What is Hydra and what does it do?

THC-Hydra is a parallelised login cracker supporting dozens of protocols: HTTP-POST, HTTP-GET, SSH, FTP, SMTP, RDP, SMB, and more. It works by systematically trying username/password combinations from a wordlist against a target authentication endpoint. Hydra's core advantage is parallelism — it can run multiple concurrent attempts against the same target, dramatically reducing the time required to exhaustively test a password list. In this demo, Hydra ran against an HTTP login form, achieving ~50 attempts per second against a soft-throttled endpoint.

What is the difference between bruteforce and credential stuffing?

Bruteforce generates every possible character combination — computationally expensive and rarely used in practice for web login attacks. Credential stuffing uses known username/password pairs from prior data breaches — extremely effective because most users reuse passwords. Dictionary attacks use a curated wordlist of common passwords (rockyou.txt, SecLists) — faster than full bruteforce, effective against weak and common passwords. This demo used a dictionary/credential approach: targeted username list + common password wordlist. admin:password123 appears in the top 1,000 most-used credentials in public breach datasets.

What is soft throttling and why doesn't it protect against Hydra?

Soft throttling introduces a small delay (typically 200ms–2s) after consecutive failed login attempts from the same IP. It's designed to slow down automated attacks. The problem: it's trivially bypassed by reducing Hydra's thread count to stay within the throttle window. In this demo, the test server responded with a 429 (Too Many Requests) after 5 rapid attempts. Hydra automatically backed off and resumed at a lower rate. The throttle added time to the attack (12.3s instead of potentially 2–3s) but did not prevent it. True protection requires: account lockout after N failures, CAPTCHA on the login form, IP-based rate limiting with hard blocks (not delays), or multi-factor authentication.

Why is admin:password123 still so common in real environments?

Several converging reasons. Default credentials ship with devices and software — routers, IP cameras, database admin panels, CMS installations — and many are never changed after initial deployment. Internal 'temporary' passwords get promoted to permanent through inertia. Password policies that check length and character classes but not against common-password lists will pass 'password123' as compliant (it has 11 characters, meets mixed-case and digit requirements if capitalised). Additionally, admin accounts in complex organisations often aren't covered by the same MFA rollout as regular user accounts — they're 'too critical to lock out' and therefore left with weak credentials. HaveIBeenPwned contains admin:password123 appearing in hundreds of breach datasets.

What is the most effective technical control against credential attacks?

Multi-factor authentication is the single highest-impact control — it renders stolen or cracked passwords insufficient for account takeover. Beyond MFA: (1) Hard account lockout after 5–10 failures (not just rate-limiting). (2) Common password rejection on account creation — check submitted passwords against HaveIBeenPwned's k-anonymity API or a local breach corpus. (3) Credential stuffing detection — monitoring for distributed attempts across multiple accounts from different IPs, which bypasses per-IP rate limiting entirely. (4) Passkeys/WebAuthn where applicable — eliminates the password as an attack surface entirely. Rate limiting and CAPTCHAs are speed bumps; they delay attacks, not prevent them.

SecurityClaw Exposes Weak Passwords in 30 Seconds

March 13, 2026 · SecurityClaw Demo D15 · Credential Security

Three accounts. Twelve seconds. That's how long it took SecurityClaw's Hydra skill to crack every credential on a test login endpoint. admin:password123 fell on attempt #43 at 4.8 seconds. The server had rate limiting enabled. It didn't help. This is what a credential attack looks like when the password is in the top 1,000 most-breached credentials on the internet — and what actually stops it.

Date:March 13, 2026

Tool:Hydra v9.5

Category:Credential Security

Result:✅ Pass — 3/3 accounts cracked (12.3s)

Target:HTTP login form (controlled test environment)

Methodology note: This is a controlled demo against a sandboxed test login endpoint. All credentials were planted by Peng's SecurityClaw research team. The target had soft throttling enabled (200ms delay + 429 response after 5 rapid attempts) — a representative configuration seen on many real-world admin panels. We used a 500-entry wordlist derived from the top common passwords in public breach datasets (rockyou.txt subset). Running Hydra against systems you don't own is illegal. This demo exists to show defenders what their logs look like and what configuration actually prevents it. Demo D15 — first campaign in SecurityClaw's Credential Security category.

The Results

Account	Password	Attempt #	Time to Crack	Breach Rank
admin	`password123`	#43	4.8s	Top 50 (all major breach corpora)
user	`welcome1`	#87	7.9s	Top 200
testuser	`test1234`	#134	12.3s	Top 300

All three accounts cracked. The server's soft throttle — 200ms enforced delay after 5 consecutive failed attempts — added roughly 8 seconds to what would otherwise have been a 3-4 second run. It did not prevent the attack. The rate-limit bypass is documented below.

