hydra brute force http-post-form

i know with hydra HTTP post form to success u have to insert error message when the password is wrong.

but in my case, i don’t have an error message, i have a redirection to page if error ..

how to solve the problem ?

login: /admins/

success: /admins/index.php

error: /my_account

this is the scenario …. how to solve my problem ?

Why does THC Hydra and Medusa give false positives when used on TP-Link Netcam?

I am a university student who is doing a final year project on IoT device security within an isolated network.

One of the tests I carried out was brute forcing, I already knew what the username and password was for a factory resetted IP Netcam but wanted to see how it would work in practice and if it even worked on IoT devices.

The commands I used for both tools is as follows:

Medusa -h “IP address” -u “default login” -P Desktop/rockyou.txt -n 80 -M http

Hydra -l “default login” -P Desktop/rockyou.txt -e ns -f -V “Ip address” http-get

Hydra did seem to work fine on other devices and would attempt to go through the entire list. But for this TP-Link Netcam it seemed that both tools would just go partially through the lists and sometimes give multiple false positives within the few attempts made.

While I do not have access to these devices anymore to continue testing, I would atleast like to know if it was something I entered wrong? Or if the device has something that could potentially stop this?

Any insight would be greatly appreciated, thank you for your time.

Medusa / THC Hydra on multiple instances

Is it possible to distribute the login tries in THC Hydra / Medusa in multiple computers?

For example

hydra -l root -x 6:6:A1 ssh 

That equals to 2176782336 login tries, how can I distribute this job in several computers to make it faster?

Any possible code reference or topic related to this kind of procedure? Thanks in advance

Hydra Brute-force attack on Gitlab doesn’t work!

I’m using hydra to test my organization’s security since our GitLab is accessible online, I wanted to make sure the security of the login itself before implementing other types of security measure (e.g. hiding the subdomain, or .htaccess or Recaptcha)

here’s what I’m facing exactly:

the domain is: git.website.com

the URL after it, as a default of GitLab is: /users/sign_in

so if you even type git.website.com it redirects to git.website.com/users/sign_in

my THC Hydra command is :

hydra -l root -P /Users/john/Desktop/realhuman_phill.txt git.website.com http-post-form "/users/sign_in:utf8=%E2%9C%93&authenticity_token=MaxhReOTOWuQz5UjUR4YZ295k%2FGsPiQ2O8UUQE4RHgqhPMsqMP3gPMLfqukhZQJyVyMVgDFlp26sxvE5O1f0XA%3D%3D&user%5Blogin%5D=^USER^&user%5Bpassword%5D=^PASS^&user%5Bremember_me%5D=0:F=Invalid Login or Password." -vv 

I’m using Burpsuite for capturing the request and this is what’s shown:

POST /users/sign_in HTTP/1.1 Host: git.website.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://git.website.com/users/sign_in Content-Type: application/x-www-form-urlencoded Content-Length: 211 Origin: https://git.website.com DNT: 1 Connection: close Cookie: _gitlab_session=fb399cff612eecda0c4a75770700e655 Upgrade-Insecure-Requests: 1  utf8=%E2%9C%93&authenticity_token=%2F4y5%2BI62o%2Fi7nfnnwVsdAwCbMhpXqtOW1tnqrLziGyRvHBOXXdh6r%2BmNxi2xIAcWOMG0a8rxUM5B2g%2FVyaTxcg%3D%3D&user%5Blogin%5D=TESTING&user%5Bpassword%5D=TESTING&user%5Bremember_me%5D=0 

gitlab request, POST data

So when I’m trying to send these parameters to hydra it always returns one of these 2 scenarios:

  1. if I type this command, it just prints the manual:


hydra -l root -P /Users/john/Desktop/realhuman_phill.txt git.website.com http-post-form "/users/sign_in:utf8=%E2%9C%93&authenticity_token=MaxhReOTOWuQz5UjUR4YZ295k%2FGsPiQ2O8UUQE4RHgqhPMsqMP3gPMLfqukhZQJyVyMVgDFlp26sxvE5O1f0XA%3D%3D&user%5Blogin%5D=TESTING&user%5Bpassword%5D=TESTING&user%5Bremember_me%5D=0:F=Invalid Login or password." -vv 


