Password Cracking: Hydra

(Valentine) #1

This is a tutorial that has been bugging me for a while and I’ve decided to post this tutorial, just to see how well it goes. This isn’t a series, but a one shot. If there’s enough interest I will maybe start a mini series.


Passwords are arguably the most common method for authentication (probably is). Of course we could just go ahead and exploit the system itself, but in my experience it’s easier to hack a specific account, which is protected by a password, that’s on server then compromising a whole entire system itself. There are many different methods to crack passwords,but the ones discussed here are : Dictionary, Bruteforce, and People (Social Engineering, Phishing, People’s stupidity, all of the above).

All, but the latter can be attempted with a software called THC-Hydra (Hydra).


Hydra is a password cracking tool that’s only on Linux (Sorry Window users). The tool itself is pre-installed on Kali Linux and Parrot, but if for some reason it’s not installed simply type:

apt-get install hydra

Once hydra is installed type:


Upon enter the help page should show up. For now we’re only interested in the -l flag and the -P flag.

The syntax for hydra is a follows:

hydra (options) host (service)

A simple example is:

hydra -l root -P wordlist.txt smtp

The flag -l is for the username. The -P flag can be either -p, for a single password or -P, for a file containing words to try. You have to specify the whole path for the -P flag. After the options is the host’s Ip and the service. The service is optional to specify, but can be useful during a cracking procedure. A more realistic example is:

hydra -l root -P /root/Desktop/wordlist.txt 

What if we’re trying to crack a email account password? This is where things get more interesting. Every email service has a service known as a smtp service. The smtp service is where the email process actually is. A simple example is the server. The port that the smtp service is actually running on varies from smtp service to another, but for the smtp service runs on port 565. The interesting part is that Hydra has flags that can specify a port and also the service. A example is:

hydra -l [email protected] -P /root/Desktop/wordlist.txt -S 565 smtp

The last flag of Hydra that I will introduce in this tutorial is the -x flag. Sometimes the user has a ridiculously long and complicated password that dictionaries attacks have no effect, but there’s one method that all passwords are vulnerable to, bruteforce attacks. In a bruteforce attack every combination is used to figure out the password. The speed depends on the cpu processor, but in the end the password will be cracked. In hydra the bruteforce option is invoked like this:

hydra -l John Doe -x Shortest length: longest length: combinations host

A example for gmail would look something like this:

hydra -l [email protected] -x 5:8:A1 -S 565 smtp

These are only some of the capabilities of Hydra.


(Leader & Offsec Engineer & Forum Daddy) #2

You do know that services like Google have protections in place against SMTP bruteforcing? This won’t work for email.



How do they protect against bruteforcing? Limited attempts in a certain period of time?

1 Like

(Valentine) #4

There really isn’t protection against bruteforcing except, have a strong password, limit the number of tries, etc. I personally stick to the wordlist method or the People method, but bruteforcing can still work if given enough time and patience.



CAPTCHA certainly defeats brute forcing well enough.


(Leader & Offsec Engineer & Forum Daddy) #6

Bruteforcing Google + Apple (now) + Yahoo does NOT work. @worz exactly.



A way to bypass this restriction exists when the target only locks out your IP: get a list of proxies and change proxy every * amount of attempts.

The story is different if the target locks out the account



(Leader & Offsec Engineer & Forum Daddy) #8

Which it does. All the major providers do this.


(Valentine) #9

True… Truth be told. I never used bruteforce. Takes to long and to much resources, but instead I run dictionary attacks.



@pry0cc I never said they didn’t :wink:

@Valentine Google locks you out after a 150-ish attempts if I recall correctly. Not even a dictionary attack would be useful then.



(Valentine) #11

Unless it’s a small wordlist. :slight_smile:


(True self is without form) #12

@Valentine Yeah, but with a wordlist of less then 150 password, your chance of finding THE correct one is pretty low :stuck_out_tongue_closed_eyes:

  • shutz_c0de

(Valentine) #13

Patience is one of many skills a hacker needs.

1 Like


How does “patience” play a role here? 150 tries is 150 tries.


1 Like

(True self is without form) #15

@anon79434934 I couldn’t have said it better x)

  • shutz_c0de

(Valentine) #16

Lmao. My bad. I re-read what I posted and sorry. :slight_smile:



Don’t swell it, we all make mistakes at one point. Although it wouldn’t be bad practice to back up your claims with sources next time :wink:




@pry0cc @oaktree @IoTh1nkN0t do it or I will.



I thought that 0x00sec was only accessible through private invit ? O.o How can we still read such things ?

1 Like

([email protected] [email protected]) #21

Well first and foremost, we’re not your personal army & we’re not a blackhat site. With that out of the way, let’s get down to business.

First, you’re gonna need to learn Linux. Or at least enough to not be a beginner.

Second, what social network are you trying to hack? I’m going to go ahead and assume facebook here, but the kind of attacks you use depend on which social network the account is that you want to hack.

Third, You don’t need the host’s IP and Service to hack their account. You need their personal information and /or password. You’ll also need their email account. How you go about getting that is up to you.

Now technically, you could pwn their box and dump passwords from their browser cache. Chances are, they’re going to have the same password for all of their accounts. How you do that is up to you.

I’m going to assume that you’re not trying to hack someone that you have no permission to, and instead you’re doing this as an exercise with a friend. Again…

We are not your personal army and we are not a blackhat site. This site is for learning and using what you learn legally and for good purposes.

I’m not sure if I’m stepping over a line here, but PLEASE STOP asking questions like this. If you want to ask these kinds of questions then you can either go on the IRC or head over to Hack Forums. Thanks.