Situation
Hydra is a popular password-cracking tool that can be used for testing the strength of passwords through brute force or dictionary attacks.
Solution
Installation
For Linux (Debian/Ubuntu):
sudo apt update
sudo apt install hydra
For macOS (using Homebrew):
brew install hydra
For Windows:
Download the Windows version from the GitHub repository (https://github.com/vanhauser-thc/thc-hydra) or use Windows Subsystem for Linux (WSL).
Basic Syntax
hydra [options] [target] [protocol] [options]
Where:
– “options” are flags or parameters (e.g., wordlists, ports, etc.)
– “target” is the target machine or service
– “protocol” is the service/protocol you’re attacking (e.g., SSH, FTP, HTTP)
Using Hydra for SSH Bruteforce
One of the most common use cases for Hydra is cracking SSH passwords.
hydra -l <username> -P <path-to-wordlist> ssh://<target-ip>
– “-l <username>”: Specify the username for the attack.
– “-P <path-to-wordlist>”: Provide the path to your wordlist (a file containing a list of possible passwords).
– “ssh://<target-ip>”: Target machine and service (replace `<target-ip>` with the actual IP).
Using Hydra for HTTP Form Authentication
If you’re testing HTTP form-based login, you can use Hydra to brute force the login page. For example, to test against a login page:
hydra -l <username> -P <path-to-wordlist> <target-ip> http-form-post "/login.php:user=^USER^&pass=^PASS^:F=incorrect"
– “-l <username>”: Specify the username.
– “-P <path-to-wordlist>”: Path to the wordlist.
– “<target-ip>”: The IP address of the target machine.
– “http-form-post”: The protocol you’re attacking (HTTP POST).
– `"/login.php:user=^USER^&pass=^PASS^:F=incorrect"`: The HTTP form POST data. Adjust the URL, fields, and the failure string (“incorrect” in this case) based on the target login form.