
Thread: Hydra or Medusa, want to learn either.


  1. #1
    Just burned his ISO
    Join Date
    Nov 2008
    Posts
    7

    Hydra or Medusa, want to learn either.

    I know there is much discussion on which is better. I have no take.

    I want to learn one of them, whichever is better. I have heard Medusa is faster, but I don't know.

    I am having issues with the syntax of both programs for web forms (http-post).

    I really would rather learn, so please walk my newb brain through the steps.

    I want to try SABnzbdplus and phpmyadmin. Once I am successful with SAB, I'll move on to phpmyadmin.

    Using the source of SABnzbdplus, I see that ma_username and ma_password are the fields I'm looking for.
    Code:
    <form action="/sabnzbd/" method="POST">
        Username: <input type="text" name="ma_username" /><br />
        Password: <input type="password" name="ma_password" /><br />
        <input value="Login" type="submit" />
    Unfortunately I am missing something.
    Code:
    hydra -l Test -P ~/Desktop/n_names.txt -f -s 8080 -t 2 -V 163.6.71.13 http-post-form "sabnzbd/:ma_username=^USER^&ma_password=^PASS^"

  2. #2
    Good friend of the forums williamc
    Join Date
    Feb 2010
    Location
    Chico CA
    Posts
    285


    I've had similar problems with those tools. I'd recommend trying bruter. It will fill in the fields automatically.
    http://www.darknet.org.uk/2008/01/br...-forcing-tool/

    William

  3. #3
    Just burned his ISO
    Join Date
    May 2009
    Posts
    3


    The correct syntax for hydra is

    <url>:<form parameters>:<failure string>

    Something like this:
    "login.php:ma_username=^USER^&ma_password=^PASS^:failure"

    Here is a comparison of the features, although it is a bit old now:
    hxxp://.foofus.net/jmk/medusa/medusa-compare.html

  4. #4
    Just burned his ISO
    Join Date
    Nov 2008
    Posts
    7


    I get the URL and the form parameters, at least I think I do, but where can I find the failure string?

  5. #5
    Junior Member
    Join Date
    Apr 2009
    Posts
    33


    I don't know either product, but a failure string is simply plain text only shown on the page when it fails. For example, if you fill out the form and it always says "password failed", you could use that (DON'T use text that's shown on the page when the password works).

    I have a basic form testing script that uses cURL to submit, then checks the response HTML. If the response HTML has the string, it tries the next user/pass, or exits and echoes the user/pass. I assume it's the same logic.
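
Added example, not part of the thread or any poster's code: the defender's view of the kind of run discussed above, as a check over the web server's access log for one source repeatedly POSTing to the login form's action path. It assumes a common-log-format log and that the form answers a wrong password with an ordinary 200 page (which is why the tool needs a failure string), so the log shows volume rather than failures; the sample lines, IP addresses, function names, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def sample_log():
    """Constructed sample: one source posting the form every second, one user logging in twice."""
    fmt = '{ip} - - [12/Mar/2010:10:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" 200 1843'
    lines = [fmt.format(ip="198.51.100.7", m=0, s=s, req="POST /sabnzbd/") for s in range(8)]
    lines += [fmt.format(ip="203.0.113.20", m=m, s=0, req="POST /sabnzbd/") for m in (1, 9)]
    lines.append(fmt.format(ip="203.0.113.20", m=9, s=5, req="GET /sabnzbd/queue"))
    return "\n".join(lines)

def parse(line):
    """Return (ip, timestamp, method, path) for a log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, _status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path

def flag_guessing(log_text, login_path="/sabnzbd/", threshold=5,
                  window=timedelta(seconds=60)):
    """Map each source IP to its peak count of login POSTs inside any one window,
    keeping only sources whose peak reaches the threshold."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3].split("?")[0] == login_path:
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = best = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(flag_guessing(sample_log()))
```

Because every response is a 200 under that assumption, the status code alone cannot separate a wrong guess from a login, so the rate of POSTs per source is the usable signal.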