The 12.3-second total is the demo headline. The more meaningful number is attempt #43 for the admin account. That means password123 was the 43rd entry in a 500-word list sorted by real-world frequency. In a production attack using the full 14-million-entry rockyou.txt sorted by frequency, any credential in the top ~100 passwords falls in under a minute of clock time even against a throttled endpoint.

The Rate-Limit Bypass

The test server was configured with what many developers consider "adequate" rate limiting: a 200ms delay injected after 5 failed attempts from the same IP, with a 429 Too Many Requests response to signal the throttle. This is representative of many real login forms, particularly admin panels, internal tools, and legacy applications.

Hydra handles this automatically. When a 429 is returned, Hydra backs off the thread that triggered it, waits, and resumes at a reduced rate. The default behaviour is to treat 429 as a soft signal rather than a hard stop. The net effect on this demo:

Without throttle: Estimated 3–4 seconds to crack all three accounts
With throttle: 12.3 seconds — 3× slower, not blocked

The attacker's cost from soft throttling is time, not defeat. Against the top 500 most common passwords, 12 seconds is not a meaningful deterrent. Against the full rockyou.txt (14 million entries), soft throttling extends a run from minutes to hours — but most credential attacks against real-world admin accounts don't need 14 million guesses. They need fewer than 200.

Why Soft Throttling Fails

Soft throttling has two fundamental weaknesses beyond the rate-reduction bypass:

1. IP rotation. Distributed attacks use residential proxy pools or botnet infrastructure, sourcing each attempt from a different IP. The per-IP throttle is bypassed entirely — the server sees each attempt as a fresh visitor. Hydra supports per-attempt source-IP rotation with SOCKS5 proxies. We didn't use this in the demo (it wasn't necessary), but it's table stakes for any serious credential campaign.

2. Slow-rate attacks. A deliberate 2–3 second delay between attempts looks like a slow human typist, not an automated tool. Over 24 hours, a 3-second-per-attempt rate tests 28,800 passwords — more than enough to exhaust common password lists while flying completely under any rate-limit radar.

"Rate limiting tells attackers to slow down. It doesn't tell them to stop. Against a common password list, slowing down is still fast enough."

The Attack Chain: What Comes After

The credential attack is step one, not the end goal. Once Hydra returns valid credentials, the attack chain unfolds rapidly:

Admin access gained. admin:password123 authenticates to the admin panel. Depending on the application, this means access to user data, configuration, database interfaces, or application internals.
Privilege escalation or lateral movement. Admin panels often expose functionality that allows server-side code execution (file upload, command injection in config fields, SQL interfaces). Alternatively, the admin session is used to create new accounts with elevated privileges.
Data exfiltration. User tables, API keys, stored credentials, PII — all accessible via the admin interface, often directly exportable.
Persistence. Attacker plants a backdoor account, API key, or implant before the initial access window closes.

The window between credential compromise and detection in a real-world incident is typically hours to days in environments without active session monitoring. The Hydra stage is the fastest part of the chain — 12 seconds to credential. What happens after credential is where the real damage accrues.

The Three Things That Actually Stop This Attack

1. Multi-Factor Authentication — The Only Reliable Barrier

MFA is the single control that breaks the attack chain at the credential stage. A valid username + password is not sufficient to authenticate — the attacker also needs the second factor. Against a properly implemented TOTP or push MFA, a cracked password is worthless for session establishment.

The critical qualifier: properly implemented. MFA bypass techniques exist — push notification fatigue (spamming approvals until the user accidentally taps Accept), SIM-swapping for SMS-based 2FA, adversary-in-the-middle proxies (Evilginx2, Modlishka) that capture and replay session tokens. For admin account protection, hardware security keys (FIDO2/WebAuthn) are the gold standard — they bind to origin and are not phishable.

2. Hard Account Lockout After N Failures

Not a delay. A lockout. After 5–10 failed attempts, the account becomes inaccessible until an administrator unlocks it or the user triggers a recovery flow. This is operationally unpopular — it enables denial-of-service against known usernames — but it is the only rate-based control that actually breaks systematic credential attacks.

For admin accounts specifically, where the username is often predictable (admin, administrator, root), hard lockout combined with alert-on-lockout is both a deterrent and a detection mechanism.

