How to brute force http forms in windows

This will give you an idea on how to brute force http forms with THC-Hydra
This is a continuation from How to brute force your router so if you haven’t read it check it out !!!

Watch the video for a live example. Video best viewed in full screen mode

IMPORTANT: This is for educational purposes only, dont go around attacking sites, thats how you get into trouble
In this example I will be brute forcing an admin account on this site which has been setup just for this (the user has already been deleted).
The url I will be using in this example is which “was” the path to the Joomla admin login page.

A couple of things that need to be identified:

  • Postback page
  • Post Parameters
  • Failed attempt unique text


Post back page

This is normally the same page as the login but not always so. So just view the source code of the page and find the form with a method=”post”. The action value is the page which the values will be “posted” to.

This is the section from the administrator login page for Joomla:

As you can see the page to post to is “index.php”


Post Parameters

These can be found by viewing the source code of the login page. All tags within the form will be posted.

The post name will be the “name” attribute of the tag. The value will be the “value” attribute if it has one defined.

Alternativly you can use firefox with the Tamper Data extension which works great.

Failed attempt unique text

This is text that is found on the webpage when a login attempt fails. This text must be exclusive to a failed login attempt.


Putting it all together:

The site:

The post back page:


The postback values are:

usrname=(user input)

pass=(user input)


which have been extracted from the page source:

Now if we try to login into the admin page we get a javascript popup which says “Incorrect Username, Password ……”

“Incorrect Username” sounds like text that would not show up, had it been a successful login so we will use this.

Let’s combine it all into hydra:

hydra -l {username} -P {password list path} -s {port} -f {Site Address} http-post-form

“{Path to postback page}:{USERNAME_NAME}=^USER^&{PASSWORD_NAME}=^PASS^:{failed login text}”

My command looks like:

hydra -l hydra -P password.lst -s 80 -f http-post-form “/administrator/index.php:usrname=^USER^&pass=^PASS^&submit=Login:Incorrect Username”


Command break down:
hydra –> The hydra program
-l –> (lower case “L” not to be confused with a upper case i) single username to target. Use uppercase -L to specify a username list) i have setup the “hydra” account for this demo and has already been deleted
-P –> Provide path to password lis. -p to try a single password ie “passw0rd”
-s –> Port to target default port for http is 80
-f –> Exits the program after the first match is made

{Site Address} I.E Do not include http://
http-post-form –> service to brute force. Hydra README has the command as http-form-post       using that will give you an error
{Path to postback page} everything after the site address must start with “/”
{USERNAME_NAME} –> the name of the username postback variable
^USER^ –> this will be replaced with the username specified by -l or -L username list
^PASS^ –> this will be replaced with the password from the defined list
{Failed login text} –> text that will only be found in a failed login
note* ensure quotes are from after http-post-form ” TO END OF COMMAND

You will get an output line with username and password if you are successful.
Watch the video for a live example.
This attack is only as good as your dictionary .
Next how to brute force web forms, make sure to come back and check it out!!

IMPORTANT: This is for educational purposes only, don’t go around attacking sites, thats how you get into trouble

20 thoughts on “How to brute force http forms in windows

  1. Unfortunately, this does not work on all versions of Joomla, because the Admin logon page includes a random token that gets updated with every request, and there is no mechanism to specify this in Hydra.


    “/administrator/index.php:username=^USER^&passwd=^PASS^&lang=&option=com_login&task=login&cec21c04bff97e66ecc0068f5cb4507d=1:do not match”

    The token “cec21c04bff97e66ecc0068f5cb4507d” needs to change with every request. While hydra can get a new cookie if required, there is no mechanism to tell it to get new form values/parameters on each submission.


  2. Why is this listed as a “brute force” attack if you need a dictionary file?

    Also, “max25″ above, you neglect to mention that the “uniqpass” password file mentioned on that site is not FREE! That scam site (which is getting plugged in the comments of every single hydra post) is asking for $4 to get a copy of that file. Fuck them.

      • Brute Force is an appropiate title. This is a Dictionary Attack which is a subcategory or method of a Brute Force Attack, so the title is general but appropiate for this situation.

    • Hi John, it makes no difference what the page type is (php,asp,aspx,html) you can follow the above along substituting in whatever page path you like.

  3. if the the field submit not have a name, what can i do? its safe?
    Please reply me, i study for prevent attacks

      • Thanks for the answer, but if I don´t include the submit name don´t work, I always get succes password and not is true.


        Path to postback page

        Correct data
        name: admin
        password: 12345

        Always get succes in this case although the password is false.

        Thank you very much for you time.

  4. (form action=”index.php” method=”post”)
    (input name=”name” type=”text”)
    (input name=”password” type=”password”)
    (input name=”submit” type=”submit” value=”send”)

    • I´m sorry, this
      (form action=”index.php” method=”post”)
      (input name=”name” type=”text”)
      (input name=”password” type=”password”)
      (input type=”submit” value=”send”)

  5. Hi, your tutorial was very helpful to me, but i still got two questions googling aint helping about.

    Is there a chance to use the hydra if the “{failed login text}” is replied in JavaScript?

    If there is no string in HTML or so, but a response using JS? Seems to be a lot more difficult


    How can i tell the hydra, that the difference between a successful and a failed login is a cookie? I think i have to use the :c= option instead of “{failed login text}”, but i am not sure how to use it properly.


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>