http-post-form
Hydra’s http-post-form service is specifically designed to target login forms. It enables the automation of POST requests, dynamically inserting username and password combinations into the request body. By leveraging Hydra’s capabilities, attackers can efficiently test numerous credential combinations against a login form, potentially uncovering valid logins.
hydra [options] target http-post-form "path:params:condition_string"Understanding the Condition String
In Hydra’s http-post-form module, success and failure conditions are crucial for properly identifying valid and invalid login attempts. Hydra primarily relies on failure conditions (F=...) to determine when a login attempt has failed, but you can also specify a success condition (S=...) to indicate when a login is successful.
The failure condition (F=...) is used to check for a specific string in the server’s response that signals a failed login attempt. This is the most common approach because many websites return an error message (like “Invalid username or password”) when the login fails. For example, if a login form returns the message “Invalid credentials” on a failed attempt, you can configure Hydra like this:
Code: bash
hydra ... http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid credentials"In this case, Hydra will check each response for the string “Invalid credentials.” If it finds this phrase, it will mark the login attempt as a failure and move on to the next username/password pair. This approach is commonly used because failure messages are usually easy to identify.
you can configure Hydra to look for that success condition using S=. Here’s an example where a successful login results in a 302 redirect:
hydra ... http-post-form "/login:user=^USER^&pass=^PASS^:S=302"hydra ... http-post-form "/login:user=^USER^&pass=^PASS^:S=Dashboard"Browser Developer Tools
And Web Proxy
Constructing the params String for Hydra
After analyzing the login form’s structure and behavior, it’s time to build the params string, a critical component of Hydra’s http-post-form attack module. This string encapsulates the data that will be sent to the server with each login attempt, mimicking a legitimate form submission.
The params string consists of key-value pairs, similar to how data is encoded in a POST request. Each pair represents a field in the login form, with its corresponding value.
Form Parameters: These are the essential fields that hold the username and password. Hydra will dynamically replace placeholders (^USER^and^PASS^) within these parameters with values from your wordlists.Additional Fields: If the form includes other hidden fields or tokens (e.g., CSRF tokens), they must also be included in theparamsstring. These can have static values or dynamic placeholders if their values change with each request.Success Condition: This defines the criteria Hydra will use to identify a successful login. It can be an HTTP status code (likeS=302for a redirect) or the presence or absence of specific text in the server’s response (e.g.,F=Invalid credentialsorS=Welcome).