Mr Elite

Posted on • Originally published at securityelites.com

Kali Linux Day 4: Hydra Tutorial — Brute Force SSH, FTP, HTTP & 50+ Protocols (Complete Beginner Guide 2026)

Authorised use only — home lab practice. Every Hydra command in this tutorial targets Metasploitable2 running in your own VirtualBox lab. Brute-forcing credentials on any live system without explicit written authorisation is illegal and unethical. Always check for account lockout policies before running Hydra on any authorised engagement target.

The most common vulnerability in every Verizon Data Breach Report, every year, without exception, is weak or default credentials. Not SQL injection. Not XSS. Not zero-days. Passwords. Specifically: admin:admin, root:toor, user:password123. Hydra is the tool that proves to organisations — with evidence — that their services are guessable.

Day 4 of the Kali Linux Course teaches you Hydra from scratch. You will understand every flag, know exactly which settings to adjust for each protocol, run a complete brute-force attack against SSH on Metasploitable2 in your home lab, and learn how to attack HTTP login forms — the skill that finds real vulnerabilities in bug bounty programmes. All on systems you own, all legal, all practical.

📋 What You’ll Master in Day 4

What Is Hydra & How It Works
Every Important Flag Explained
Wordlists — rockyou.txt & SecLists
Brute Force SSH (Full Walkthrough)
Brute Force FTP
HTTP Login Form Brute Force
RDP, SMB & MySQL
Hydra vs Hashcat — When to Use Each
Defence — Stopping Brute Force
Command Reference Card

What Is Hydra and How Does It Work?

THC-Hydra (The Hacker’s Choice Hydra) is a parallelised network logon cracker. It connects to a running service and systematically tries username and password combinations from wordlists, measuring responses to determine whether a credential pair is valid. It is protocol-aware — it knows how to speak SSH, FTP, HTTP, SMB, RDP, and 50+ other protocols, so it constructs the correct authentication request for each service.

The key distinction: Hydra performs online brute forcing — it sends live authentication requests to a running service. This means:

WHAT HYDRA CAN DO

✅ Test live services for weak credentials
✅ Run multiple credential attempts in parallel
✅ Try custom username + password combinations
✅ Resume interrupted attacks (-R flag)
✅ Work across 50+ protocols natively

WHAT HYDRA CANNOT DO

❌ Crack password hashes offline (use Hashcat)
❌ Bypass account lockout policies
❌ Work undetected on actively monitored systems
❌ Guarantee success — only finds weak passwords
❌ Work without network access to the target

📚 Context: Day 4 builds on Day 1. Before running Hydra, you use Nmap (Day 1) to discover which services are running on the target. You only run Hydra against services you have confirmed are open and in scope. Recon first, then brute force.
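
The defender's view of the online brute forcing described above, as an added example that is not part of the original article: a sliding-window detector over OpenSSH password-authentication log lines that reports a burst of failures from one source and any login that follows it. The log lines, host name, IP addresses, user names, threshold, window and year are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth-log lines for illustration (not taken from the page).
SAMPLE_LOG = """\
Mar  3 10:15:01 lab sshd[2101]: Failed password for admin from 192.168.56.10 port 40122 ssh2
Mar  3 10:15:01 lab sshd[2102]: Failed password for admin from 192.168.56.10 port 40124 ssh2
Mar  3 10:15:02 lab sshd[2103]: Failed password for invalid user test from 192.168.56.10 port 40126 ssh2
Mar  3 10:15:03 lab sshd[2104]: Failed password for admin from 192.168.56.10 port 40128 ssh2
Mar  3 10:15:04 lab sshd[2105]: Failed password for admin from 192.168.56.10 port 40130 ssh2
Mar  3 10:15:06 lab sshd[2106]: Accepted password for admin from 192.168.56.10 port 40132 ssh2
Mar  3 11:02:44 lab sshd[2300]: Failed password for alice from 192.168.56.20 port 51000 ssh2
Mar  3 11:02:50 lab sshd[2301]: Accepted password for alice from 192.168.56.20 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect_bruteforce(log_text, threshold=5, window_s=60, year=2026):
    """Return (kind, ip, user, time) findings; `year` is assumed (syslog omits it)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # source IP -> times of failures inside the window
    alerted = set()              # sources with a burst alert already raised
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user, q = m["ip"], m["user"], recent[m["ip"]]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) < threshold:
            alerted.discard(ip)           # burst is over; allow a fresh alert later
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                findings.append(("burst", ip, user, ts.strftime("%H:%M:%S")))
        elif len(q) >= threshold:
            # a login straight after a burst: the guessed account needs a reset
            findings.append(("success_after_burst", ip, user, ts.strftime("%H:%M:%S")))
    return findings

if __name__ == "__main__":
    print(*detect_bruteforce(SAMPLE_LOG), sep="\n")
```

The single mistyped password from 192.168.56.20 produces no finding, while the burst from 192.168.56.10 and the login that follows it are both reported.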

Every Important Hydra Flag — Explained

HYDRA FLAG REFERENCE — KALI LINUX COURSE DAY 4

TARGET FLAGS

-l admin # Single username
-L users.txt # Username list from file
-p password123 # Single password
-P rockyou.txt # Password list from file
-C combos.txt # user:pass combo file
-s 2222 # Custom port (not default)

PERFORMANCE FLAGS

-t 4 # Parallel tasks (threads)
-w 3 # Max seconds to wait for a response
-W 3 # Wait between connects
-f # Stop after first valid pair found
-F # Stop if valid found on any host
-R # Resume previous attack

OUTPUT FLAGS

-V # Verbose: show every attempt
-v # Verbose: show only key events
-d # Debug mode (very verbose)
-o results.txt # Save found credentials to file
-q # Quiet: do not print connection error messages

ADVANCED FLAGS

-x 6:8:aA1 # Generate passwords (min:max:charset)
-e nsr # Try null, same-as-login, reversed
-u # Loop around users, not passwords
-6 # IPv6 target
-S # SSL mode

hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.56.101 ssh -t 4 -V -f -o found.txt

Hydra Flag Reference — Four categories: target (who to attack and with what credentials), performance (threads, delays, resume), output (verbosity, file saving), and advanced (password generation, null/same tries, SSL). The bottom bar shows a complete production-ready command: single username, rockyou wordlist, SSH on port 22, 4 threads, verbose, stop on first find, save results.

⚠️ Thread warning for SSH: SSH servers actively throttle parallel connections. Use -t 4 for SSH — never the default 16. Higher thread counts cause connection failures that can silently skip valid credentials. For all other protocols: -t 16 is usually safe. Always read the protocol-specific notes before running.

Wordlists — The Ammunition Hydra Uses

Hydra is only as good as the wordlists you give it. Kali Linux ships with several pre-installed wordlists, and the SecLists project provides hundreds more categorised by use case.

# ─── Decompress rockyou.txt (do this once) ───
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
# rockyou.txt: 14.3 million real-world leaked passwords — the standard

# ─── Install SecLists (the best wordlist collection) ───
sudo apt install seclists -y   # Installs to: /usr/share/seclists/

