Hydra – Brute Force HTTP(S)-优快云博客

本文介绍如何使用Hydra工具进行HTTP和HTTPS服务的暴力破解。通过详细步骤讲解，包括收集目标网站登录页、请求体及错误消息，构建Hydra命令进行用户信息暴力破解。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

In this tutorial, I will be demonstrating how to brute force authentication on HTTP and HTTPS services.

Basic Hydra usage – HTTP
hydra -l <USER> -p <Password> <IP Address> http-post-form “<Login Page>:<Request Body>:<Error Message>”

Options
-l Single Username
-L Username list
-p Password
-P Password list
-t Limit concurrent connections
-V Verbose output
-f Stop on correct login
-s Port

Hydra HTTP

Brute forcing authentication using Hyrda on a web service requires more research than any of the other services. We will need three main things from the website. The login page, request body, and the error message.

Website Login Page
Let’s start with the main login page we can see the Username and Password fields.

Inspect Elements
Now that we can see the website we need to inspect the page. Right click on the page and select “inspect element” from the drop-down menu.

Website Headers
Now that we are in the “inspect elements” section we need to get into the headers area.
Select the Network tab and then attempt to login (This will fail to log in). After the login fails click on the POST Method and then click on “Edit and Resent.”

Information Gathering
In this view, we need to focus on four things. Hostname/IP, Login Page, Request Body, and the error message.

Command Build
With all the information that we have collected now let’s build the hydra command.
Change the <Login page> this value has to start with “/” backspace.
Change <Request body> with the format from the page. We do need to modify the username and password. Replace the failed username with ^USER^ and the failed password with ^PASS^. This change will allow hydra to substitute the values.
Change the <Error Message> with the failed login error message.
Change the <IP Address> with either an IP address or hostname.
Change the <User> with either username or username list.
Change the <Password> with either a password or password list.

Layout of command: hydra -L <USER> -P <Password> <IP Address> http-post-form “<Login Page>:<Request Body>:<Error Message>”

hydra -L usernames.txt -P passwords.txt 192.168.2.62 http-post-form “/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login Failed”

After running the command we were able to brute force the user information from the website.