Hydra Overview
Understanding Hydra Help
Viewing Hydra Modules
Print the hydra help output:
hydra -h
Notice the Supported services section. These are the modules that the hydra
binary installed on your system can use.
Supported services: adam6500 asterisk cisco cisco-enable cobaltstrike cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
Querying Module Usage
hydra -U module_name_here
For example, to query the usage documentation for the http-post-form module:
hydra -U http-post-form
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-14 17:56:12
Help for module http-post-form:
============================================================================
Module http-post-form requires the page and the parameters for the web form.
By default this module is configured to follow a maximum of 5 redirections in
a row. It always gathers a new cookie from the same URL without variables
The parameters requires at a minimum three ":" separated values,
plus optional values.
(Note: if you need a colon in the option string as value, escape it with "\:", but do not escape a "\" with "\\".)
Syntax: <url>:<form parameters>[:<optional>[:<optional>]:<condition string>
First is the page on the server to GET or POST to (URL), e.g. "/login".
Second is the POST/GET variables (taken from either the browser, proxy, etc.)
without the initial '?' character and the usernames and passwords being
replaced with "^USER^" ("^USER64^" for base64 encodings) and "^PASS^"
("^PASS64^" for base64 encodings).
Third are optional parameters (see below)
Last is the string that it checks for an *invalid* login (by default).
Invalid condition login check can be preceded by "F=", successful condition
login check must be preceded by "S=".
This is where most people get it wrong! You have to check the webapp what a
failed string looks like and put it in this parameter! Add the -d switch to see
the sent/received data!
Note that using invalid login condition checks can result in false positives!
The following parameters are optional and are put between the form parameters
and the condition string; seperate them too with colons:
2= 302 page forward return codes identify a successful attempt
(c|C)=/page/uri to define a different page to gather initial cookies from
(g|G)= skip pre-requests - only use this when no pre-cookies are required
(h|H)=My-Hdr\: foo to send a user defined HTTP header with each request
^USER[64]^ and ^PASS[64]^ can also be put into these headers!
Note: 'h' will add the user-defined header at the end
regardless it's already being sent by Hydra or not.
'H' will replace the value of that header if it exists, by the
one supplied by the user, or add the header at the end
Note that if you are going to put colons (:) in your headers you should escape
them with a backslash (\). All colons that are not option separators should be
escaped (see the examples above and below).
You can specify a header without escaping the colons, but that way you will not
be able to put colons in the header value itself, as they will be interpreted by
hydra as option separators.
Examples:
"/login.php:user=^USER^&pass=^PASS^:incorrect"
"/login.php:user=^USER64^&pass=^PASS64^&colon=colon\:escape:S=result=success"
"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed"
"/:user=^USER&pass=^PASS^:H=Authorization\: Basic dT1w:H=Cookie\: sessid=aaaa:h=X-User\: ^USER^:H=User-Agent\: wget"
"/exchweb/bin/auth/:F=failedowaauth.dll:destination=http%3A%2F%2F<target>%2Fexchange&flags=0&username=<domain>%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:C=/exchweb":reason=
Common Hydra Options
-I Do not read the hydra.restore file
-f Stop brute force attack when valid credentials found
-l username_here Use a single username
-L /path/to/usernames.txt Use a list of usernames from a file
-p password_here Use a single password
-P /path/to/passwords.txt Use a list of passwords from a file
-C /path/to/usernames_and_passwords.txt Use a list of username:password combinations in a file
-u For every password, loop over usernames instead
-s port_number_here Use an alternate port to connect to the target service
-t number_of_threads Number of parallel threads per task, good for throttling
-v Slightly verbose output
-V Verbose output of each login attempt
-d Debug output including protocol data
Example Command
username='root'
password_list='/usr/share/seclists/Passwords/Default-Credentials/default-passwords.txt'
hydra -IVf -t 4 -l "$username" -P "$password_list" ssh://10.10.0.6
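Returning to the http-post-form option string from the module help above, here is an added example (not part of the original page or of hydra itself): a small Python parser that follows the Syntax line as written, splitting on unescaped colons and reading the last field as the condition string. The names `split_fields` and `parse_form_options`, the returned field names, and the second sample string are assumptions made for illustration; it does not reproduce hydra's own parser.

```python
import re

OPTIONAL_KEYS = set("2cCgGhH")  # optional parameter keys listed in the help text
PLACEHOLDER = re.compile(r"\^(USER|PASS)(64)?(\^?)")


def split_fields(option_string):
    """Split on ':' unless it is written as '\\:', then unescape kept colons."""
    return [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", option_string)]


def parse_form_options(option_string):
    """Parse <url>:<form parameters>[:<optional>...]:<condition string>."""
    fields = split_fields(option_string)
    if len(fields) < 3:
        raise ValueError("need url, form parameters and a condition string")
    url, form, *optional, condition = fields

    # A bare condition or F= is a failure check; only S= marks a success check.
    if condition.startswith("S="):
        check, needle = "success", condition[2:]
    elif condition.startswith("F="):
        check, needle = "failure", condition[2:]
    else:
        check, needle = "failure", condition

    options = []
    for item in optional:
        key, sep, value = item.partition("=")
        if not sep or key not in OPTIONAL_KEYS:
            raise ValueError(f"not a documented optional parameter: {item!r}")
        options.append((key, value))

    # Flag ^USER / ^PASS placeholders that are missing their closing caret.
    unterminated = [m.group(0) for f in fields
                    for m in PLACEHOLDER.finditer(f) if not m.group(3)]
    return {"url": url, "form": form, "options": options,
            "check": check, "needle": needle, "unterminated": unterminated}


if __name__ == "__main__":
    samples = [
        r"/login.php:user=^USER^&pass=^PASS^:incorrect",  # from the help text
        # Constructed sample: escaped colon in a header, unterminated ^PASS.
        r"/login:user=^USER^&pass=^PASS:H=Cookie\: sessid=aaaa:F=incorrect",
    ]
    for s in samples:
        print(parse_form_options(s))
```

The `check` field makes explicit which kind of condition a string encodes, which is the part the help text says most people get wrong.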