How To Hack Email Accounts Using Hydra In Kali Linux

by Sunny Hoi

Today, I’m gonna show you how to hack any email account using Hydra in Kali Linux, which is based on Debian and built for digital forensics and penetration testing.

It’s pretty simple, really.

The tricky part is getting around the protections implemented by numerous email providers. Circumvention is indeed possible as illustrated in this article.

Essential brief instructions provided in this article include:

  • How To Carry Out Bruteforce Attacks On Targeted Email Accounts Using THC Hydra In Kali
  • Methods For Circumventing Bruteforce Protections And False Positives Implemented By Popular Email Providers
  • How To Stop Successful Bruteforcing Attempts On Your Own Email Account
  • Brief Overview Of How To Bypass Two Factor Authentication (2FA) On Target’s Phone

What is THC Hydra Cracker (Linux Edition)?

Hydra is an extremely efficient network login cracker which is not merely limited to brute-forcing email address providers, but also capable of attacking SSH servers and other important services.

Hydra is a handy tool for cracking remote authentication services and a frequent one in an attacker’s arsenal.

We’re gonna utilize the command line version of Hydra. Why? Because it makes us look less of a script kiddie and more like a state actor! Haha. I’m funny, right?

Beware that some email providers have brute force detection and will throw in false positives! There may also be single IP address bans for multiple brute force attempts. A false positive means the provider feeds the brute forcing program, and the hacker, a false password that appears to be correct but is in reality incorrect. This creates confusion for the inexperienced hacker. Nevertheless, I’m gonna show you how to get around these protections later in the article.


CAUTIONARY NOTE: This article is solely for educational purposes. It’s not recommended to use this tool in a live production environment, notably government and enterprise entities.

Remember actions come with consequences. I’m not responsible for your own actions, you are. If you do something illicit, you may very likely get caught and defeated by an advanced adversary. The possibility strongly exists.

If you live in North Korea/China/Russia, are part of a ruthless elite state sponsored hacking group, and work for Great Marshall Kim Jong Un or some kind of Chinese/Russian top tier 1337 hax0r organization, then this cautionary reminder is probably meaningless to you.


Proceed at your own risk.


If you know the target’s account name (email address), it puts them at risk regardless of any brute force protections by email providers like Gmail, Yahoo, Hotmail, Yandex, or whatever crap people use nowadays.

I’ve always believed that popular email providers like Google Mail (Gmail), Hotmail, Yahoo, and Yandex will tolerate a lot of suspicious activities before ever considering locking the targeted account. Therefore, this provides the attackers substantial benefits if they know what they’re doing.

Millions of email users typically endure the inconvenience of unlocking their email accounts using a phone number or secondary backup email address. Hence, it shouldn’t be easy at all for the email provider to lock the target’s email account.

Remember if using dictionary attacks fail, you can always resort to keen sophisticated spear phishing attacks to obtain the desired email passwords from your target!


You need a wordlist to become a 1337 hax0r in this tutorial. The wordlist is a list of potential passwords used to repeatedly guess and access the target’s email address.

Depending on the size of the wordlist, the number of dictionary-based passwords may be small or large.

I recommend using a superior wordlist that consists of thousands and thousands of distinctive password combinations, which will maximize your chances of brute-forcing the password.

For this tutorial, we’re gonna use the default wordlist in Kali located at: /usr/share/wordlists/rockyou.txt.gz

Here is how to find the location of the wordlist in Kali:

Extract the wordlist inside rockyou.txt.gz called rockyou.txt and drag the wordlist onto your Kali desktop.

Open Up A Terminal

When you type hydra in the terminal, you will be presented with various syntaxes and options.

In your terminal, type in hydra.


hydra smtp -l -P ‘/root/Desktop/rockyou.txt’ -s 465 -S -v -V

We use the following hydra command where you will replace some of the information based on the victim’s email server, port number, and email account name:

hydra smtp -l victimsaccountname -P ‘/root/Desktop/rockyou.txt’ -s portnumber -S -v -V

The SMTP server (For example, if the victim is a Gmail user) is the victim’s email provider.

-l refers to the victim’s Gmail login account information.

-P ‘root/Desktop/rockyou.txt’ refers to the directory path where you initially dragged and stored your extracted wordlist onto your Kali Linux.

-s 465 sets the port number. Port 465 is the SMTPS port, where SSL encryption is started automatically.

For the demonstration, I’ve created a dummy Gmail account, and it was very easy to crack the password since I intentionally set the password to a single English word: princess. It took about 30 tries to crack the password.

Jeez, if life was that easy.

The more complex a password is, the more difficult it is to brute force it successfully.

The longer it takes, the more likely a false positive will be generated depending on who the email provider is.

Suck it up, princess!

Method For Hiding IP Address And Avoiding Single IP Address Bans When Bruteforcing Email Passwords

Simple: Use Tor. Route all Kali traffic through Tor using Whonix as I’ve explained here. Tor Exit IPs rapidly change which prevents single IP ban lockouts from brute forcing attempts.

If the email provider bans Tor exit nodes, you can circumvent using other proxies/VPNs. If you want to increase your anonymity, go with a Tor > VPN setup. This is recommended merely if you purchased your VPN using Bitcoins. This way the VPN provider won’t see your real IP address when brute forcing and will merely see the Tor IP if an investigation is commenced by law enforcement. A multi-hop VPN doesn’t hurt either.

Dictionary attacks are simple. Thus, you won’t see drastically diminished speeds when using proxies to mask IPs in brute-forcing activities. Of course, your CPU and RAM usage is taken into account.

To add another anonymity layer, consider using internet connections that are not associated with your home.

Get Yourself A Botnet Of Multiple Million IP Addresses

Of course, a classic botnet. With this method, you may make relatively slow brute force attacks on the target. Always remember that the more accounts you are going to work on concurrently, the fewer attempts you will make on each account and the less likelihood that each account will get locked. Do not make too many attempts per day from a single IP address.

While it’s not really a good idea to utilize a world-class botnet to brute force an insignificant email account, do note that a moderately weak password consisting of some common English words followed by a couple of digits is certainly susceptible to a successful massively distributed brute-force attack. This is ONLY if the black hat hacker CHOOSES to act in this manner.

Seriously, the potential victims ought to not piss anyone off!

This brings us to:

How To Prevent Bruteforce Attempts On Your Own Email Account

While email providers use CAPTCHAs and other methods to weaken dictionary attacks against email accounts, their protections can be circumvented by an advanced adversary.

The best ways to defeat these brute force/dictionary attacks by Hydra are to:

  • Use strong, complex passwords. NOT: omghello289  But something more LIKE: *f&22=4uz(xH^#wySqQRx;]?R96%76Wb,3
  • Use two-factor authentication (2FA)
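
If you run your own mail server, single IP bans alone miss guessing that is spread across many source addresses, so failed logins need to be counted per account as well as per IP. The Python sketch below is an added example, not part of the original article; the log format, thresholds, alert names and sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format for this example; adapt the regex to your MTA's real auth log.
LINE = re.compile(r"(?P<ts>\S+) auth=(?P<res>fail|ok) user=(?P<user>\S+) ip=(?P<ip>\S+)")

def build_sample_log():
    """Constructed sample data (documentation IP ranges, example.org accounts)."""
    t0, rows = datetime(2024, 5, 1, 10, 0, 0), []
    def add(offset, res, user, ip):
        rows.append(f"{(t0 + offset).isoformat()} auth={res} user={user} ip={ip}")
    for i in range(7):    # one source hammering one account
        add(timedelta(seconds=10 * i), "fail", "bob@example.org", "198.51.100.7")
    for i in range(10):   # ten sources, one guess each, against one account
        add(timedelta(minutes=3 * i), "fail", "alice@example.org", f"203.0.113.{i + 1}")
    add(timedelta(minutes=31), "ok", "alice@example.org", "203.0.113.99")
    add(timedelta(minutes=5), "fail", "carol@example.org", "198.51.100.20")  # ordinary typo
    add(timedelta(minutes=6), "ok", "carol@example.org", "198.51.100.20")
    return "\n".join(sorted(rows))  # ISO timestamps sort chronologically

def detect(log, window=timedelta(hours=1), max_per_ip=5, max_per_user=8):
    """Return a set of (kind, subject) alerts from a chronologically ordered auth log."""
    by_ip, by_user, alerts = defaultdict(list), defaultdict(list), set()
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue  # skip lines that are not auth events
        ts, user, ip = datetime.fromisoformat(m["ts"]), m["user"], m["ip"]
        # Keep only failures inside the sliding window for this source and this account.
        by_ip[ip] = [e for e in by_ip[ip] if ts - e[0] <= window]
        by_user[user] = [e for e in by_user[user] if ts - e[0] <= window]
        if m["res"] == "fail":
            by_ip[ip].append((ts, ip))
            by_user[user].append((ts, ip))
            if len(by_ip[ip]) > max_per_ip:
                alerts.add(("noisy_ip", ip))
            # Per-account counting catches guessing spread over many sources.
            if len(by_user[user]) > max_per_user and len({s for _, s in by_user[user]}) > 1:
                alerts.add(("distributed_guessing", user))
        elif len(by_user[user]) > max_per_user:
            # A login that succeeds right after a burst of failures deserves review.
            alerts.add(("success_after_failures", user))
    return alerts

if __name__ == "__main__":
    for alert in sorted(detect(build_sample_log())):
        print(alert)
```

In the sample data no address targeting alice@example.org exceeds the per-IP limit, so only the per-account counter flags that account.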

Of course, strong complex passwords can be defeated by hacking the email provider’s site/server and getting a hold of the account information in the databases. (Whether the data is encrypted is another question.) A security compromise of the email provider is a separate discussion saved for another time.

Brief Explanation Of Bypassing Two Factor Authentication (2FA) On Target’s Phone.

Just because someone uses 2FA on their cell phones doesn’t make them completely safe from a hacker interested in their email and social media accounts! It’s just another layer of protection that CAN be bypassed. This will largely depend on the level and expertise of the adversary.

In fact, we can defeat the target’s two-factor authentication by social engineering. A smart hacker can call the target’s cell provider and change the phone’s SIM. How? Well, an adversary can reroute a target’s text messages to a different SIM card, retrieve the target’s two-factor code, and get into any email and social media accounts of the target. An adversary can retrieve account verification texts. If the adversary is smart at all, he shall use a voice changer to mask his real voice to circumvent phone voice calling recorded by the cell service provider!

Looks like I’m giving out too many ideas. Lol.

I hope you enjoyed this tutorial and the educational information I have provided in this article.

Have a great day!
