Bruteforcing passwords

Hydra bruteforcing

Hydra "parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add !" .

HTTP POST login forms

The basic format, assuming an POST-based login form consists of a username, a password, the login request with the username/password values replaced respectively by ^USER^ and PASS^ and the error message given when the login process fails, like so :

hydra -l [username] -p [password] "http-post-form:[login request]"
hydra -l [username] -P [password wordlist] "http-post-form:[login request]"
hydra -L [username wordlist] -p [password] "http-post-form:[login request]"

A practical example would look like this ;

SMB