Getting the failure message is key to getting THC-Hydra to work on web forms. In this case, it is a text-based message, but it won't always be. At times it may be a cookie, but the critical part is finding out how the application communicates a failed login. In this way, we can tell THC-Hydra to keep trying different passwords; only when that message does not appear have we succeeded.

Step 5: Place the Parameters into Your THC Hydra Command

Now that we have the parameters, we can place them into the THC-Hydra command. So, based on the information we have gathered from Burp Suite, our command should look something like this:

192.168.1.101 http-post-form '/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed'

A few things to note. First, you use the upper case 'L' if you are using a username list and a lower case 'l' if you are trying to crack one username that you supply there. In this case, I will be using the lower case 'l' as I will only be trying to crack the 'admin' password.

After the address of the login form (/dvwa/login.php), the next field is the name of the field that takes the username. In our case, it is 'username,' but on some forms it might be something different, such as 'login.'
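
From the defender's side, the two modes described above (one supplied username versus a username list) leave different traces in an application's login records. The following is an added example, not part of the original tutorial: a sliding-window detector run over constructed login events. The event format, thresholds, IP addresses and function names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed thresholds; tune per site
MAX_FAILS_PER_USER = 5           # failures on one account within WINDOW
MAX_USERS_PER_SOURCE = 4         # distinct accounts failed by one source within WINDOW

def detect(events):
    """events: (iso_time, src_ip, username, ok) tuples sorted by time.
    Returns a set of alerts: ("single-user", username) or ("user-list", src_ip)."""
    fails_by_user = defaultdict(deque)  # username -> times of recent failures
    fails_by_src = defaultdict(deque)   # src_ip -> (time, username) of recent failures
    alerts = set()
    for iso_time, src, user, ok in events:
        if ok:
            continue
        now = datetime.fromisoformat(iso_time)
        uq, sq = fails_by_user[user], fails_by_src[src]
        uq.append(now)
        sq.append((now, user))
        while now - uq[0] > WINDOW:      # drop failures older than the window
            uq.popleft()
        while now - sq[0][0] > WINDOW:
            sq.popleft()
        if len(uq) > MAX_FAILS_PER_USER:
            alerts.add(("single-user", user))
        if len({u for _, u in sq}) > MAX_USERS_PER_SOURCE:
            alerts.add(("user-list", src))
    return alerts

def sample_events():
    """Constructed data: a one-account run, a username-list run, and a user typo."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).isoformat()
    ev = [(stamp(i), "192.168.1.50", "admin", False) for i in range(8)]
    names = ["alice", "bob", "carol", "dave", "erin"]
    ev += [(stamp(100 + i), "192.168.1.60", n, False) for i, n in enumerate(names)]
    ev += [(stamp(200), "192.168.1.70", "frank", False),
           (stamp(205), "192.168.1.70", "frank", True)]
    return ev

if __name__ == "__main__":
    for alert in sorted(detect(sample_events())):
        print(alert)
```

Keying one counter on the username and the other on the source means the single-account case is still flagged when the requests do not all come from one address.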