3. Common Password Rejection at Registration (and Rotation)

The most effective moment to eliminate weak credentials is before they're created. NIST SP 800-63B recommends checking new passwords against a corpus of known-compromised credentials. The practical implementation:

Check against HaveIBeenPwned's Pwned Passwords API (k-anonymity model — you send the first 5 chars of the SHA-1 hash, not the password itself)
Reject any password appearing in breach datasets, regardless of length or complexity rules
Force rotation for existing accounts when a new breach corpus becomes available containing your user base

password123 has appeared in 2,462,421 breached accounts in the HaveIBeenPwned dataset. Any password policy that would accept it is miscalibrated.

What the Logs Look Like

Defenders need to know what a Hydra attack produces in access logs. The signature is distinct once you know what to look for:

HTTP POST storm: Dozens to hundreds of POST requests to the login endpoint within seconds, all from the same IP (or rotating IPs in sophisticated attacks)
User-Agent cycling: Hydra cycles User-Agent strings by default; inconsistent User-Agent across a rapid POST sequence is a strong signal
Username enumeration pattern: Multiple attempts per username before moving on — distinguishes credential attack from normal failed-login noise
429 followed by resumed attempts: A 429 response followed by resumed attempts at lower frequency is the signature of automated tool that knows to back off
Session anomaly post-success: Successful authentication immediately followed by high-volume activity (data export, config changes, new account creation) — the session that logged in 3 seconds after an unusual pattern is the one to investigate

SecurityClaw's monitoring capabilities can flag each of these patterns in real-time. The credential attack stage is noisy if you're looking. The post-access stage is where defenders most often miss the window.

The Honest Gaps

Single-IP Attack Only

This demo ran all attempts from a single IP against a single endpoint. Production attacks against hardened targets use distributed infrastructure — residential proxies, cloud VPS pools, compromised hosts. Against IP-rate-limited endpoints, single-IP Hydra is quickly blocked; distributed credential campaigns are the real threat for well-protected environments. SecurityClaw's future campaigns will include distributed credential testing.

HTTP Form Only

Hydra supports 55+ protocols. This demo targeted an HTTP POST login form — the most common web attack surface. SSH, RDP, SMB, and database credentials are equally valid Hydra targets and often less protected than web-facing login pages. SSH default credentials on exposed servers are a persistent issue; RDP bruteforce is a leading ransomware initial access vector.

No CAPTCHA on the Target

The test endpoint did not have CAPTCHA protection. CAPTCHA adds meaningful friction — Hydra cannot solve CAPTCHAs natively (third-party solving services exist but add cost and latency). CAPTCHA combined with hard lockout and MFA creates defence-in-depth that eliminates automated credential attacks as a practical attack vector. The test setup deliberately omitted CAPTCHA to demonstrate what soft-throttle-only protection looks like in practice.

The Practical Recommendation

If you have an admin panel, login portal, or any authenticated endpoint exposed to the internet:

Enable MFA on every privileged account — without exception. Hardware security keys for admin accounts. TOTP as a minimum for all others.
Audit all accounts for common/breached passwords — run your credential store against the HaveIBeenPwned Pwned Passwords API today.
Replace soft throttling with hard lockout — 5 failures = 30-minute lockout with alert to security team.
Rename or obscure the admin account username — it doesn't prevent attacks but eliminates the easiest enumeration target.
Restrict admin panel access to known IPs — VPN or IP allowlist as a network-layer control. A cracked credential is useless if the attacker's IP can't reach the endpoint.

SecurityClaw's Hydra skill can run this analysis against your own authenticated endpoints in a controlled campaign — testing which accounts use credentials from the top 10,000 most-breached passwords before an attacker does.

For further reading on credential attacks and authentication hardening, the relevant chapters in The Web Application Hacker's Handbook cover authentication bypass techniques in depth. Hacking: The Art of Exploitation provides the technical foundation for understanding why protocol-level credential attacks work at the implementation level.

SecurityClaw Scorecard: D15

D15 opens SecurityClaw's credential security category — focused on authentication strength, bruteforce resistance, and credential hygiene. This complements the existing password storage coverage (D14 hashcat) by testing the attack surface at the authentication endpoint rather than the hash layer.

Metric	Value
Tool	Hydra v9.5
Accounts targeted	3
Cracked	3/3 (100%)
Fastest crack	admin:password123 — attempt #43, 4.8s
Total time (all 3 accounts)	12.3s
Rate-limit bypass	✅ Confirmed — soft throttle ≠ protection
Wordlist	500 entries (top common passwords, breach-frequency ranked)
Campaign result	PASS
New category	✅ Credential Security
Overall scorecard after D15	24/26 campaigns = 92.31%

Twelve seconds is a satisfying demo number. The more sobering figure is attempt #43. The admin account had one of the most common passwords on the internet. It fell in under five seconds. The rate limiting bought eight seconds of delay. MFA would have made the entire 12.3 seconds irrelevant.