How does Hydra use password lists?

SkillsPro, Dec 20, 2025

Great question! Hydra uses password lists through a process called a Brute-Force Dictionary Attack. Here is how it works step-by-step:

1. The Combination Logic

When you provide a username list (-L) and a password list (-P), Hydra performs a "Cartesian product" of the two files.

For every single username in your first file, Hydra will try every single password in your second file.

  • Username File: admin, user
  • Password File: 123456, password, qwerty
  • Resulting Attempts:
    1. admin + 123456
    2. admin + password
    3. admin + qwerty
    4. user + 123456
    5. ... and so on.

2. Identifying Success vs. Failure

Hydra doesn't inherently "know" if a password is correct. You have to tell it what a failed login looks like. In your command, you used:
":username=^USER^&password=^PASS^:Invalid username or password"

  • ^USER^ and ^PASS^: These are placeholders. Hydra replaces ^USER^ with a name from your username list and ^PASS^ with a word from your password list.
  • Condition: Hydra sends the data to the server and checks the response. If the server's response contains the string "Invalid username or password", Hydra knows the attempt failed and moves to the next combination. If that string is not found, Hydra assumes it found a match!

3. Efficiency and Speed

Hydra is powerful because it is multi-threaded. It doesn't just try one combination at a time and wait; it can start multiple "tasks" (usually 16 by default) to test many combinations simultaneously. This is why it can go through your 500-worst-passwords.txt file in just a few seconds.

In short: Hydra acts like a high-speed robot that automatically fills out the login form over and over again until it finds a combination that doesn't trigger an error message!
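From the server's side, the combination logic and the parallel tasks described in the answer show up as a burst of failed logins from one source against several accounts, followed by a success if a match is found. The following added example (not part of the original answer, and not Hydra's code) counts the attempts the -L/-P Cartesian product produces and runs a simple spray detector over constructed login-audit lines in a hypothetical "<time> <ip> <user> <FAIL|OK>" format.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import product

# Constructed example lists matching the answer above (not real credentials).
USERNAMES = ["admin", "user"]
PASSWORDS = ["123456", "password", "qwerty"]

def attempt_count(usernames, passwords):
    """Hydra's -L/-P combination logic: every username paired with every password."""
    return sum(1 for _ in product(usernames, passwords))

# Constructed login-audit lines (hypothetical format): "<ISO time> <source IP> <username> <FAIL|OK>".
# The first burst is what many parallel tasks look like from the server side.
SAMPLE_LOG = """\
2025-12-20T10:00:01 203.0.113.5 admin FAIL
2025-12-20T10:00:01 203.0.113.5 admin FAIL
2025-12-20T10:00:02 203.0.113.5 admin FAIL
2025-12-20T10:00:02 203.0.113.5 user FAIL
2025-12-20T10:00:03 203.0.113.5 user FAIL
2025-12-20T10:00:03 203.0.113.5 user OK
2025-12-20T10:00:05 198.51.100.7 alice FAIL
2025-12-20T10:00:40 198.51.100.7 alice OK
"""

def parse(log_text):
    """Turn each audit line into (timestamp, ip, user, result)."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_spray(events, window=timedelta(seconds=10), min_failures=5, min_users=2):
    """Flag source IPs with >= min_failures failed logins against >= min_users accounts
    inside `window`. Returns {ip: (failures, distinct_users, success_after_burst)}."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        fails = [(ts, user) for ts, user, r in rows if r == "FAIL"]
        for i, (start, _) in enumerate(fails):
            in_win = [u for ts, u in fails[i:] if ts - start <= window]
            if len(in_win) >= min_failures and len(set(in_win)) >= min_users:
                # A success right after the burst is the "no error string, so it's a match" case.
                success_after = any(r == "OK" and ts >= start for ts, _, r in rows)
                alerts[ip] = (len(in_win), len(set(in_win)), success_after)
                break
    return alerts
```

Rate limiting per source and per account, lockout after a few failures, and alerting on a failure burst that ends in a success are the controls this detector points at.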
