Installing and using Hydra on Linux to scan an SSH server.

I installed Hydra on my machine to scan an SSH server, this was not too hard.

I downloaded the source via GIT this way.

(jcartwright@localhost) Documents  $ git clone
Cloning into 'thc-hydra'...
remote: Enumerating objects: 3603, done.
remote: Counting objects: 100% (1388/1388), done.
remote: Compressing objects: 100% (193/193), done.
remote: Total 3603 (delta 1262), reused 1225 (delta 1195), pack-reused 2215
Receiving objects: 100% (3603/3603), 3.30 MiB | 5.49 MiB/s, done.
Resolving deltas: 100% (2447/2447), done.

If all prerequisites are installed such as libssh and libidn-devel, then cd into the directory and run the configure script to check all requisite packages are installed.

(jcartwright@localhost) thc-hydra  $ ./configure 

Starting hydra auto configuration ...
Detected 64 Bit Linux OS

Checking for zlib (libz/zlib.h) ...
                                ... found
Checking for openssl (libssl/libcrypto/ssl.h/sha.h) ...
                                                    ... found
Checking for gcrypt (libgcrypt/gpg-error.h) ...
                                            ... gcrypt not found, radmin2 module disabled
Checking for idn (libidn) ...
                          ... found
Checking for curses (libcurses/term.h) ...
                                       ... found, color output enabled
Checking for pcre2 (libpcre/pcre.h) ...
                                    ... found
Checking for Postgres (libpq/libpq-fe.h) ...
                                         ... NOT found, module postgres disabled
Checking for SVN (libsvn_client-1/libapr-1/libaprutil-1) ...
                                                         ... NOT found, module svn disabled
Checking for firebird (libfbclient) ...
                                    ... NOT found, module firebird disabled
Checking for MYSQL client (libmysqlclient/math.h) ...
                                                  ... NOT found, module Mysql will not support version > 4.x
Checking for AFP (libafpclient) ...
                                ... NOT found, module Apple Filing Protocol disabled - Apple sucks anyway
Checking for NCP (libncp/nwcalls.h) ...
                                    ... NOT found, module NCP disabled
Checking for SAP/R3 (librfc/saprfc.h) ...
                                      ... NOT found, module sapr3 disabled
Get it from
Checking for libssh (libssh/libssh.h) ...
                                      ... found
Checking for Oracle (libocci/libclntsh/oci.h/libaio/liboci) ...
                                                            ... NOT found, module Oracle disabled
Get basic and sdk package from
Checking for Memcached (libmemcached/memcached.h) ...
                                                  ... NOT found, module memcached disabled
Checking for Freerdp3 (libfreerdp3/freerdp.h/libwinpr3/winpr.h) ...
                                                                ... NOT found, checking for freerdp2 module next...
Checking for Freerdp2 (libfreerdp2/freerdp.h/libwinpr2/winpr.h) ...
                                                                ... NOT found, module rdp disabled
Checking for Mongodb (libmongoc-1.0/mongoc.h/libbson-1.0/bson.h) ...
                                                                 ... NOT found, module mongodb disabled
Checking for smbclient (libsmbclient/libsmbclient.h) ...
                                                     ... NOT found, module smb2 disabled
Checking for GUI req's (pkg-config/gtk+-2.0) ...
                                             ... NOT found, optional anyway
Checking for Android specialities ...
                                  ... strrchr() found
                                  ... RSA_generate_key() found
Checking for secure compile option support in gcc ...
                                                  Compiling... yes
                                                  Linking... yes
Checking for --allow-multiple-definition linker option ... yes

Hydra will be installed into .../bin of: /usr/local
  (change this by running ./configure --prefix=path)

Writing ...
now type "make"

Then once this finishes and there are no problems, run ‘make’ to build the source code.

(jcartwright@localhost) thc-hydra  $ make

After, this install to /usr/local/bin this way.

[root@localhost thc-hydra]# make install

Now type make install
strip hydra pw-inspector
echo OK > /dev/null && test -x xhydra && strip xhydra || echo OK > /dev/null
mkdir -p /usr/local/bin
cp -f hydra pw-inspector /usr/local/bin && cd /usr/local/bin && chmod 755 hydra pw-inspector
echo OK > /dev/null && test -x xhydra && cp xhydra /usr/local/bin && cd /usr/local/bin && chmod 755 xhydra || echo OK > /dev/null
sed -e "s|^INSTALLDIR=.*|INSTALLDIR="/usr/local"|" | sed -e "s|^LOCATION=.*|LOCATION="/etc"|" > /usr/local/bin/
chmod 755 /usr/local/bin/
mkdir -p /usr/local/etc
cp -f *.csv /usr/local/etc
mkdir -p /usr/local/man/man1/
cp -f hydra.1 xhydra.1 pw-inspector.1 /usr/local/man/man1/
mkdir -p /usr/local/share/pixmaps
cp -f xhydra.png /usr/local/share/pixmaps/
mkdir -p /usr/local/share/applications
desktop-file-install --dir /usr/local/share/applications xhydra.desktop
[root@localhost thc-hydra]#

Now the program is installed and working, I can use it right away.

