Passwords are one of the biggest security holes, as every password security study shows.

Hydra is a parallelized login cracker that supports numerous protocols to attack. New modules are easy to add, and it is flexible and very fast.

Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1, OpenBSD, OSX, QNX/Blackberry, and is made available under GPLv3 with a special OpenSSL license expansion.

Currently this tool supports:
Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, S7-300, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

For HTTP, POP3, IMAP and SMTP, several login mechanisms, such as plain and MD5 digest, are supported.

This tool is proof-of-concept code, intended to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system.

The program was written by van Hauser and is additionally supported by David Maciejak.

Download

https://www.thc.org/thc-hydra/

Examples

General usage and options:

https://www.aldeid.com/wiki/Thc-hydra
https://resources.infosecinstitute.com/online-dictionary-attack-with-hydra/

HTTP basic auth:

https://www.owasp.org/index.php/Testing_for_Brute_Force_%28OWASP-AT-004%29
https://www.sillychicken.co.nz/Security/how-to-brute-force-your-router-in-windows.html

HTTP form based auth:

https://www.art0.org/security/performing-a-dictionary-attack-on-an-http-login-form-using-hydra
https://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html
https://www.sillychicken.co.nz/Security/how-to-brute-force-http-forms-in-windows.html
https://www.owasp.org/index.php/Testing_for_Brute_Force_%28OWASP-AT-004%29

Multiple protocols:

https://wiki.bywire.org/Hydra
https://www.attackvector.org/brute-force-with-thc-hydra/
https://www.madirish.net/content/hydra-brute-force-utility

Telnet:

https://www.theprohack.com/2009/04/basics-of-cracking-ftp-and-telnet.html
https://www.adeptus-mechanicus.com/codex/bflog/bflog.html