Hydra: Web Brute Force Guide

TL;DR

This guide shows you how to use Hydra to try and guess usernames and passwords on a web page. It’s for learning purposes only – do not use this against websites you don’t have permission to test.

Prerequisites

• A Linux machine (Kali Linux is ideal).
• Hydra installed:

  sudo apt update && sudo apt install hydra

• Basic understanding of the target web application.

Step 1: Gather Information

Before you start, find out:

• Login URL: The exact address of the login page (e.g., https://example.com/login).
• Form Parameters: What are the names of the username and password fields in the HTML form? Use your browser’s developer tools (usually F12) to inspect the source code of the login page. Look for input tags with ‘name’ attributes. Common names include username, login, user, password, pass.
• Login Method: Is it a standard HTTP POST request? Or does it use GET? (POST is much more common). Again, developer tools will help you see this in the Network tab when submitting the form manually.

Step 2: Prepare Wordlists

Hydra needs lists of potential usernames and passwords.

• Username List: Create a text file (e.g., usernames.txt) with one username per line.
• Password List: Create a text file (e.g., passwords.txt) with one password per line. You can find pre-made lists online, but be careful about the source and legality of these.

Step 3: Run Hydra

Here’s how to run a basic Hydra attack:

1. POST Request Example (most common):

   hydra -l username -P passwords.txt https://example.com/login login=^USER^&password=^PASS^

   • -l username: Specifies the username to use (Hydra will iterate through your usernames list).
   • -P passwords.txt: Specifies the password file.
   • https://example.com/login: The login URL.
   • login=^USER^&password=^PASS^: This is crucial! It tells Hydra how to format the POST request, replacing ^USER^ with usernames from your list and ^PASS^ with passwords. Adjust ‘login’ and ‘password’ to match the form parameter names you found in Step 1.
2. GET Request Example (less common):

   hydra -l username -P passwords.txt https://example.com/login ?username=^USER^&password=^PASS^

   • The main difference is the URL format for GET requests, using a question mark (?) to separate the base URL from the parameters.
3. Specifying Login Type: If Hydra doesn’t automatically detect the login method correctly, you can force it:

   hydra -l username -P passwords.txt https://example.com/login login=^USER^&password=^PASS^ -f

   • -f: Forces Hydra to use the form-based login method.

Step 4: Analyze Results

Hydra will print any successful logins to the console.

• Look for lines that say “Login: valid”. These indicate a correct username/password combination.

Important Considerations

• Rate Limiting: Many websites have rate limiting in place, which will block you if you make too many requests too quickly. Hydra has options to slow down the attack (e.g., -d delay=seconds).
• Account Lockout: Repeated failed login attempts can lock accounts. Be careful!
• Legal Issues: Always get permission before testing a website’s security. Unauthorized access is illegal.
• Cyber security best practices: Use strong, unique passwords and enable multi-factor authentication whenever possible.