Welcome to HackeRoyale.

How To Crack Passwords Using THC Hydra ?

THC Hydra

Hello friends , assume you know the tool to crack passwords but if you don’t know how to use it , then its waste of knowing it. So it is most important to know everything before you start an attack or anything.Here in this article you are going to know about THC Hydra and its working. so let’s jump into that!!

THC Hydra is the best option for brute force attack.

THC Hydra

When you need to brute force crack a remote authentication service, Hydra is often the tool of choice.

Hydra is a parallelized login wafer which underpins various conventions to assault.

It is quick and adaptable, and new modules are anything but difficult to include.

This apparatus makes it feasible for analysts and security specialists to demonstrate how simple it is increase unapproved access to a framework publicly.

Ubuntu it can be introduced from the synaptic bundle chief.

Kali Linux, it is per-installed.

It is already in kali distribution, so we don’t need to download, install, or compile anything to use it.

It can perform fast dictionary attacks against more than 50 protocols

Some of the protocols supported by THC Hydra:

  • POP3
  • FTP
  • Firebird
  • Subversion (SVN)
  • Telnet
  • And many more

Type of Attacks THC Hydra can do :

  • Parallel dictionary attacks (16 threads by default)
  • Brute force/Hybrid attacks
  • Check for null, reversed, same as username passwords
  • Slow down the process of attack- prevent detection- IPS   (Intrusion   Prevention  System)
  • Parallel attack of different servers


  1. All UNIX stages
  2. Macintosh OS/X
  3. Windows with Cygwin
  4. Versatile frameworks in light of Linux.

Cracking Passwords using THC Hydra

Step 1:

Step 1:

  • Download and Install Tamper Data
  • Before we begin with THC-Hydra, how about we introduce another device that supplements THC-Hydra.
  • This device is known as “Alter Data”, and it is a module for Mozilla’s Firefox.
  • Since our IceWeasel program in Kali is based on the open source Firefox, it connects similarly well to Iceweasel.
  • Alter Data empowers us to catch and see the HTTP and HTTPS GET and POST data.
  • In essense, Tamper Data is a web intermediary like Burp Suite, however less difficult and incorporated appropriate with our program.
  • Alter Data empowers us to snatch the data from the program on the way to the server and adjust it.
  • Likewise, once we get into more refined web assaults, it is essential to comprehend what fields and strategies are being utilized by the web shape, and Tamper Data can help us with that also.
  • Download it and introduce it into Iceweasel

Step 2:

Test Tamper Data

  • Since we have Tamper Data introduced into our program, we should perceive what it can do.
  • Actuate Tamper Data and after that explore to any site.
  • Underneath you can see that I have explored to Bank of America and Tamper Data furnishes we with every HTTPS GET and POST ask for between my program and the server.

  • When I attempt to login to the site with the username “programmer”, Tamper Data comes back to me all the basic information on the shape.
  • This data will be helpful when we start to utilize Hydra to break online passwords.

Step 3:

Open THC Hydra

Open THC Hydra

Since we have Tamper Data set up and working appropriately, how about we open Hydra.

You can discover it at Kali Linux – > Password – > Online Attacks – > Hydra.

You can see it about halfway among the rundown of online secret word splitting apparatuses.

Step 4:

Comprehend the Hydra Basics

When we open Hydra, we are welcomed with this assistance screen.

Note the example sentence structure at the base of the screen.

Hydra’s language structure is moderately straightforward and like other secret word breaking instruments


How about we investigate it further.

hydra -l username -p passwordlist.txt target

The username can be a solitary client name, for example, “administrator” or username list,passwordlist is typically any content document that contains potential passwords, andtarget can be an IP address and port, or it can be a particular web shape field.

Despite the fact that you can utilize ANY watchword content record in Hydra, Kali has a few implicit.

How about we change catalogs to


kali > cd /usr/share/wordlists

At that point list the substance of that index:

kali > ls

You can see underneath, Kali has many word records implicit.

You can utilize any of these or any word show you download from the web as long as it was made in Linux and is in the .txt organize.

Step 5:

Utilize Hydra to Crack Passwords

In the case underneath, I am utilizing Hydra to attempt to split the “administrator” watchword utilizing the “rockyou.txt” wordlist at on port 80.

Using Hydra on Web Forms

Utilizing Hydra on web shapes includes a level of multifaceted nature, however the arrangement is comparative aside from that you require information on the web frame parameters that Tamper Data can give us.

The sentence structure for utilizing Hydra with a web shape is to utilize

<url>:<formparameters>:<failure string>

where already we had utilized the objective IP.

Despite everything we require a username rundown and secret key rundown.

Presumably the most disparaging of these parameters for web frame secret key hacking is the “disappointment string”.

This is the string that the shape returns when the username or secret key is off base.

We have to catch this and give it to Hydra so Hydra knows when the endeavored secret key is erroneous and would then be able to go to the following endeavor.

This Article is only for Educational Purpose

I hope this article THC Hydra helps you

Thank you for reading this article

Happy Hacking…


featured posts


Get weekly updates by subscribing to our newsletter.