Brute-Force Web-based Login

Hydra uses the http-get-form and http-post-form modules (https-get-form and https-post-form for TLS targets) to brute-force web-based logins. Which one you need depends on how the login form submits its fields: http-get-form for forms that pass credentials as URL query parameters, http-post-form for forms that send them in the request body, which is the common case and the one this article uses. The module string lets you specify the form action, the field names, and the condition Hydra uses to tell a failed login attempt from a successful one.

Syntax of http-post-form:

The basic syntax of the http-post-form module (http-get-form takes the same module string) is given below:

hydra -l <username> -P <password_list> <target> http-post-form "<login_url>:<post_data>:<failure_string>"
  • -l: A single username to attack (use -L <file> for a list of usernames).
  • -P: The wordlist file containing the candidate passwords, one per line (a wordlist, not a rainbow table; Hydra guesses live against the service rather than cracking hashes).
  • <target>: Hostname or IP address of the web server. This is not a URL: the scheme comes from the module name (http-post-form or https-post-form) and the path goes in the module string.
  • <login_url>: The path the form submits to, i.e. the action attribute of the <form> element in the HTML source of the login page (or the request URL seen in the browser's developer tools or an intercepting proxy). This is often not the URL of the page that displays the form.
  • <post_data>: The POST body as the browser would send it, with the form field names exactly as they appear in the form. The username and password values are replaced with the placeholders ^USER^ and ^PASS^, which Hydra fills in on every attempt. Any other fields the form requires (hidden fields, a submit button value) must be included as well.
  • <failure_string>: A string that appears in the response to every failed login attempt and never in the response to a successful one. Hydra treats an attempt as a success when this string is absent from the response. Prefix the string with S= to invert the logic and match on a success marker instead (for example S=Welcome), or with F= to make the failure check explicit. A literal colon inside any field must be escaped as \:. Choose the condition carefully: if a lockout page, a rate-limit response or an error page does not contain the failure string, Hydra reports a false positive.

Example Syntax:

hydra -l admin -P pass.txt 192.10.10.02 https-post-form "/login.php:username=^USER^&password=^PASS^:Invalid credentials"

Here “admin” is the target username, “pass.txt” is the wordlist of candidate passwords, “192.10.10.02” is the target IP address (or hostname), “/login.php” is the path of the login form's action, “username=^USER^&password=^PASS^” is the POST data representing the form fields, and “Invalid credentials” is the failure string. Because the module is https-post-form, Hydra connects to port 443 over TLS; add -s <port> if the service listens elsewhere.
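The following is an added example that is not part of the original article and not Hydra's own code. It simulates, in Python, what the module string above makes Hydra do: split the "<login_url>:<post_data>:<condition>" string (honouring the \: escape), substitute ^USER^ and ^PASS^, submit each password, and apply the condition with the default failure-string semantics or the S=/F= prefixes. The target, the valid credential pair, the page bodies and the wordlist are all constructed for the demo; the lockout handler is there to show the false positive you get when a failure string is chosen badly.

```python
"""
Simulation of Hydra's http-post-form condition logic.

Added example, not Hydra's source code. The login handler, credentials,
page bodies and wordlist below are constructed for the demonstration.
"""
import re
from urllib.parse import parse_qs

# Constructed target: the only valid credential pair and the two page bodies.
VALID = {"admin": "letmein"}
FAIL_BODY = "<p>Invalid credentials</p>"
OK_BODY = "<h1>Welcome back, admin</h1>"


def fake_login(post_data: str) -> str:
    """Stand-in for /login.php: return the response body for one POST body."""
    fields = parse_qs(post_data)
    user = fields.get("username", [""])[0]
    password = fields.get("password", [""])[0]
    return OK_BODY if VALID.get(user) == password else FAIL_BODY


def make_lockout_login(limit: int):
    """Constructed target that serves a lockout page after `limit` attempts.

    The lockout page contains neither the failure string nor the success
    string, which is exactly the situation that fools a failure-string check.
    """
    attempts = {"n": 0}

    def handler(post_data: str) -> str:
        attempts["n"] += 1
        if attempts["n"] > limit:
            return "<p>Too many attempts, try again later</p>"
        return fake_login(post_data)

    return handler


def split_module_string(spec: str) -> list[str]:
    """Split the module string on ':' while honouring Hydra's '\\:' escape."""
    return [part.replace("\\:", ":") for part in re.split(r"(?<!\\):", spec)]


def matches_condition(body: str, condition: str) -> bool:
    """Return True when the response body counts as a successful login.

    Hydra's rules: "S=<text>" means success iff <text> is present;
    a bare string or "F=<text>" means success iff <text> is absent.
    """
    if condition.startswith("S="):
        return condition[2:] in body
    if condition.startswith("F="):
        condition = condition[2:]
    return condition not in body


def brute_force(spec: str, username: str, wordlist, send=fake_login):
    """Replay Hydra's loop: return the first password satisfying the condition.

    Only the first three fields are used here; Hydra's optional H=/C= fields
    for extra headers and cookies are not modelled.
    """
    login_url, template, condition = split_module_string(spec)[:3]
    for password in wordlist:
        post_data = template.replace("^USER^", username).replace("^PASS^", password)
        body = send(post_data)
        if matches_condition(body, condition):
            return password
    return None


SPEC_FAIL = "/login.php:username=^USER^&password=^PASS^:Invalid credentials"
SPEC_OK = "/login.php:username=^USER^&password=^PASS^:S=Welcome"
WORDS = ["123456", "password", "admin", "letmein"]  # constructed wordlist


if __name__ == "__main__":
    # Both conditions find the real password on a target that behaves itself.
    print("failure string:", brute_force(SPEC_FAIL, "admin", WORDS))
    print("success string:", brute_force(SPEC_OK, "admin", WORDS))
    # With a lockout after two attempts the failure-string check reports the
    # third candidate as a hit (false positive); the success-string check does not.
    print("lockout, failure string:", brute_force(SPEC_FAIL, "admin", WORDS, make_lockout_login(2)))
    print("lockout, success string:", brute_force(SPEC_OK, "admin", WORDS, make_lockout_login(2)))
```

The last two calls are the point of the example: against the locked-out target the failure-string run reports "admin" as a valid password although it never was, while the success-string run simply finds nothing. Before a real run, send one known-bad attempt by hand and confirm the chosen string really appears in that response and in no other response the application can return.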

Crack Web Based Login Page With Hydra in Kali Linux

Hydra is one of the most widely used open-source network login crackers available in Kali Linux. Popular among penetration testers and red teamers, it performs dictionary and brute-force attacks against live services rather than against captured password hashes. It works by sending many login requests in parallel to a network protocol, service, website or web application, and supports more than 50 protocols and services, including Telnet, SSH, HTTP, HTTPS, RDP, SMTP and FTP.

It sends a new login request with a different username and password combination each time until it discovers one that works (or exhausts the wordlist). It comes pre-installed on both Kali Linux and Parrot OS, and is also available for Windows and macOS.

Syntax:

hydra -l <username> -P <password_list> <Target Hostname> <protocol> <options>
  • -l: A single username to attack (use -L <file> for a list of usernames).
  • -P: The wordlist file containing the candidate passwords (use -p for a single password).
  • <Target Hostname>: The target hostname or IP address.
  • <protocol>: The protocol or service module to attack, for example ssh, ftp or http-post-form.
  • <options>: Module-specific options, such as the module string for http-post-form, or global flags such as -s <port> for a non-default port, -t <n> for the number of parallel connections, -f to stop after the first valid pair is found, and -V to print every attempt.

Conclusion:

It is unethical and illegal to use Hydra to try to break into a web-based login system, or any other system, without proper authorization. Doing so is a breach of privacy and computer security and may result in serious repercussions such as legal action and criminal charges. If you have concerns or suspicions about the security of a login page or a system, report them to the system owner or the appropriate authorities. Security can be improved through ethical, responsible disclosure without breaking the law or your moral obligations.