Monday, 22 August 2011

Using Hydra to dictionary-attack web-based login forms

Hydra is an online password cracking tool which can be used to dictionary-attack various services by trying lists of usernames and passwords until a successful login is found. It is multi-threaded and can be very fast, trying username/password combinations at a rate of thousands per minute.

Hydra can be used to attack many different services including IMAP, SMB, HTTP, VNC, MS-SQL, MySQL, SMTP, SSH, and many more.

(Hydra is to online cracking of passwords what John the Ripper is to offline cracking of password hashes.)

Often, web-based login forms authenticate using the HTTP POST method, but judging from several blogs I have read on this subject, it sounds like some people have great difficulty in getting Hydra to work effectively in this situation.

I have had a great deal of success with Hydra, so here I describe how to get Hydra working with web-based form logins.

This attack is not limited to websites, and I would argue that it is more suited for gaining login access to software products that have a web UI, for example in penetration tests.

This tool should not be used to attack websites or services where you do not have permission to do so. Use this for legitimate testing purposes only.

Some differences between online and off-line password cracking

There are significant differences between online and off-line password cracking.

With off-line cracking, you have the hashes on your system, they are static, and you can try dictionary, hybrid, and brute-force attacks to your heart's content. You have as long as you want, and you can try many billions of attempts in a short space of time.

The attack success is purely dependent on password strength versus processor power and time (and few user-chosen passwords will be strong enough to last).

With online password attacks there are more issues to consider, such as network bandwidth, account lockouts, tar-pitting, changing passwords, and detection in logs and IDS.

Online attacks are more suited to relatively small and focused dictionary attacks rather than exhaustive brute-force.
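The "detection in logs" issue listed above, seen from the defender's side, as an added example that is not part of the original post: it scans Apache combined-format access log lines for bursts of POSTs to the login form used later in this article, then lists the responses that differ from the usual failure response. The log lines, IP addresses, window, threshold and response sizes are constructed assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Form action taken from the article's example; everything else is an assumption.
LOGIN_PATH = "/w3af/bruteforce/form_login/dataReceptor.php"
WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 10                   # assumed max login POSTs per source per window

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse(line):
    """Return (ip, ts, method, path, status, size) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m["size"] == "-" else int(m["size"])
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"]), size

def detect(lines):
    """Flag sources exceeding THRESHOLD login POSTs within WINDOW."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs inside the window
    history = defaultdict(list)   # ip -> every login POST as (ts, status, size)
    first_alert = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status, size = rec
        if method != "POST" or path != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:          # drop attempts older than the window
            q.popleft()
        history[ip].append((ts, status, size))
        if len(q) >= THRESHOLD and ip not in first_alert:
            first_alert[ip] = ts
    report = {}
    for ip, alert_ts in first_alert.items():
        # The most common (status, size) pair is taken to be the failure page.
        # A response that differs may be a successful guess and deserves a
        # password reset review. Real failure pages can vary slightly in size.
        shapes = Counter((s, n) for _, s, n in history[ip])
        failure_shape = shapes.most_common(1)[0][0]
        outliers = [(ts.isoformat(), s, n)
                    for ts, s, n in history[ip] if (s, n) != failure_shape]
        report[ip] = {
            "attempts": len(history[ip]),
            "first_alert": alert_ts.isoformat(),
            "failure_shape": failure_shape,
            "outliers": outliers,
        }
    return report

def sample_log():
    """Constructed log lines: one normal user and one rapid-fire source."""
    base = datetime(2011, 8, 22, 13, 11, 3, tzinfo=timezone.utc)
    def line(ip, offset, method, status, size):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {LOGIN_PATH} HTTP/1.1" {status} {size} "-" "-"'
    lines = [line("198.51.100.7", 0, "GET", 200, 620),
             line("198.51.100.7", 5, "POST", 200, 412)]
    lines += [line("203.0.113.5", 10 + i, "POST", 200, 412) for i in range(14)]
    lines.append(line("203.0.113.5", 24, "POST", 302, 0))   # differs from failures
    lines.append("truncated or malformed line")
    return lines

if __name__ == "__main__":
    for ip, info in detect(sample_log()).items():
        print(ip, info)
```

Feeding this from the web server's live log and pairing the alert with lockout or tar-pitting on the flagged source covers the other online-attack obstacles named above.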

A simple Hydra SSH example

Here is a simple example of running a Hydra attack against an SSH server.

hydra ssh2 -s 22 -P pass.txt -L users.txt -e ns -t 10

This will attack the system on port 22 with the SSH protocol, 10 threads at a time, and try all the combinations of usernames and passwords supplied in the files users.txt and pass.txt (plus empty passwords and passwords the same as the username).

This can take a while, so it is best to only use usernames you know exist, and a relatively small list of passwords (many thousands rather than many millions). This attack generally works very well for simple dictionary passwords.

Web-based login forms prerequisites

For web-based forms, you have to know much more about the form you are attacking before you start the attack. Every web-based form is slightly different: different URLs and parameters, and different responses for success or failure.

You need to know:
  • The hostname/IP and URL
  • Whether it is an HTTPS or HTTP service
  • Whether the form supports GET or POST (or both)
  • The parameters of the request
  • The difference in response between success and failure
  • Whether any session cookies are required to be set or maintained
  • What lockout features and thresholds are enabled (if any)
Not knowing or understanding the above information can be a big cause of failure.

For the parameters of the request, you can intercept and examine a normal login attempt with a web proxy (such as owasp-zap, webscarab or burpsuite) or use a browser plugin (such as tamperdata) or just look at the HTML form.

An example attack

The Web Security Dojo VM has various vulnerable applications that you can use to test these techniques. As an example, the w3af testing framework has a test login at the following location

The important parts of the HTML form are:

<form name="input" action="dataReceptor.php" method="post">
<input type="text" name="user">

<input type="password" name="pass">

If we put in one wrong username and password combination we get:

Bad login, stop bruteforcing me!Bad u/p combination for user: a

So, now we have the information we need to attack this login form, we can use this info to construct a Hydra brute-force attack as follows:

hydra http-form-post "/w3af/bruteforce/form_login/dataReceptor.php:user=^USER^&pass=^PASS^:Bad login" -L users.txt -P pass.txt -t 10 -w 30 -o hydra-http-post-attack.txt

If we break this up

Host =
Method = http-form-post
URL = /w3af/bruteforce/form_login/dataReceptor.php
Form parameters = user=^USER^&pass=^PASS^
Failure response = Bad login
Users file = users.txt
Password file = pass.txt
Threads = -t 10
Wait for timeout = -w 30
Output file = -o hydra-http-post-attack.txt

Hydra basically iterates through all the username/password combinations, until it gets a response that does not contain the text "Bad login". When we run this attack we get:

Hydra v6.5 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
Hydra ( starting at 2011-08-22 13:11:03
[DATA] 5 tasks, 1 servers, 5 login tries (l:5/p:1), ~1 tries per task
[DATA] attacking service http-post-form on port 80
[STATUS] attack finished for (waiting for children to finish)
[80][www-form] host:   login: admin   password: 1234
Hydra ( finished at 2011-08-22 13:11:07

As you can see, this was successful and found the user "admin" with password "1234".

Other examples

HTTPS forms can be brute-forced in exactly the same way by changing the method to "https-form-post".

Similarly there are the GET equivalents, of "http-get-form" and "https-get-form", though this type of method is really not recommended for web-based login forms (due to confidential information being passed in the URL, which can appear in proxy-logs, and browser history). Some forms do exist out there that use this.

Sometimes you need to look for text that means "success" rather than the absence of text that means "failure". If you put "S=" in front of the failure string, it becomes a success string check, for example


Remember that the "failure" or "success" string does not have to be part of the HTML of the page. These strings could be information in the response headers, such as cookies being set, or locations of redirects. There are flexible options for dealing with pretty much any type of response, as long as it is repeatable, and there are distinct differences between success and failure.

Other, more complex examples may be where you need to specify particular header values, or use an additional page to obtain browser cookies before the form is submitted. These can be done by adding the additional parameters "C=" and "H=" on the end:

"/foo.php:user=^USER^&pass=^PASS^:S=success:C=/page/cookie:H=X-Foo: Foo"

All in all, this is a pretty straightforward and very effective tool, as long as you understand how the form is working, and what parameters are required, before you start the attack.


  1. Replies
    1. Thanks for your very useful Information. I will bookmark for next reference. I really liked this part of the article. I wait for the next post.

  2. hey, I want to hack you give me a script for that...I keep getting unknown service error... username name is usrname and password name is pass..thanks

    1. go read a fucking book you mongloid

    2. where the fuck is password list fuck ur this tut

    3. make your own password list you lazy fuck

    4. make your own password list you lazy fuck

    5. and again: make your own password list you lazy fuck :))

    6. yeah fuck

    7. ya fuck shit retard

    9. what do i do with this as the login code?

      Access Code Required
      div class="col1" style="text-align:center"The page you requested is protected. You must enter the Device Access Code in order to continue.
      The Device Access Code is printed on the side or bottom of your DSL device

      form method="post" action="/cgi-bin/login.ha"
      input type="hidden" name="nonce" value="71ab68d900bc9219c52a790373d48d107ea84e7f0d5f57b0" /

      Device Access Code input type="password" name="password" maxlength="20" value="" autocomplete="off" /

      script language="javascript" type="text/javascript"


      input type="submit" name="Continue" class="cssbtn btnspacer" value="Continue" /

    10. I tried this but no luck...

      hydra -L Desktop/login.txt -P Desktop/10numlist.txt http-form-post "/cgi-bin/login.ha:user=^USER^&pass=^password^:The Password you entered is not correct." -t 10 -w 30 -o hydra-http-post-attack.txt

  3. thank you for your information.

  4. thanx a lot man...

  5. fucking skiddies dont need to have these capabilities

    1. I'm sure that you're not a skiddie yourself, right ;)

      I am guessing it's similar with those closet gays who keep calling everyone else gay to hide their true self.

      It's not as if someone reads an article on how to do something they're automatically a skiddie. You have to read up on things somewhere, it's not as if you're automatically a pro who knows every feature of a program right off the bat.

      Keep it at!

    2. your approach is called "security through obscurity" and guess what... in the long run, it doesn't work. i've looked this up because i'm looking for a way to figure out reliable criteria for a secure password because i don't fucking trust the "6 characters and at least one number" thing. if tools like hydra and this tutorial were kept away from the general public, the only people who would find out how to use them would be criminals (they have the strongest motivation to crack passwords, and they will use illegal methods of acquiring information on how to do it too), and normal people, webmasters and admins will have no method to figure out how to defend themselves.
      saying that this information shouldn't be available is like saying that warning people of common burglar tactics should be illegal because the information could be used by actual burglars. guess what? the burglars already know!

    3. Shut up you fucking tool.

    4. I agree with anonymous

    5. security through obscurity never works... no different from getting flat tyre... someone always has a jack even if you don't know how to tackle the job those that do will always find a way and those that want to will learn to. this way everyone knows.

    6. Haters gonna hate.

      Everyone starts somewhere, nobody starts a pro, but the problem with people asking for help online isn't that asking for help is a bad thing, it's when somebody says 'can you hack this for me please' or 'give me a script for this'. It just shows that a) this person doesn't understand what they're doing and b) they don't want to understand or are too impatient to put the time in. So that's why nobody wants to help you, because they don't like contributing to a fruitless task when nothing is gained from it for anyone.

  6. very nice Post , But can tell me if my Source page show like it :

    <input class="form_input ltr" id="user" type="text"

    how can i do it ? its not name="user" and hydra dont put my username and password

    1. surely in your case is sent for AJAX

  7. Hmm i always seem to get false positives what ever success or fail string I enter.

  8. can any1 telll me how to hack gmail?

    1. fucking skid .

    2. use hydra-gtk i dont remember what port but its easy

    3. Google It!

    4. install xhydra(hydra GTK)
      for target type
      port 465
      protocol is smtp...then use what you need in the next tabs..

  10. When there is no Username input there,only password field is there,how u configure in hydra

  11. if the the field submit not have a name, what can i do? its safe?
    Please reply me, i study for prevent attacks

  12. can you make clip for https-post-form with set cookie?

  13. i am trying to brute force dvwa level medium, but it doesn't function, has someone already brute force dvwa with hydra? if so, thank you for helping me..

  14. quick question. i've been at this for hours. (thanks for the explanations above, btw. good teaching.)

    is there any way to specify successful or failed login responses with http-get? (as opposed to post).

    i'm testing/learning on a login page that uses http-get, and returns nothing (in tamper data or through burp) that indicates a failed login response. however, i know what the successful login response should/would be. it seems that this feature is relegated only to the lumped in parameters belonging to -post data though (/:USER&PASS: or ) .. is there any way to implement the fail/success indication with -get?


  15. edit:

    sorry, that should say something more like (/:USER&PASS: [failed dialogue] or [S=success dialogue])

  16. ok ... i did that but.... that page have many translation. which language use to get error message ?
    i tried in english: error message is "The password you entered is incorrect "

    i tried: hydra -l ******* -P '/root/Desktop/pass' http-post-form "/login=1:email=^USER^&password=^PASS^&submit=Sign+in:The password you entered is incorrect" -vV -f

    with that syntax pass found are not stable, i get random pass , if try once i get a pass if try 2nd i get other pass

    if use Success message: title of page is "Search for people on Twoo"

    hydra -l *************-P '/root/Desktop/pass' http-post-form "/login=1:email=^USER^&password=^PASS^&submit=Sign+in:S=Search+for+people+on+Twoo" -f -vV

    i get no pass : " 1 of 1 target completed, 0 valid passwords found "

    1. burp suite don't help me to get login button form :( :(((

      i get : action=login&email=PUT_USERNAME&password=PUT_PASS

      i give you host: .... may somebody will view source code and can see where is mistake or what is problem ..

  17. Hi Ben, may I ask what is the Hydra script for this form :
    Thanks in advance

    1. p.s. that I need Expert and Admin passwords.

  18. hi
    need help
    cant get work
    where is my fault
    in /phone2.html/action?

    $hydra http-form-post "/phone2.html/infopce:id=^USER^&pwd=^PASS^:Access denied" -l admin -P 'Micro.txt' -t 10 -w 30 -o output-hydra.txt

    page source:


    1. "" -> I think you mistook hostname with your own IP

      For example if you want to bruteforce a page called your command would look like:

      hydra http-form-post "/phone2.html/infopce:id=^USER^&pwd=^PASS^:Access denied" -l admin -P 'Micro.txt' -t 10 -w 30 -o output-hydra.txt

      and make sure your password dictionary "Micro.txt" is on the directory from where you're making the command, or just put the whole path so that it will look like : -P '/path/to/your/file/Micro.txt'

      Also if it doesn't work, try putting "http-post-form" instead of "http-form-post"

  19. Hey I'd like some help about one thing actually,
    I've been able to bruteforce successfully some http-form websites with my own username, but I'm currently blocked with a command for one http form.

    The login informations of the source code:

    "LoginControl_UserName" id="LoginControl_lblUserName">Identifiant
    name="LoginControl$UserName" type="text" value="trololol" id="LoginControl_UserName" class="tbx-identifiant"

    "LoginControl_Password" id="LoginControl_lblMotDePasse"
    name="LoginControl$Password" type="password" id="LoginControl_Password"

    "LoginControl_RememberMe" id="LoginControl_lblRemember" class="checkbox" id="LoginControl_RememberMe" type="checkbox" name="LoginControl$RememberMe"

    type="button" title="Se connecter" id="LoginControl_LoginButton" onclick="WebForm_DoPostBackWithOptions(new WebForm_PostBackOptions('LoginControl$LoginButton', '', true, '', '', false, true))" class="bouton bouton-connexion" class="bouton-icone"

    In the last paragraph the login button has no name! I've searched a lot on the internet but couldn't find the solution. Do I have to use the "type"; "title" or "id" as Login parameter?
    I tried to launch it without login parameters but I get the "16 correct passwords" error.

    Here is my command:

    hydra -l user -P '/root/Desktop/pass.txt' www.********.net http-form-post "/:LoginControl$UserName=^USER^&LoginControl$Password=^PASS^:incorrect"

  20. where the fuck is password list?

    1. go to "/usr/share/wordlists/"
      .. you'll find some password lists there.

  21. What is the command line to create the password.txt and username.txt file ??? which cracks the usernames and passwords of a server...

    1. make a text document with notepad, fill it with words, and use it

  23. Great post, however if the password isn't in the password file it won't work.

  24. Great post. By the way - do you know why Hydra make two requests in http-form-post: 1st is GET and 2nd is POST ? My server logs and Wireshark confirm it. One more request is definitely not necessary. I can't find how to switch it off?

    1. Maybe it needs to get a session cookie first from the server?

  26. different forms have different output or response for the wrong or incorrect password, how do i find the response? im no expert btw just trying to learn :P this stuff always comes in handy.....

  27. Each time I run hydra with all the fields populated correctly, it shows the attempt for about 10 different passwords (I used -l admin to limit the attempts) and says they're all correct. The odd thing is, they're random passwords found towards the beginning of a list I'm using, and aren't in the same order they appear on the list. I've had this same problem with all other attempts with Hydra and even Medusa. I've seen suggestions that it is because of an auth. cookie, but I'm running this test against the Web Sec Dojo VM from my Kali VM. I thought there was some issue with it locating the page, but when I tried botching the .php form name, it doesn't show any attempts of brute-forcing, so I'm quite certain this is actually reaching the correct form.

    Why do all the passwords show as valid? Thanks!

    1. This ended up being a problem with access from my Kali VM to my Web Sec Dojo VM. Checking the Apache logs showed logs from my Kali IP with 403 and 529 from Hydra. Modifying the primary .htaccess file and adding the Kali VM IP allowed a new Hydra test to report only 1 successful IP (the right one).

  28. How would I know what Protocol to USE ?? and what PORT ??

  29. hi there
    I m trying to use hydra 7.5 on windows 8.1 genuine, when ever i m trying to crack password it show me this message hydra 4788 find_fast_cwd: WARNING: Couldn't compute FAST_CWD pointer
    please help i will be thankful for your response on this mail

    1. Easy:

      -Go to your C:/ folder
      -CTRL + A
      -Get Linux.

  31. its not showing me correct password

  33. Well done - Especially info on the use of cookie headers! Thank you :)

  47. I couldnt find the login and pwd for: using hydra

  50. So - seen an interesting way of blocking thc-hydra's most basic Web Form attack- using GUID URIs on the POST for ASP forms. Given that's in the reply, can it be harnessed for chaining forward? Purely academic interest, namely actually thinking that solution isn't that secure.

  51. What I want to know is does Hydra blend?

  52. Thanks great tut!

  54. Who can help me brute attack site with hydra?
    Thank you so much !

  55. How do I mimic URL = /w3af/bruteforce/form_login/dataReceptor.php?

    The web page source is method="post" action=""

    There is no php for me to use
