT | Output format: text, json, jsonv1 |
Network Options
| Option | Description |
|---|---|
| -s PORT | Custom port number (if not default for protocol) |
| -S | Use SSL/TLS connection |
| -O | Use old SSL version (SSLv2/SSLv3) |
| -4 / -6 | Force IPv4 / IPv6 |
Common Protocols & Ports
| Protocol | Default Port | Description |
|---|---|---|
| ssh | 22 | Secure Shell remote access |
| ftp | 21 | File Transfer Protocol |
| telnet | 23 | Unencrypted remote access |
| http | 80 | Web (Basic/Digest auth) |
| https | 443 | Secure web |
| http-post-form | 80 | Web form POST authentication |
| http-get-form | 80 | Web form GET authentication |
| smb | 445 | Windows file sharing |
| rdp | 3389 | Remote Desktop Protocol |
| vnc | 5900 | Virtual Network Computing |
| mysql | 3306 | MySQL database |
| postgres | 5432 | PostgreSQL database |
| mssql | 1433 | Microsoft SQL Server |
| mongodb | 27017 | MongoDB NoSQL database |
| imap | 143 | Email retrieval |
| pop3 | 110 | Email retrieval |
| smtp | 25 | Email sending |
Common Wordlists
| Path | Description |
|---|---|
| /usr/share/wordlists/rockyou.txt | 14M+ real-world passwords from breaches |
| /usr/share/wordlists/fasttrack.txt | Common default passwords |
| /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt | Top 10K common passwords |
| /usr/share/seclists/Passwords/Default-Credentials/ | Default credentials for various systems |
| /usr/share/seclists/Usernames/top-usernames-shortlist.txt | Common usernames |
| /usr/share/seclists/Usernames/cirt-default-usernames.txt | Default usernames |
Example Commands
# SSH brute-force single user
hydra -l root -P rockyou.txt ssh://192.168.1.100
# FTP with user and password lists
hydra -L users.txt -P passwords.txt -t 4 ftp://192.168.1.50
# HTTP POST form (common web login)
hydra -l admin -P wordlist.txt 192.168.1.100 http-post-form "/login:user=^USER^&pass=^PASS^:F=incorrect"
# MySQL database
hydra -l root -P passwords.txt mysql://192.168.1.100
# RDP attack (Windows Remote Desktop)
hydra -L users.txt -P passwords.txt -V rdp://192.168.1.200
# SMB/Windows shares
hydra -L users.txt -P passwords.txt smb://192.168.1.150
# IMAP email server
hydra -l user@example.com -P passwords.txt imap://mail.example.com
# Multiple targets from file
hydra -L users.txt -P passwords.txt -M targets.txt ssh
# Using credential pairs file
hydra -C credentials.txt ssh://192.168.1.100
# Custom port SSH
hydra -l admin -P wordlist.txt -s 2222 ssh://192.168.1.100
# Exit after first valid credential
hydra -l admin -P wordlist.txt -f ssh://192.168.1.100
# Loop users to avoid lockout
hydra -L users.txt -P passwords.txt -u ssh://192.168.1.100
# Verbose output with result file
hydra -l admin -P wordlist.txt -V -o results.txt ssh://192.168.1.100
Settings
Appearance
Dark Mode
Toggle dark/light color scheme
Progress Management
Export Progress
Download your challenge progress and settings as JSON
Import Progress
Restore progress from a previously exported JSON file
Reset Progress
Clear all challenge completions and statistics (cannot be undone)
About
Hydra Training Lab
Version 1.0.0
Educational network authentication attack simulator for cybersecurity training.
For authorized security testing and education only. Unauthorized use is illegal.