Hydra
hydra command-line options (online login brute-forcing), grouped by function.
Use only against systems you are explicitly authorized to test.
Targets & Auth
-l LOGIN / -L FILE — Single login, or load several logins from FILE.
-p PASS / -P FILE — Try password PASS, or load several from FILE.
-C FILE — Colon-separated "login:pass" format (instead of -L/-P).
-M FILE — List of servers to attack (one per line, ':' for port).
-s PORT — Use a non-default service port.
-S — Perform an SSL connect.
-O — Use old SSL v2 and v3.
-m OPT — Module-specific options (see -U).
-4 / -6 — Use IPv4 (default) / IPv6 addresses.
Password Generation
-e nsr — Try "n" null password, "s" login as password, and/or "r" reversed login as password.
-x MIN:MAX:CHARSET — Password brute-force generation (-x -h for help).
-y — Disable use of symbols in brute-force.
-u — Loop around users, not passwords (implied with -x).
-r — Use a non-random shuffling method for -x.
Performance & Threads
-t TASKS — Number of parallel connections per target (default 16).
-T TASKS — Number of parallel connections overall, for -M (default 64).
-c TIME — Wait time per login attempt over all threads (forces -t 1).
-w / -W TIME — Wait time for a response (default 32) / between connects per thread (default 0).
-K — Do not redo failed attempts (good for -M).
Behavior & Control
-f / -F — Exit when a login/pass pair is found (-f per host, -F global).
-R — Restore a previous aborted / crashed session.
-I — Ignore an existing restore file (don't wait 10s).
-q — Do not print messages about connection errors.
Output & Info
-o FILE — Write found login/password pairs to FILE.
-b FORMAT — Output format for -o: text (default), json, jsonv1.
-v / -V / -d — Verbose / show login+pass per attempt / debug.
-U — Service module usage details.
-h — More command-line options (complete help).
Compiled from the “hydra” chart by Hacking Articles (Ignite Technologies); descriptions condensed.