(jcartwright@localhost) thc-hydra  $ hydra
Hydra v9.6dev (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]

  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -t TASKS  run TASKS number of connects in parallel per target (default: 16)
  -U        service module usage details
  -m OPT    options specific for a module, see -U output for information
  -h        more command line options (COMPLETE HELP)
  server    the target: DNS, IP or (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)

Supported services: adam6500 asterisk cisco cisco-enable cobaltstrike cvs ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql(v4) nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs.
Licensed under AGPL v3.0. The newest version is always available at;
Please don't use in military or secret service organizations, or for illegal
purposes. (This is a wish and non-binding - most such people do not care about
laws and ethics anyway - and tell themselves they are one of the good ones.)

Example:  hydra -l user -P passlist.txt

You need a wordlist for this to break passwords. Use the rockyou2021.txt file to have a large enough wordlist. Here is a magnet link for a very large wordlist.


Use 7zip to unpack this wordlist.

(jcartwright@localhost) rockyou2021.txt dictionary from kys234 on RaidForums  $ 7z x rockyou2021.txt.7z.001

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=C.UTF-8,Utf16=on,HugeFiles=on,64 bits,12 CPUs Intel(R) Core(TM) i5-10400F CPU @ 2.90GHz (A0655),ASM,AES-NI)

Scanning the drive for archives:
1 file, 9000000000 bytes (8584 MiB)

Extracting archive: rockyou2021.txt.7z.001
Path = rockyou2021.txt.7z.001
Type = Split
Physical Size = 9000000000
Volumes = 2
Total Physical Size = 13644753861
Path = rockyou2021.txt.7z
Size = 13644753861
Path = rockyou2021.txt.7z
Type = 7z
Physical Size = 13644753861
Headers Size = 138
Method = LZMA2:24
Solid = -
Blocks = 1

Everything is Ok      

Size:       98378212907
Compressed: 13644753861

7zip is very slow on Linux, but eventually, it will be unpacked.

Download a lot of useful wordlists here:

Unpack a wordlist like this.

(jcartwright@localhost) Hydra  $ bzip2 -d rockyou.txt.bz2
(jcartwright@localhost) Hydra  $ bzip2 -d rockyou.txt.bz2

But to use Hydra to attack an SSH server, use it like this.

(jcartwright@localhost) Hydra  $ hydra -l johann -P rockyou2021.txt ssh://localhost
Hydra v9.6dev (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra ( starting at 2024-01-31 11:40:31
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4

This will take a long time to run, but if the password is in the wordlist, the attack will succeed.

. SSH Server Behavior:

  • Most SSH servers don’t reveal whether a failed login attempt is due to an incorrect username or password. They simply provide a generic “authentication failed” message.
  • This makes it difficult for attackers to distinguish between invalid usernames and invalid passwords, slowing down the brute-forcing process.

2. Username Space:

  • The possible username space is often smaller and more predictable compared to password possibilities.
  • Attackers can often narrow down potential usernames based on common patterns (e.g., firstname.lastname, admin, root), making brute forcing less time-consuming.

3. Tools for Username Brute Forcing:

  • While tools like Hydra and Nmap’s ssh-brute script primarily focus on password brute force, they can be configured to brute force usernames as well.

4. Strategies:

  • Targeted Username Lists: Attackers might create custom username lists based on information gathered about the organization or individuals involved.
  • Combining with Password Brute Forcing: Attackers might try a small set of common usernames with a larger password list to increase efficiency.

5. Countermeasures:

  • Account Lockout: Servers often implement lockout mechanisms after a certain number of failed login attempts, hindering brute-forcing attempts.
  • Fail2Ban: This tool blocks IP addresses after repeated failed login attempts, further deterring attacks.
  • Strong Password Policies: Enforce strong password policies to make brute forcing passwords more difficult, even if a username is discovered.
  • Two-Factor Authentication: Require two-factor authentication to add an extra layer of security, even if valid credentials are compromised.

Ethical Considerations:

  • It’s crucial to only attempt brute forcing on systems you have explicit permission to test. Unauthorized brute-forcing attempts are illegal and unethical.

