Brute force with Hydra


I will intercept the POST request using Burp Suite, which by the way is a good utility for testing application security. First, configure the Firefox browser: Open menu -> Options -> Network proxy options (pic. 1), so that they match the settings in Burp -> Proxy -> Options (pic. 2).







Then we go to the target site in the browser, open the authentication form and enter incorrect data into the login/password fields. We receive a 'warning message' about the incorrect data entered; we need it so that Hydra can recognize that incorrect data has been entered (pic. 3).




Go to Burp -> Proxy -> HTTP history and look for POST /index/sub/ (pic. 4).




All the necessary data is collected, so we run THC-Hydra. The example shows its help output with a brief description of the options (pic. 5).



After that, we take the information for the command line from the Burp request (pic. 4):


Where  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE

-p PASS  or -P FILE  try password PASS, or load several passwords from FILE

-f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)

-v / -V / -d  verbose mode / show login+pass for each attempt / debug mode

-s PORT   if the service is on a different default port, define it here

And ‘Cookie’.


Hydra can also be used to search for logins, and the -x option generates passwords without a file.


This article is strictly for informational purposes; the author is not responsible for other users' use of the methods described in the article.
