C HTML CSS Makefile Shell Roff
Switch branches/tags
Clone or download
Latest commit 7f4d8fc Jul 16, 2018
Failed to load latest commit information.
hydra-gtk add radmin2 as a selectable option to xhydra Aug 1, 2017
web fix various spelling and typography errors Jul 25, 2017
.gitignore gitignore update Aug 11, 2016
.travis.yml travis-ci: install libgcrypt on osx. Aug 19, 2017
Android.mk disabled firebird: SIGSEGV on alloc.cpp:520 Nov 29, 2015
CHANGES update changelog Jul 16, 2018
INSTALL Removed execute bits from INSTALL, LICENSE and LICENSE.OPENSSL Apr 24, 2016
LICENSE Removed execute bits from INSTALL, LICENSE and LICENSE.OPENSSL Apr 24, 2016
LICENSE.OPENSSL FSF address update Jun 17, 2016
Makefile makefile fix Jul 21, 2017
Makefile.am support uncommon mysql ports Jun 14, 2018
Makefile.orig initial commit Apr 24, 2014
Makefile.unix warning fixes by crondaemon Aug 18, 2017
README 2018 year update Jan 4, 2018
README.md 2018 year update Jan 4, 2018
TODO changelog and todo update Mar 13, 2016
bfg.c cleanup Jul 7, 2017
bfg.h big int to stdint switch Jul 5, 2017
configure configure: find math.h on Xcode-only macOS systems Sep 1, 2017
crc32.c big int to stdint switch Jul 5, 2017
crc32.h big int to stdint switch Jul 5, 2017
d3des.c big int to stdint switch Jul 5, 2017
d3des.h big int to stdint switch Jul 5, 2017
dpl4hydra.sh dpl4hydra update Nov 3, 2016
dpl4hydra_full.csv dpl4hydra update Nov 3, 2016
dpl4hydra_local.csv dpl4hydra update Nov 3, 2016
hmacmd5.c big int to stdint switch Jul 5, 2017
hmacmd5.h big int to stdint switch Jul 5, 2017
hydra-adam6500.c cleanup Jul 7, 2017
hydra-afp.c big int to stdint switch Jul 5, 2017
hydra-asterisk.c big int to stdint switch Jul 5, 2017
hydra-cisco-enable.c big int to stdint switch Jul 5, 2017
hydra-cisco.c cisco: use strstr only on non-null var (found by ccc-analyzer). Aug 18, 2017
hydra-cvs.c big int to stdint switch Jul 5, 2017
hydra-firebird.c ipv6 pretty print Jul 6, 2017
hydra-ftp.c big int to stdint switch Jul 5, 2017
hydra-http-form.c modified parse_options function Jul 16, 2018
hydra-http-proxy-urlenum.c more spelling fixes Jul 26, 2017
hydra-http-proxy.c more spelling fixes Jul 26, 2017
hydra-http.c modified parse_options function Jul 16, 2018
hydra-http.h modified parse_options function Jul 16, 2018
hydra-icq.c big int to stdint switch Jul 5, 2017
hydra-imap.c big int to stdint switch Jul 5, 2017
hydra-irc.c spelling Aug 8, 2017
hydra-ldap.c fix various spelling and typography errors Jul 25, 2017
hydra-logo.ico initial commit Apr 24, 2014
hydra-logo.rc initial commit Apr 24, 2014
hydra-mod.c proxy connect debug Feb 19, 2018
hydra-mod.h Move int includes to hydra-mod and add includes. Aug 19, 2017
hydra-mssql.c big int to stdint switch Jul 5, 2017
hydra-mysql.c support uncommon mysql ports Jun 14, 2018
hydra-ncp.c big int to stdint switch Jul 5, 2017
hydra-nntp.c big int to stdint switch Jul 5, 2017
hydra-oracle-listener.c cleanup Jul 7, 2017
hydra-oracle-sid.c big int to stdint switch Jul 5, 2017
hydra-oracle.c fix Jan 4, 2018
hydra-pcanywhere.c big int to stdint switch Jul 5, 2017
hydra-pcnfs.c big int to stdint switch Jul 5, 2017
hydra-pop3.c fix various spelling and typography errors Jul 25, 2017
hydra-postgres.c ipv6 pretty print Jul 6, 2017
hydra-radmin2.c radmin2: cast calloc output (found by ccc-analyzer). Aug 18, 2017
hydra-rdp.c include fix Aug 19, 2017
hydra-redis.c big int to stdint switch Jul 5, 2017
hydra-rexec.c big int to stdint switch Jul 5, 2017
hydra-rlogin.c cleanup Jul 7, 2017
hydra-rpcap.c big int to stdint switch Jul 5, 2017
hydra-rsh.c cleanup Jul 7, 2017
hydra-rtsp.c cleanup Jul 7, 2017
hydra-s7-300.c big int to stdint switch Jul 5, 2017
hydra-sapr3.c big int to stdint switch Jul 5, 2017
hydra-sip.c Move int includes to hydra-mod and add includes. Aug 19, 2017
hydra-smb.c warning fixes by crondaemon Aug 18, 2017
hydra-smtp-enum.c fix various spelling and typography errors Jul 25, 2017
hydra-smtp.c fix various spelling and typography errors Jul 25, 2017
hydra-snmp.c fix various spelling and typography errors Jul 25, 2017
hydra-socks5.c big int to stdint switch Jul 5, 2017
hydra-ssh.c -w support for ssh module Jan 31, 2018
hydra-sshkey.c allow newer libssh versions - once they exist Apr 17, 2018
hydra-svn.c cleanup Jul 7, 2017
hydra-teamspeak.c big int to stdint switch Jul 5, 2017
hydra-telnet.c big int to stdint switch Jul 5, 2017
hydra-time.c cleanup Jul 7, 2017
hydra-vmauthd.c vmauthd: don't use freed mem (found by ccc-analyzer). Aug 18, 2017
hydra-vnc.c vnc: fix use after-free (found by ccc-analyzer). Aug 18, 2017
hydra-wizard.sh v8.1 release Dec 8, 2014
hydra-xmpp.c big int to stdint switch Jul 5, 2017
hydra.1 2018 year update Jan 4, 2018
hydra.c General Cleanup Jun 5, 2018
hydra.h support uncommon mysql ports Jun 14, 2018
libpq-fe.h big int to stdint switch Jul 5, 2017
ntlm.c fix various spelling and typography errors Jul 25, 2017
ntlm.h big int to stdint switch Jul 5, 2017
performance.h cleanup Jul 7, 2017
postgres_ext.h big int to stdint switch Jul 5, 2017
pw-inspector-logo.rc initial commit Apr 24, 2014
pw-inspector.1 initial commit Apr 24, 2014
pw-inspector.c fix build with musl libc Oct 5, 2017
pw-inspector.ico initial commit Apr 24, 2014
rdp.h big int to stdint switch Jul 5, 2017
sasl.c cleanup Jul 7, 2017
sasl.h big int to stdint switch Jul 5, 2017
xhydra.1 minor man page improvements Aug 1, 2017
xhydra.jpg remove unnecessay executable flags Jun 16, 2016