Hydra v9.1-dev (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).  Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-24 13:20:01 Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]  Options:   -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE   -p PASS  or -P FILE  try password PASS, or load several passwords from FILE   -C FILE   colon separated "login:pass" format, instead of -L/-P options   -M FILE   list of servers to attack, one entry per line, ':' to specify port   -t TASKS  run TASKS number of connects in parallel per target (default: 16)   -U        service module usage details   -m OPT    options specific for a module, see -U output for information   -h        more command line options (COMPLETE HELP)   server    the target: DNS, IP or (this OR the -M option)   service   the service to crack (see below for supported protocols)   OPT       some service modules support additional input (-U for module help)  Supported services: adam6500 asterisk cisco cisco-enable cvs ftp http-{head|get|post} http-{get|post}-form http-proxy http-proxy-urlenum icq imap irc ldap2 ldap3[s] mssql mysql(v4) nntp pcanywhere pcnfs pop3 redis rexec rlogin rpcap rsh rtsp s7-300 smb smtp smtp-enum snmp socks5 teamspeak telnet vmauthd vnc xmpp  Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL v3.0. The newest version is always available at; https://github.com/vanhauser-thc/thc-hydra Please don't use in military or secret service organizations, or for illegal purposes. (This is a wish and non-binding - most such people do not care about laws and ethics anyway - and tell themselves they are one of the good ones.)  Example:  hydra -l user -P passlist.txt 

which means hydra is not even processing my command, so something is wrong

  1. when i trim down the command, remove UTF8, authenticity_token & rememeber_me in post request and also change the way i write the domain.module.module-options following hydra guidelines:


hydra -l root -P /Users/john/Desktop/realhuman_phill.txt http-post-form://git.website.com:login=^USER^&password=^PASS^:F=Invalid Login or password. -vv 


hydra -l root -P /Users/john/Desktop/realhuman_phill.txt http-post-form://git.website.com:login=^USER^&password=^PASS^:F=Invalid Login or password. -vv [1] 75788 Hydra v9.1-dev (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).  Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-24 13:24:46 [WARNING] You must supply the web page as an additional option or via -m, default path set to / [ERROR] the variables argument needs at least the strings ^USER^, ^PASS^, ^USER64^ or ^PASS64^: (null) [1]    exit 255   hydra -l root -P /Users/john/Desktop/realhuman_phill.txt  Login incorrect login:  

P.S 1: I need to mention that I have thoroughly searched and didn’t get a solution, most videos and guidelines test it on single IP without extra URLs (e.g. /users/sign_in) so they have been practically useless.

P.S 2: git.website.com is obviously fake so if you need a real example to test let me know

I would really appreciate it if you could guide me and correct me where I’m wrong.

I’m having problems with Hydra cracking

I’ve tried hydra to crack one of my friends’ web

my line is – hydra -l ” -P /usr/share/wordlists/rockyou.txt.gz zskostomlatypm.cz http-post-form “/admin:passwd=^PASS^

the thing is, i don’t know if it’s working because the site only has password form, no username

another point is it doesnt output any error mesage

the web is http://zskostomlatypm.cz/

Hydra http-post-form when there are two forms on the page

I am trying to brute force the login creditials on the following website

<!doctype html> <html>     <head>         <title>Admin Login -- Cody's First Blog</title>     </head>     <body>         <h1>Admin Login</h1>         <form method="POST">     Username: <input type="text" name="username"><br>     Password: <input type="password" name="password"><br>     <input type="submit" value="Log In"><br>     <span style="color: red;">Incorrect username or password</span></form>         <br>         <br>         <hr>         <h3>Comments</h3>         <!--<a href="?page=admin.auth.inc">Admin login</a>-->         <h4>Add comment:</h4>         <form method="POST">             <textarea rows="4" cols="60" name="body"></textarea><br>             <input type="submit" value="Submit">         </form>     </body> </html> 

I have been running the hydra command

hydra **domain** http-post-form /**subdomain**/?page=admin.auth.inc:username=^USER^:password=^PASS^:F='Incorrect username or password' -L ~/Documents/SecLists/Usernames/top-usernames-shortlist.txt -P ~/Documents/SecLists/Passwords/darkweb2017-top100.txt -t 30 -w 30 -o ~/Desktop/hydra-http-post-attack.txt 

