Brute-Force Web-based Login
Hydra uses the “http-{get/post}-form” or “https-{get/post}-form” module to brute-force web-based logins. The http-post-form variant targets login forms that submit their credentials to the web server in an HTTP POST request; the module lets you specify the form parameters and the condition that distinguishes a failed attempt from a successful one.
Syntax of http-{get/post}-form:
The basic syntax of the http-post-form module is given below:
hydra -l <username> -P <password_list> <target> http-post-form "<login_url>:<post_data>:<failure_string>"
- -l: Specify the username of the target.
- -P: The password file (wordlist) containing the candidate passwords.
- <target>: Hostname or IP address of the web server hosting the login page.
- <login_url>: The path the login form submits to. When a user submits their credentials, the form data is sent to a specific URL, normally the form's action attribute in the HTML source of the login page.
- <post_data>: The POST data that represents the form fields and their values. The login and password fields must be identified and replaced with placeholders, usually ^USER^ for the username and ^PASS^ for the password.
- <failure_string>: The string representing a failed login attempt. This string is used by Hydra to determine whether or not a login attempt was successful.
Example Syntax:
hydra -l admin -P pass.txt 192.10.10.02 https-post-form "/login.php:username=^USER^&password=^PASS^:Invalid credentials"
Here “admin” is the target username, “pass.txt” is the list of passwords, “192.10.10.02” is the target IP address or hostname, “/login.php” is the path of the login form action, “username=^USER^&password=^PASS^” is the POST data representing the form fields, and “Invalid credentials” is the failure string.
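From the defender's side, the run described above leaves a very recognisable trace in the web server's access log: a burst of POST requests to the form action path (here /login.php) from a single source, one per candidate password, each answered with the same failure page. The following Python script is an added example, not part of the original article or of the Hydra project, that parses Apache/Nginx combined-format log lines and flags any source IP that POSTs to the login path more than a threshold number of times within a sliding time window. The log lines are constructed for the example; the login path, threshold, window and the attacker's User-Agent string are assumptions (Hydra's http-form module sends “Mozilla/5.0 (Hydra)” by default, but that header is trivially overridden, so it is treated only as a secondary indicator).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/Nginx "combined" log format: ip ident user [time] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: 10.0.0.5 hammers /login.php once per second (brute-force
# pattern); 192.168.1.20 is an ordinary user who logs in once. Not real traffic.
SAMPLE_LOG = """
192.168.1.20 - - [10/Oct/2023:13:55:30 +0000] "GET /login.php HTTP/1.1" 200 1834 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Hydra)"
192.168.1.20 - - [10/Oct/2023:13:55:38 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Hydra)"
""".strip().splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_login_bruteforce(lines, login_path="/login.php", threshold=5, window_s=60):
    """Return {ip: peak_count} for sources that POST to login_path at least
    `threshold` times inside any `window_s`-second sliding window.
    Assumed defaults: 5 attempts in 60 s; tune to the application's real traffic."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window.
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def hydra_user_agents(lines):
    """Secondary indicator: sources whose User-Agent contains 'Hydra'.
    Weak signal only; the header is attacker-controlled."""
    ips = set()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and "Hydra" in rec["ua"]:
            ips.add(rec["ip"])
    return ips


if __name__ == "__main__":
    print("rate-based hits:", find_login_bruteforce(SAMPLE_LOG))
    print("Hydra UA sources:", hydra_user_agents(SAMPLE_LOG))
```

The rate check is the one to rely on: it keys on the behaviour the article describes (one POST per password guess) rather than on a header the operator can change. In production the same logic would read the live log and feed a rate limiter or account lockout, and the threshold should be set above the burst a legitimate user produces by mistyping a password a few times.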
Crack Web Based Login Page With Hydra in Kali Linux
Hydra is one of the most powerful open-source password-cracking programs available in Kali Linux. One of the most popular and open-source tools among hackers and penetration testers, it is used for dictionary attacks and brute-forcing. It can brute-force by sending multiple login requests very rapidly to a variety of network protocols, services, websites, and web applications. It can support more than 50 network protocols and services like Telnet, SSH, HTTP, HTTPS, RDP, SMTP, FTP, etc.
It sends a new login request with a different username and password each time until it discovers a working combination. It comes pre-installed whether you are using Parrot or Kali Linux as your pen-testing OS. The tool is also available for Windows and macOS.
Syntax:
hydra -l <username> -P <password_list> <Target Hostname> <protocol> <options>
- -l: Specify the username of the target.
- -P: The password file (wordlist) containing the candidate passwords.
- <Target Hostname>: Specify the target host or IP address.
- <protocol>: Protocol or service you want to attack.