How To

Cracking Online Web Form Passwords Using Hydra & Burp Suite

Welcome back guys. Today we will see how we can perform a brte-force attack on online web forms using Hydra.

Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills, we only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to you.

With that said lets get right into the topic.

1) Open THC-Hydra

To get started, fire up the Kali and open THC-Hydra from Applications -> Kali Linux -> Password Attacks -> Online Attacks -> hydra.

Get those Web Form Parameters

To hack a web form usernames and passwords, we should determine the parameters of web form login page and also how the form responds to failed/bad logins. These are the  key parameters we must identify:

  • IP Address of the website
  • type of form
  • URL of website
  • field containing the username
  • field containing the password
  • failure or error message

We can identify each of these using a proxy such as Tamper Data or Burp Suite.

Use Burp Suite

We can just any proxy to do the job, including Tamper the Data but in this post we will be using Burp Suite. You can open Burp Suite from Applications -> Kali Linux -> Web Applications -> Web Application Proxies -> burpsuite. Something like the one below appears

Now, we will try  to crack the password on the Damn Vulnerable Web Application (DVWA). You can run it from Metasploitable operating system (that is available at Rapid7) and then connecting to its login page, just as I did here.

We need to enable the Intercept and Proxy on the Burp Suite. Make sure to select the Proxy tab at the top and then select Intercept on the second row of tabs. Make sure that the “Intercept is on.”

Last, we need to configure our IceWeasel (web browser )to use a proxy. We do it by going to  Edit -> Preferences -> Advanced -> Network -> Settings to open the Connection Settings, just as seen below. There, configure the IceWeasel to use and port 8080 as a proxy by entering in in the HTTP Proxy field, 8080 in the Port field and delete any further information in the No Proxy for field provided at the bottom. Also, click on “Use this proxy server for all protocols” button.

Get Bad Login Response

Now, let’s try to log in with my sample username and password. When I do so, the BurpSuite intercepts the request and shows me the key fields we need for a THC-Hydra web form crack.

After reading this information, I then forward the request from Burp Suite by selecting the “Forward” button to the far left . The DVWA returns a message that says “Login failed.” Now, we have all the information we need to configure THC-Hydra and crack this web app!

Getting the failure message is key to getting THC-Hydra to work on web forms. In this case, it is a text-based message, but it won’t always be. At times it may be a cookie, but the critical part is finding out how the application communicates a failed login. In this way, we can tell THC-Hydra to keep trying different passwords; only when that message does not appear, have we succeeded.


Place the Parameters into THC Hydra Command

Since we now have the parameters, we can place them into THC-Hydra command. The required syntax looks like this:

kali > hydra -L <username list> -p <password list> <IP Address> <form parameters><failed login message>

So, based on the information we have gathered from Burp Suite, our command should look something like this:

kali >hydra -L <wordlist> -P<password list> http-post-form “/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed”

After the address of the login form (/dvwa/login.php), the next field is the name of the field that takes the username. In our case, it is “username,” but on some forms it might be something different, such as “login.”

Now, let’s put together a command that will crack this web form login.

Next, we need to chose a wordlist. As with any other dictionary attack, the wordlist is key here. You can use a custom one made with Crunch of CeWL, but Kali already has numerous wordlists that are built right in. To see them all, simply type:

kali > locate wordlist

In addition, there are numerous online sites with wordlists that can be up to 100 GB! Choose wisely, my hacker novitiates. In this case, I will be using a built-in wordlist with less than 1,000 words at:


Now, let’s build our command with all of these elements, as seen below.

To Top

Pin It on Pinterest

Share This