Hydra – Brute Force HTTP(S)

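This article explains how to use the Hydra tool to brute force HTTP and HTTPS services. It walks through the steps in detail, including collecting the target website's login page, request body and error message, and building the Hydra command to brute force user information.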


In this tutorial, I will be demonstrating how to brute force authentication on HTTP and HTTPS services.

Basic Hydra usage – HTTP
hydra -l <USER> -p <Password> <IP Address> http-post-form "<Login Page>:<Request Body>:<Error Message>"

Options
-l  Single Username
-L Username list
-p Password
-P Password list
-t Limit concurrent connections
-V Verbose output
-f Stop on correct login
-s Port

Hydra HTTP

Brute forcing authentication using Hydra on a web service requires more research than any of the other services. We will need three main things from the website: the login page, the request body, and the error message.

Website Login Page
Let’s start with the main login page, where we can see the Username and Password fields.

Inspect Elements
Now that we can see the website we need to inspect the page. Right click on the page and select “inspect element” from the drop-down menu.

Website Headers
Now that we are in the “inspect elements” section we need to get into the headers area.
Select the Network tab and then attempt to log in (this will fail to log in). After the login fails, click on the POST method and then click on “Edit and Resend.”

Information Gathering
In this view, we need to focus on four things: the hostname/IP, the login page, the request body, and the error message.

Command Build
With all the information that we have collected, let’s now build the hydra command.
Replace <Login Page> with the path of the login page; this value has to start with "/" (a forward slash).
Replace <Request Body> with the request body in the format from the page. We do need to modify the username and password: replace the failed username with ^USER^ and the failed password with ^PASS^. This change allows hydra to substitute the values.
Replace <Error Message> with the failed login error message.
Replace <IP Address> with either an IP address or a hostname.
Replace <USER> with either a username or a username list.
Replace <Password> with either a password or a password list.

Layout of command: hydra -L <USER> -P <Password> <IP Address> http-post-form "<Login Page>:<Request Body>:<Error Message>"

hydra -L usernames.txt -P passwords.txt 192.168.2.62 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login Failed"

After running the command we were able to brute force the user information from the website.