I get the output

hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-12-30 16:01:39 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore [DATA] max 30 tasks per 1 server, overall 30 tasks, 1683 login tries (l:17/p:99), ~57 tries per task [DATA] attacking http-post-form://**domain**:80/**subdomain**/?page=admin.auth.inc:username=^USER^:password=^PASS^:Incorrect username or password [STATUS] 30.00 tries/min, 30 tries in 00:01h, 1653 to do in 00:56h, 30 active [STATUS] 10.00 tries/min, 30 tries in 00:03h, 1653 to do in 02:46h, 30 active [STATUS] 4.29 tries/min, 30 tries in 00:07h, 1653 to do in 06:26h, 30 active [STATUS] 2.00 tries/min, 30 tries in 00:15h, 1653 to do in 13:47h, 30 active [STATUS] 0.97 tries/min, 30 tries in 00:31h, 1653 to do in 28:29h, 30 active [STATUS] 0.64 tries/min, 30 tries in 00:47h, 1653 to do in 43:10h, 30 active [STATUS] 0.48 tries/min, 30 tries in 01:03h, 1653 to do in 57:52h, 30 active [STATUS] 0.38 tries/min, 30 tries in 01:19h, 1653 to do in 72:33h, 30 active [STATUS] 0.32 tries/min, 30 tries in 01:35h, 1653 to do in 87:15h, 30 active [STATUS] 0.27 tries/min, 30 tries in 01:51h, 1653 to do in 101:57h, 30 active [STATUS] 0.24 tries/min, 30 tries in 02:07h, 1653 to do in 116:38h, 30 active [STATUS] 0.21 tries/min, 30 tries in 02:23h, 1653 to do in 131:20h, 30 active [STATUS] 0.19 tries/min, 30 tries in 02:39h, 1653 to do in 146:01h, 30 active [STATUS] 0.17 tries/min, 30 tries in 02:55h, 1653 to do in 160:43h, 30 active [STATUS] 0.16 tries/min, 30 tries in 03:11h, 1653 to do in 175:25h, 30 active [STATUS] 0.14 tries/min, 30 tries in 03:27h, 1653 to do in 190:06h, 30 active [STATUS] 0.13 tries/min, 30 tries in 03:43h, 1653 to do in 204:48h, 30 active [STATUS] 0.13 tries/min, 30 tries in 03:59h, 1653 to do in 219:29h, 30 active [STATUS] 0.12 tries/min, 30 tries in 04:15h, 1653 to do in 234:11h, 30 active [STATUS] 0.11 tries/min, 30 tries in 04:31h, 1653 to do in 248:53h, 30 active [STATUS] 0.10 tries/min, 30 tries in 04:47h, 1653 to do in 263:34h, 30 active 

Any idea whats going wrong? It seems none of the threads are being resolved.

Hydra HTTP Form Post with parameters containing a colon “:”

I’m trying to brute force login on my domain using THC Hydra v9.1-dev. It is using an ASP.net form and some of the required post body parameters contain a colon : in them which is the separator used by Hydra. An example parameter: _ctl0:PlaceHolder:LoginName:txtLoginUsername=^USER^.

This makes hydra think that I have _ctl0 as the first part and Placeholder as the error message.

I tried:

  • URL encoding them, e.g this becomes: _ctl0%3APlaceHolder%3ALoginName%3AtxtLoginUsername=^USER^
  • replacing : with a \:
  • placing the parameter in quotation marks ""

but none of them worked and I can’t seem to find a way to change the separator.

Any help is much appreciated!

False Hydra in Call of Cthulhu

I would like to run False Hydra but in Call of Cthulhu. The climate fits perfectly and the story can be adjusted to the system without a problem, but I have one concern – Is there a Lovecraftian creature which is anyhow similar or at least some spells in the rulebook that can cause False Hydra effects, or should I just homebrew this creature? From what I know the False Hydra is not canon in D&D as well, but I would like to know if there is anything similar in CoC.

How would giving Hydra a Breath Weapon affect game balance and CR?

I wanted to spice up a fight I’m planning for my party by giving a Hydra a Breath Weapon, I’m flexible on the specifics but the change would effectively be described as such


Multiattack. The hydra makes as many bite or breath attacks as it has heads, but only one attack per head.

Frost Breath (Recharge 5–6). The hydra exhales an icy blast in a 30-foot cone. Each creature in that area must make a DC 12 Constitution saving throw, taking 12 (4d6) cold damage on a failed save, or half as much damage on a successful one.

I took the breath weapon statistics from the Young White Dragon, but I significantly lowered the DC and damage dice to accommodate for the Hydra being able to use it multiple times during a turn.

I am open to suggestions to make this more balanced, but as is, how would this modification effect the Hydra’s CR?

Would every head of a Hydra be effected by the dragon’s breath spell? dnd 5e

I’m a dm setting up a oneshot and I have an idea to spice up combat a bit by giving a hydra a breath weapon, and so far the lest homebrew option I’ve thought of is to have an enemy spellcaster cast dragon’s breath on it. However a Hydra is stated to start out with 5 heads so does this mean every head could use the breath weapon as one action?

I can only think of two possible solutions that give different answers, but both seem equally viable.

  1. The spell specifically says “spew magical energy from its mouth, provided it has one” since the hydra has five mouths, it can spew from every mouth.
  2. The Hydra stat block says “Multiattack: The hydra makes as many bite attacks as it has heads.” Since dragons breath is not a bite attack (and according to Jeremy Crawford, not even an “attack”) It would only be able to use it once, despite it’s number of heads.

The best amalgamation I can think of would be that any head can use it’s breath weapon, but the creature can only do it once and then can’t spend it’s action using it’s multi-attack. However but this sounds ridiculously under-powered as it essentially means 4 heads miss a turn. Would allowing every head to use dragon breath as a result of this spell be to over-powered? Are the attack actions on the hydra stat block irrelevant in this case because dragon’s breath is not an attack?

TL:DR (Main Question) Dragon’s Breath spell on a Hydra, how would that work?

(Sub-question: Could each different head have a different damage type?)