			  H Y D R A

                  (c) 2001-2018 by van Hauser / THC
                   <vh@thc.org> http://www.thc.org
   many modules were written by David (dot) Maciejak @ gmail (dot) com
             BFG code by Jan Dlabal <dlabaljan@gmail.com>

	    Licensed under AGPLv3 (see LICENSE file)

       Please do not use in military or secret service organizations,
                      or for illegal purposes.


Number one of the biggest security holes are passwords, as every password security study shows. This tool is a proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system.


There are already several login hacker tools available, however none does either support more than one protocol to attack or support parallized connects.

It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10) and MacOS.

Currently this tool supports the following protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

However the module engine for new services is very easy so it won't take a long time until even more services are supported. Your help in writing, enhancing or fixing modules is highly appreciated!! :-)


You can always find the newest release/production version of hydra at its project page at https://www.thc.org/thc-hydra If you are interested in the current development state, the public development repository is at Github: svn co https://github.com/vanhauser-thc/thc-hydra or git clone https://github.com/vanhauser-thc/thc-hydra Use the development version at your own risk. It contains new features and new bugs. Things might not work!


To configure, compile and install hydra, just type:

make install

If you want the ssh module, you have to setup libssh (not libssh2!) on your system, get it from http://www.libssh.org, for ssh v1 support you also need to add "-DWITH_SSH1=On" option in the cmake command line.

If you use Ubuntu/Debian, this will install supplementary libraries needed for a few optional modules (note that some might not be available on your distribution):

apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \
                 libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \
                 firebird-dev libncp-dev

This enables all optional modules and features with the exception of Oracle, SAP R/3 and the apple filing protocol - which you will need to download and install from the vendor's web sites.

For all other Linux derivates and BSD based systems, use the system software installer and look for similar named libraries like in the command above. In all other cases you have to download all source libraries and compile them manually.


  • All UNIX platforms (Linux, *bsd, Solaris, etc.)
  • MacOS (basically a BSD clone)
  • Windows with Cygwin (both IPv4 and IPv6)
  • Mobile systems based on Linux, MacOS or QNX (e.g. Android, iPhone, Blackberry 10, Zaurus, iPaq)


If you just enter hydra, you will see a short summary of the important options available. Type ./hydra -h to see all available command line options.

Note that NO login/password file is included. Generate them yourself. A default password list is however present, use "dpl4hydra.sh" to generate a list.

For Linux users, a GTK gui is available, try ./xhydra

For the command line usage, the syntax is as follows: For attacking one target or a network, you can use the new "://" style: hydra [some command line options] PROTOCOL://TARGET:PORT/MODULE-OPTIONS The old mode can be used for these too, and additionally if you want to specify your targets from a text file, you must use this one:

hydra [some command line options] [-s PORT] TARGET PROTOCOL [MODULE-OPTIONS]

Via the command line options you specify which logins to try, which passwords, if SSL should be used, how many parallel tasks to use for attacking, etc.

PROTOCOL is the protocol you want to use for attacking, e.g. ftp, smtp, http-get or many others are available TARGET is the target you want to attack MODULE-OPTIONS are optional values which are special per PROTOCOL module

FIRST - select your target you have three options on how to specify the target you want to attack:

  1. a single target on the command line: just put the IP or DNS address in
  2. a network range on the command line: CIDR specification like ""
  3. a list of hosts in a text file: one line per entry (see below)

SECOND - select your protocol Try to avoid telnet, as it is unreliable to detect a correct or false login attempt. Use a port scanner to see which protocols are enabled on the target.

THIRD - check if the module has optional parameters hydra -U PROTOCOL e.g. hydra -U smtp

FOURTH - the destination port this is optional! if no port is supplied the default common port for the PROTOCOL is used. If you specify SSL to use ("-S" option), the SSL common port is used by default.

If you use "://" notation, you must use "[" "]" brackets if you want to supply IPv6 addresses or CIDR ("") notations to attack: hydra [some command line options] ftp://[]/ hydra [some command line options] -6 smtps://[2001:db8::1]/NTLM

Note that everything hydra does is IPv4 only! If you want to attack IPv6 addresses, you must add the "-6" command line option. All attacks are then IPv6 only!

If you want to supply your targets via a text file, you can not use the :// notation but use the old style and just supply the protocol (and module options): hydra [some command line options] -M targets.txt ftp You can supply also port for each target entry by adding ":" after a target entry in the file, e.g.:


Note that if you want to attach IPv6 targets, you must supply the -6 option and must put IPv6 addresses in brackets in the file(!) like this:



You have many options on how to attack with logins and passwords With -l for login and -p for password you tell hydra that this is the only login and/or password to try. With -L for logins and -P for passwords you supply text files with entries. e.g.:

hydra -l admin -p password ftp://localhost/
hydra -L default_logins.txt -p test ftp://localhost/
hydra -l admin -P common_passwords.txt ftp://localhost/
hydra -L logins.txt -P passwords.txt ftp://localhost/

Additionally, you can try passwords based on the login via the "-e" option. The "-e" option has three parameters:

s - try the login as password
n - try an empty password
r - reverse the login and try it as password

If you want to, e.g. try "try login as password and "empty password", you specify "-e sn" on the command line.

But there are two more modes for trying passwords than -p/-P: You can use text file which where a login and password pair is separated by a colon, e.g.:


This is a common default account style listing, that is also generated by the dpl4hydra.sh default account file generator supplied with hydra. You use such a text file with the -C option - note that in this mode you can not use -l/-L/-p/-P options (-e nsr however you can). Example:

hydra -C default_accounts.txt ftp://localhost/

And finally, there is a bruteforce mode with the -x option (which you can not use with -p/-P/-C):

-x minimum_length:maximum_length:charset

the charset definition is a for lowercase letters, A for uppercase letters, 1 for numbers and for anything else you supply it is their real representation. Examples:

-x 1:3:a generate passwords from length 1 to 3 with all lowercase letters
-x 2:5:/ generate passwords from length 2 to 5 containing only slashes
-x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers


hydra -l ftp -x 3:3:a ftp://localhost/


Via the third command line parameter (TARGET SERVICE OPTIONAL) or the -m command line option, you can pass one option to a module. Many modules use this, a few require it!

To see the special option of a module, type:

hydra -U


./hydra -U http-post-form

The special options can be passed via the -m parameter, as 3rd command line option or in the service://target/option format.

