Friday 8 January 2016

mutillidae brute force login

Brute Force Web Login using Hydra

OS used: Kali Linux
Tools used: hydra / Burp Suite
Web app: Mutillidae



Here is the command used in full:
hydra -l admin -P /root/Desktop/work/mutillidae/mutilldae-passwords 192.168.0.9  http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"


Let's break it down:

hydra > this is the name of the brute force program
-l admin > this tells the program to use the single username admin (this was gained via enumeration earlier)
-P /root/Desktop/work/mutillidae/mutilldae-passwords > this is the path to the password file used
192.168.0.9 > this is the host address (IP) of the server
http-post-form > this is the type of form we are attacking (a login form submitted with an HTTP POST)
"/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In" > this is the form specification, made up of three colon-separated parts

"/mutillidae/index.php?page=login.php > this is the path of the login page; the opening " begins the form specification

To work out the remainder of the command, consider the following.

The parameters below were taken from Burp Suite and are the body of the POST request the browser sends to the server when you attempt to log in. We pass these parameters to hydra to complete the command before attacking the login page. Hence the command continues with:
:username=^USER^&password=^PASS^&login-php-submit-button=Login
(^USER^ and ^PASS^ are the placeholders hydra replaces with each username and password it tries.) There is still one more piece of information we need, which is:
:Not Logged In"
The closing " ends the specification. "Not Logged In" is the text the page shows when a user is not logged in; it is what you see when you visit the login page without logging in, as shown below, and hydra looks for this string in the response to recognise a failed attempt.


Remember that these parameters will differ depending on the application being tested.
The command

hydra -l admin -P /root/Desktop/work/mutillidae/mutilldae-passwords 192.168.0.9  http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"

is now complete and we begin our attack
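From the defender's side, this attack leaves an obvious trace: the web server's access log fills with POSTs to the login page from one source in quick succession. The script below is an added example, not part of the original post; it assumes Apache/nginx combined log format and uses constructed sample lines to flag any source that exceeds a threshold of login POSTs inside a time window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format prefix: host ident user [time] "method path proto"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) ')
LOGIN_PATH = "/mutillidae/index.php?page=login.php"  # the login page targeted in the hydra command

# Constructed sample: one source firing 12 POSTs at the login page within seconds, one normal user.
SAMPLE_LOG = [
    '192.168.0.20 - - [08/Jan/2016:10:15:%02d +0000] "POST %s HTTP/1.1" 200 4312' % (s, LOGIN_PATH)
    for s in range(12)
] + [
    '192.168.0.30 - - [08/Jan/2016:10:15:03 +0000] "GET %s HTTP/1.1" 200 4312' % LOGIN_PATH,
    '192.168.0.30 - - [08/Jan/2016:10:15:09 +0000] "POST %s HTTP/1.1" 302 0' % LOGIN_PATH,
]

def login_post_times(lines):
    """Group the timestamps of POSTs to the login page by source IP; unparsable lines are skipped."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and m.group("path") == LOGIN_PATH:
            per_ip[m.group("ip")].append(datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"))
    return per_ip

def max_in_window(times, window_seconds):
    """Largest number of events inside any interval of window_seconds (sorted two-pointer sweep)."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {ip: peak_attempts} for sources that reach threshold login POSTs inside one window."""
    flagged = {}
    for ip, times in login_post_times(lines).items():
        peak = max_in_window(times, window_seconds)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    print(flag_bruteforce(SAMPLE_LOG))  # {'192.168.0.20': 12}
```

The threshold and window are assumptions to tune per application; the same check can be fed from a tailed log to drive rate limiting or account lockout alerts.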