Some differences between online and off-line password cracking Use this for legitimate testing purposes only. This tool should not be used to attack websites or services where you do not have permission to do so.
This attack is not limited to websites, and I would argue that it is more suited for gaining login access to software products that have a web UI, for example in penetration tests. I have had a great deal of success with hydra, so here I describe how to get Hydra working with web-based form logins. Often, web-based login forms authenticate using the HTTP POST method, but judging from several blogs I have read on this subject, it sounds like some people have great difficulty in getting Hydra to work effectively in this situation. (Hydra is to online-cracking of passwords, what John The Ripper is to offline-cracking of password hashes) Hydra can be used to attack many different services including IMAP, SMB, HTTP, VNC, MS-SQL MySQL, SMTP, SSH, and many more.
