One of the most commonly used password wordlists is rockyou.txt, which contains over 14 million unique passwords collected from leaked online databases of passwords and usernames, sorted by how common they are.
As for our usernames wordlist, we will utilize the following wordlist from SecLists:
Username/Password Attack
To perform a brute force attack against a web service, Hydra requires at least 3 specific flags if the credentials are in one single list:
Credentials
Target Host
Target Path
We can use the -L flag for the usernames wordlist and the -P flag for the passwords wordlist.
Tip: We will add the -u flag so that it tries all users on each password, instead of trying all 14 million passwords on one user before moving on to the next.
The above will take a lot of time.
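From the defending side, the two attempt orders described in the tip leave different traces in authentication logs. The following added example (not from the original page; the log tuple layout, thresholds and function name are assumptions, and the sample events are constructed) labels each source by attempt order and shows which accounts a per-account lockout alone would have caught:

```python
from collections import defaultdict

# Constructed sample: (seconds, source_ip, username) for each failed login.
# Field layout is an assumption; adapt the tuple to your own auth log format.
FAILED_LOGINS = [
    # 10.0.0.5 cycles through users on each guess (the "-u" ordering)
    (0, "10.0.0.5", "admin"), (1, "10.0.0.5", "alice"), (2, "10.0.0.5", "bob"),
    (3, "10.0.0.5", "admin"), (4, "10.0.0.5", "alice"), (5, "10.0.0.5", "bob"),
    # 10.0.0.9 exhausts guesses on one user before moving on
    (0, "10.0.0.9", "admin"), (1, "10.0.0.9", "admin"), (2, "10.0.0.9", "admin"),
    (3, "10.0.0.9", "admin"), (4, "10.0.0.9", "alice"), (5, "10.0.0.9", "alice"),
    # 10.0.0.7 is one user mistyping a password twice
    (0, "10.0.0.7", "carol"), (9, "10.0.0.7", "carol"),
]

def classify_sources(events, min_failures=5, lockout_threshold=3):
    """Label each source IP by the order in which its failed logins hit accounts."""
    by_source = defaultdict(list)
    for ts, src, user in sorted(events):
        by_source[src].append(user)

    report = {}
    for src, users in by_source.items():
        if len(users) < min_failures:
            report[src] = {"pattern": "below-threshold", "would_lock": []}
            continue
        # Share of consecutive attempts where the target account changes.
        switches = sum(a != b for a, b in zip(users, users[1:]))
        switch_rate = switches / (len(users) - 1)
        per_user = defaultdict(int)
        for u in users:
            per_user[u] += 1
        report[src] = {
            "pattern": "user-loop" if switch_rate > 0.5 else "password-loop",
            "distinct_users": len(per_user),
            # Accounts a per-account lockout alone would have caught.
            "would_lock": sorted(u for u, n in per_user.items() if n >= lockout_threshold),
        }
    return report

if __name__ == "__main__":
    for src, info in sorted(classify_sources(FAILED_LOGINS).items()):
        print(src, info)
```

A source labelled user-loop with an empty would_lock list is the case that per-account lockout misses, so failures should be counted per source as well as per account.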
Username Bruteforce
If we already know the password, we can use the -p flag to specify it: