THC Hydra: Auditing passwords

As we have said previously, the cyber security world is full of useful tools for different tasks. Pentesters are usually very proficient with the ones they use on a daily basis, but they at least know or have tried some of the others. Even similar tools, or tools that apparently do the same task, sometimes behave slightly differently, and that can be the difference between success and failure in a pentest.

The tool we are going to see today is called THC Hydra. THC Hydra helps us test the strength of our passwords by auditing remote authentication services.

As an example, I am going to use the same setup I used in the earlier Ncrack article. If you do not know what I am talking about, you can follow this link to my previous article.

After we have our service running in our virtual machine, and we have checked that the machine and the service are available, we can execute the “hydra” command.

Just a few notes before we test our service.

You can execute the command to obtain information about how to execute the tool:


You will see that multiple flags are listed, and the most interesting part is the list of services that are supported by the tool. As an important note, I must say that the number of services supported by the tool depends on the kind of compilation and installation we have done. There are a few libraries or dependencies we need to install before THC Hydra to have support for all types of services.

To follow this example, it is enough to have installed the tool with “libssh” support.

Now, let’s continue. As you have seen in the help description for the tool, there are multiple flags we can use, but for this test we are going to focus on the following flags:

  • -l LOGIN or -L FILE: Gives the tool a single user or a file with a list of users.
  • -p PASS or -P FILE: Gives the tool a single password or a file with a list of passwords.
  • service: The service we want to test. In our case, “ssh”.

Now, following the appropriate syntax, we can execute the following command:

hydra -l fjavierm -P password.txt ssh://

This is going to show us the result:

Hydra v8.4 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra ( starting at 2017-04-02 08:26:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 3 tasks per 1 server, overall 3 tasks, 3 login tries (l:1/p:3), ~1 try per task
[DATA] attacking service ssh on port 22
[22][ssh] host: login: fjavierm password: pa$$w0rd
1 of 1 target successfully completed, 1 valid password found
Hydra ( finished at 2017-04-02 08:26:41

As we can see, we have been able to find the weak password.
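
As an added example (not from the original article or from the Hydra project), the following Python script turns output like the run above into audit-report lines with the password masked, and checks the parsed findings against Hydra's own summary count. The host 192.0.2.10, the function names and the report format are assumptions made for this example.

```python
import re

# Constructed sample in the format of the run shown above; the host is a
# documentation-range address (192.0.2.10) chosen for this example.
SAMPLE_OUTPUT = """\
[DATA] max 3 tasks per 1 server, overall 3 tasks, 3 login tries (l:1/p:3), ~1 try per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.0.2.10   login: fjavierm   password: pa$$w0rd
1 of 1 target successfully completed, 1 valid password found
"""

# A result line: [port][service] host: H   login: U   password: P
FINDING = re.compile(
    r"^\[(?P<port>\d+)\]\[(?P<service>[\w-]+)\]\s+host:\s+(?P<host>\S+)"
    r"\s+login:\s+(?P<login>\S+)\s+password:\s(?P<password>.*)$"
)
SUMMARY = re.compile(r"(?P<count>\d+) valid passwords? found")

def mask(password):
    """Keep only the first character and the length, so the report leaks no secret."""
    return password[:1] + "*" * (len(password) - 1) if password else "(empty)"

def parse_findings(output):
    """Return (findings, reported_count) from Hydra's text output."""
    findings, reported = [], None
    for line in output.splitlines():
        m = FINDING.match(line.strip())
        if m:
            item = m.groupdict()
            item["port"] = int(item["port"])
            item["password"] = mask(item["password"])
            findings.append(item)
            continue
        s = SUMMARY.search(line)
        if s:
            reported = int(s.group("count"))
    return findings, reported

def audit_report(output):
    """One line per account needing a password reset; raises if the log is incomplete."""
    findings, reported = parse_findings(output)
    if reported is not None and reported != len(findings):
        raise ValueError(f"parsed {len(findings)} findings, summary says {reported}")
    return [f"{f['host']}:{f['port']}/{f['service']} {f['login']} weak password {f['password']}"
            for f in findings]

if __name__ == "__main__":
    print("\n".join(audit_report(SAMPLE_OUTPUT)))
```

Masking at parse time keeps the cleartext password out of tickets and reports, and the count check catches a log that was truncated or copied incompletely.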
