In this post i will be talking talking about hydra, the powerfull tool to make login bruteforce attack which supports many different services, this is one of most used tools with a Hackers, CTF players, Security Student, etc… In short, is the one most tool used by the Hacking community.
Hydra Support Many protocots that including FTP, SSH, HTTP, SMB, SMTP, Telnet, VNC, Cisco AAA, LDAP and others more, but in this post i will only focus in HTTP. HTTP protocol in hydra include Both the protocol and the method like GET or POST.
Let’s begin!!
This post is only with EDUCATIONAL PURPOSE and I’m not responsible for the misuse of this information.
Before begin to run attack to the web login first we must analyze the source code, so hydra will know which fields to attack…commonly to this fields named username and password, others developers call them at will.
After analyze the code and look what is the name on the Username field and Password field, let’s prepare the command to attack the login. known that user is molly.
Hydra Command is that…
hydra -l molly -P ~/rockyou.txt hydra.test http-post-form “/login:username=^USER^&password=^PASS^:F=incorrect”
Don’t worry if you don’t understand it, I’ll explain it below.
Demo…
I use a rockyou dictionary to attack and i did edit the /etc/hosts to translate the ip to a name. This is to your convenience.
Conclusion
Hydra is a very fast network logon cracker which supports many different services, but this is not supposed to be used for criminal and/or non-legal purposes.
Follow me on twitter: https://twitter.com/n0obit4
Look at my github: https://github.com/n0obit4