Saturday, July 20, 2024

How to use Hydra to Brute-Force SSH Connections

Learn how to use Hydra to Brute-force SSH. Hydra is one of the favorite tools in a whitehats toolkit. It is an excellent tool for performing brute force attacks and can be used from a red team perspective to break into systems as well as from a blue team perspective to audit and test ssh passwords against common password lists like rockyou.txt and crackstation wordlists.

Note : This guide is purely for educational purposes. We do not claim liability for any property damages caused with the use of the knowledge gained from this guide.

What is Hydra?

Hydra is an open-source tool that allows us to perform various kinds of brute force attacks using wordlists. It comes by default with all Pentesting Distros like Kali Linux. However, it can also be installed with the apt command as follows:

$ sudo apt install hydra

In case the package is not found, or you run into an error, you can also refer to the Github repo and install it using the specified instructions.

How to Use Hydra?

Hydra offers a lot of functionality which can be easily displayed with :

$ hydra -h

However, in our case we will be dealing with the following four primary flags :

  • -l -> Specify a username to use during brute force attack
  • -L -> Specify a wordlist of usernames to be used during the bruteforce attack
  • -p -> Specify a password to use during brute force attack
  • -P -> Specify a wordlist of passwords to be used during the bruteforce attack
Recommended:  10+ penetration testing tools the pros use

The basic syntax of hydra is :

hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]

Brute-force SSH Usernames and Passwords with Hydra

While trying to brute-force ssh credentials there are 3 possible combinations:

  • Bruteforcing Passwords
  • Bruteforcing Usernames
  • Bruteforcing Passwords and Usernames

First things first we would need wordlists for our brute-force attack. You can fetch some well knows wordlists with wordlistctl and once you have your wordlist ready, we can move on !

1. Bruteforcing Passwords

To brute-force ssh passwords with a known username, the syntax is :

$ hydra -l <username> -P <path to wordlist> <IP> ssh

2. Bruteforcing Username

To brute-force ssh usernames with a known password, the syntax is :

$ hydra -L <path to wordlist> -p <password> <IP> ssh

3. Bruteforcing Both Usernames And Passwords

If you do not know both the username and the password, the syntax is as follows:

$ hydra -L <path to username wordlist> -P <path to password wordlist> <IP> ssh

Some Special Flags

Sometimes we have some special conditions and we need to orchestrate our attack according to that. In this section, we will discuss some special flags which helps us to customize our attacks.

1. Change The Number Of Threads

By default, hydra runs 16 threads but we can change the value of the same with the -t flag as such :

$ hydra -l <username> -P <path to wordlist> <IP> -t <number of threads> ssh

2. Change The Port Number

Sometimes, sysadmins change the ssh port number from the default 22 to some other port. Hence, to use a different port number, we use the -s flag as :

Recommended:  GitHub code scanning now finds more security vulnerabilities
$ hydra -s <port number> -l <username> -P <path to wordlist> <IP> ssh

3. Brute Forcing A List Of IPs

Just like we can bruteforce a list of usernames and passwords, we can also brute-force ssh IPs from a list using the -M flag :

$ hydra -l <username> -P <path to wordlist> -M <path to Ip list> ssh

4. Miscellaneous

We can also enable a more verbose output with the -V flag. Also, sometimes the users/sysadmins leave certain obvious passwords that need to be accounted for beyond the scope of our wordlists which can be included with the -e flag. A popular trio that goes with this flag are the letters ‘nsr’, where ‘n’ stands for null and tries to log in without any flag at all, ‘s‘ stands for same, i.e, it uses the username itself as a password while ‘r‘ tries the reversed username as a potential password. The syntax for this should look like this :

$ hydra -l <username> -P <path to wordlist> <IP> -V -e nsr ssh


Hydra can be a pretty powerful tool when you want to brute-force ssh connections and can be coupled with several other flags to customize your attack. However, this must not be exploited to poke around stuff you are not meant to and the users alone are accountable for their actions.

You may also enjoy reading, The largest DDoS to date, Microsoft mitigates a 3.47 Tbps DDoS attack

Got to Cybersecurity News

Go to Homepage

Go to Cybersecurity Academy

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

Recommended:  Analyzing Phishing Attacks that use malicious PDFs

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates