How to use THC Hydra for bruteforcing Web app Login Forms

Hydra is an online login cracker and form bruteforcer which supports numerous protocols to attack. It is very fast and flexible and this tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely. There are already several login hacker tools available, however none does either support more than one protocol to attack or support parallelized connects. Hydra can be used and compiled cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10) and OSX. THC Hydra tool supports the following protocols:

Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Some important options used in Hydra are :  

  • -l      : use it you have a single user name 
  • -L     : provide a list of users
  • -p     : for single password
  • -P     : password list
  • http-post-form "args" :    for post request methods  and the args are the data for related to our targets. it is divided into three parts " Path_for_target_page_or_form : field_name_to_brute_force : Check_strings_weather_failure_or_success ". And also note that at the check string part normally we can specify the failure results for example at wordpress login bruteforce, which returns "Error" at failure. And we can also put Success strings with S=, for exmaple in dvwa brute force we are using index.php which the dvwa will redirect if login attempt is successful. (the index.php string is returned by the response header at success.) Note : if the check strings is in the headers field, then it will just fine otherwise, sometimes it may not worked correctly.
  • -V :    for verbose mode
  • -t :    specify number of thread to start (default is 16)

The required data is :

  • The hostname/IP and URL
  • Whether it is a HTTPS or HTTP service
  • Whether the form supports GET or POST (or both)
  • The parameters of the request
  • The difference in response between success and failure
  • Whether any session cookies are required to be set or maintained
  • What lockout features and thresholds are enabled (if any)

Bruteforce web Logins :

For demonstration, i am using OWASPBWA vm, which you can download from here : I am using wireshark to intercept the HTTP communication, you can also use other proxy tools like Burp suite, ZAP proxy etc. The url of the login page is "". Now start wireshark at sniffing to virtual box "hostonly" network interface, and put the random username and password and hit login button. 

Now go to wireshark and filter the sniffed data for http traffic

Now right click the packet with post requests and go to Follow > HTTP Stream

Now at the HTTP post requests we can see the format of login and password data.

which is  ' log="username"&pwd="password"&submit=Login' , now this is the data we put on the bruteforce field. And in the response body there is an "Error" message.

So we can use this for weather it is failure or success. For this example i am using a username 'user' and a password list for passwords. Now the command will look like
 hydra -l user -P /home/ajay/pentest/wordlist/general/common.txt http-post-form "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&submit=submit:Error" -V
The output is

Now lets try with another web app dvwa :

Now scroll down at the Follow HTTP Stream window in wireshark and at the POST request we can see the format, which is 'username="username"&password="password"&Login=Login'.

And for check string, this time we are going to use 'S' flag which is nothing but for Success condition, it means when login attempts is successful then the web app will return redirect header 'Location: index.php', so we are going to use it as a check string. Now the command for login bruteforce will look like
 hydra -l user -P /home/ajay/pentest/wordlist/general/common.txt http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:S=index.php" -V

The output is

Brute Forcing SSH password :
 hydra ssh -s 22 -l piuser -P pass.txt -e ns 

Conclusion :

So these are the very basic use of hydra, now from here you can start experimenting with Hydra.