Examples (they are all equal):

./hydra -l test -p test -m PLAIN imap
./hydra -l test -p test imap PLAIN
./hydra -l test -p test imap://


When hydra is aborted with Control-C, killed or crashes, it leaves a "hydra.restore" file behind which contains all necessary information to restore the session. This session file is written every 5 minutes. NOTE: the hydra.restore file can NOT be copied to a different platform (e.g. from little endian to big endian, or from solaris to aix)


The environment variable HYDRA_PROXY_HTTP defines the web proxy (this works just for the http services!). The following syntax is valid:


The last example is a text file containing up to 64 proxies (in the same format definition as the other examples).

For all other services, use the HYDRA_PROXY variable to scan/crack. It uses the same syntax. eg:


for example:



  • sort your password files by likelihood and use the -u option to find passwords much faster!
  • uniq your dictionary files! this can save you a lot of time :-) cat words.txt | sort | uniq > dictionary.txt
  • if you know that the target is using a password policy (allowing users only to choose password with a minimum length of 6, containing a least one letter and one number, etc. use the tool pw-inspector which comes along with the hydra package to reduce the password list: cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt


The results are output to stdio along with the other information. Via the -o command line option, the results can also be written to a file. Using -b, the format of the output can be specified. Currently, these are supported:

  • text - plain text format
  • jsonv1 - JSON data using version 1.x of the schema (defined below).
  • json - JSON data using the latest version of the schema, currently there is only version 1.

If using JSON output, the results file may not be valid JSON if there are serious errors in booting Hydra.

JSON Schema

Here is an example of the JSON output. Notes on some of the fields:

  • errormessages - an array of zero or more strings that are normally printed to stderr at the end of the Hydra's run. The text is very free form.
  • success - indication if Hydra ran correctly without error (NOT if passwords were detected). This parameter is either the JSON value true or false depending on completion.
  • quantityfound - How many username+password combinations discovered.
  • jsonoutputversion - Version of the schema, 1.00, 1.01, 1.11, 2.00, 2.03, etc. Hydra will make second tuple of the version to always be two digits to make it easier for downstream processors (as opposed to v1.1 vs v1.10). The minor-level versions are additive, so 1.02 will contain more fields than version 1.00 and will be backward compatible. Version 2.x will break something from version 1.x output.

Version 1.00 example:

    "errormessages": [
        "[ERROR] Error Message of Something",
        "[ERROR] Another Message",
        "These are very free form"
    "generator": {
        "built": "2018-03-01 14:44:22",
        "commandline": "hydra -b jsonv1 -o results.json ... ...",
        "jsonoutputversion": "1.00",
        "server": "",
        "service": "http-post-form",
        "software": "Hydra",
        "version": "v8.5"
    "quantityfound": 2,
    "results": [
            "host": "",
            "login": "bill@example.com",
            "password": "bill",
            "port": 9999,
            "service": "http-post-form"
            "host": "",
            "login": "joe@example.com",
            "password": "joe",
            "port": 9999,
            "service": "http-post-form"
    "success": false


through the parallelizing feature, this password cracker tool can be very fast, however it depends on the protocol. The fastest are generally POP3 and FTP. Experiment with the task option (-t) to speed things up! The higher - the faster ;-) (but too high - and it disables the service)


Run against a SuSE Linux 7.2 on localhost with a "-C FILE" containing 295 entries (294 tries invalid logins, 1 valid). Every test was run three times (only for "1 task" just once), and the average noted down.

			P A R A L L E L    T A S K S
SERVICE	1	4	8	16	32	50	64	100	128
------- --------------------------------------------------------------------
telnet	23:20	5:58	2:58	1:34	1:05	0:33	0:45*	0:25*	0:55*
ftp	45:54	11:51	5:54	3:06	1:25	0:58	0:46	0:29	0:32
pop3	92:10	27:16	13:56	6:42	2:55	1:57	1:24	1:14	0:50
imap	31:05	7:41	3:51	1:58	1:01	0:39	0:32	0:25	0:21

(*) Note: telnet timings can be VERY different for 64 to 128 tasks! e.g. with 128 tasks, running four times resulted in timings between 28 and 97 seconds! The reason for this is unknown...

guesses per task (rounded up):

295 74 38 19 10 6 5 3 3

guesses possible per connect (depends on the server software and config):

telnet 4 ftp 6 pop3 1 imap 3


Hydra: Email me or David if you find bugs or if you have written a new module. vh@thc.org (and put "antispam" in the subject line)

You should use PGP to encrypt emails to vh@thc.org :

Version: GnuPG v3.3.3 (vh@thc.org)