Hydra Brute force attack with Burpsuite

Hydra is a very fast online password cracking tool using brute force, which can perform rapid dictionary attacks against more than 50 Protocols, including Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases and much more. THC (The Hackers Choice) created Hydra for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.

When using hydra for HTTP login, their are some very important things to look for before starting any brute force attack. Is the website using cookies, does the website have any PHP session ID’s? Does the login page do a GET or POST on the web server?

For this tutorial I will explain using cookies.. This way it will cover all basic. In case if you don't need cookies then also you can use same method.


I will be using DVWA for demo and it is also suggested to use your lab for testing, before moving to real time applications. 

Login to DVWA (admin/password) --> Brute Force 

Enter any random username and password, it will give you error.. (right username and password are admin/password).

Burp Suite

Start burp suite

Got to Proxy --> Intercept, Turn intercept off.

Goto Proxy --> HTTP History 

Configure Mozila for burp suite

To configure mozila

Mozila Preference --> Network configuration --> Proxy

Capture Data

Now proxy is configured login again in DVWA and you will see entry in burp suite dashbaord.Click on entry which have URL /vulnerability/brute.....

Here you can see we have Cookies in header, we will use those cookies. 

Setup Hydra

Now we need to setup hydra for attack. To setup we will need attack string which have

  • request type ( In this case it is GET request, check in burpsuite)
  • URL (In this case it is /vulnerability/brute/)
  • Attack Parameter (In this case it will be username and password)
  • Verification String (This is used to identify wrong attempt, in our case it will be incorrect , you can get it by false login)
  • Header (session/cookies) (from Burp suite)

Command for Hydra is 

hydra -L <User List> -P <Password List> <Server IP> <Attack String>

You can use -L for user list or -l in case of single user.

With about command reference, command for this attack will be

hydra -l admin -P usr/share/john/password.lst <attack string>

For attack string

  • request type : http-get-form
  • URL : /vulnerability/brute/
  • Attack Parameter : username=^USER^&password=^PASS^&Login=Login
  • Verification String : incorrect
  • Header : -H cookies: PHPSSSID: ...........................; security:high

So our final command will be

hydra -l admin -P /usr/share/john/password.lst http-post-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:incorrect:H=Cookies: PHPSSID:alskdjffjdklsl234432; security=high;"

Make sure to put ':' and 'H=' at right place.

Here is attached video for detailed explanation.