Results 1 to 5 of 5

Thread: Hydra password login Ajax not work

Hybrid View

  1. #1
    Just burned their ISO
    Join Date
    Sep 2012
    Posts
    3

    Post Hydra password login Ajax not work

    I use BackTrack 5R3 and Hydra 7.3

    I've tried to use hydra to find the password on my D-Link DIR-600.
    With the command
    Code:
    hydra -l admin -P /root/crack/all.lst -e s -t 5 -w 16 -f -s -v 192.168.200.250 http-get /
    OWASP Mantra makes me see this header when i have the correct login

    http://192.168.200.250/session.cgi

    POST /session.cgi HTTP/1.1
    Host: 192.168.200.250
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Referer: http://192.168.200.250/
    Content-Length: 75
    Cookie: uid=YX43vSWS1j
    Pragma: no-cache
    Cache-Control: no-cache
    REPORT_METHOD=xml&ACTION=login_plaintext&USER=admi n&PASSWD=lia1302&CAPTCHA=
    HTTP/1.1 200 OK
    Server: Linux, HTTP/1.1, DIR-600 Ver 2.11
    Date: Fri, 31 Dec 1999 17:34:34 GMT
    Transfer-Encoding: chunked
    Content-Type: text/xml
    How do I see if I find the hydra password?
    I also tried this comand:
    Code:
    hydra -v -l admin -P /root/crack/all.lst -e s -t 5 -f -m /session.cgi 192.168.200.250 http-get
    response with "[WARNING] Unusual return code: 5 for admin:....."

    I have to use another program for this type of login page?

    Thanks.

  2. #2
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default Re: Hydra password login Ajax not work

    Well the first problem is that you are lacking some basic knowledge upon which to carryout such an attack. This is obvious because you're telling hydra to do a http-get but the Mantra traffic you quoted shows an HTTP POST. Thanks for sharing your username and password though

    1) Try learning how web forms and HTTP work, etc.
    2) Try searching the forums for "hydra", you're not the first person to try this without the necessary basics.
    Last edited by thorin; 10-01-2012 at 07:46 AM.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  3. #3
    Just burned their ISO
    Join Date
    Sep 2012
    Posts
    3

    Default Re: Hydra password login Ajax not work

    Hi Thorin,
    I searched but could not find a case similar to mine.
    I asked you because I do not know these things, I also tried with http-get-post, I just tried this command:

    hydra -l admin -P /root/crack/all.lst -f 192.168.200.250 http-post-form "/index.php:loginusr=^USER^&loginpwd=^PASS^&Login=#: User Name or Password is incorrect."

    and results is:

    Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

    Hydra (http://www.thc.org/thc-hydra) starting at 2012-10-03 23:58:03
    [DATA] 16 tasks, 1 server, 3917162 login tries (l:1/p:3917162), ~244822 tries per task
    [DATA] attacking service http-post-form on port 80
    [80][www-form] host: 192.168.200.250 login: admin password: emil2999
    [STATUS] attack finished for 192.168.200.250 (valid pair found)
    1 of 1 target successfuly completed, 1 valid password found
    Hydra (http://www.thc.org/thc-hydra) finished at 2012-10-03 23:58:07


    the good password is other!

    If you can help me thank you, before you ask I have tried, I'm Italian and I do not understand English very well and a lot of information in my language there are unfortunately.

  4. #4
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default Re: Hydra password login Ajax not work

    As was already stated, you need to learn how HTML forms, HTTP Authentication, and HTTP itself work before you're going to be able to do this.

    1) Is index.php the actual component that does the authentication?
    2) Are loginusr, loginpwd, and Login the actual field/control names used by your particular device's interface? (Why are you passing a login error message as the value for Login?)
    etc.

    Since it's your router, if you don't know the password, why not simply walk across the room and do a hard reset to defaults?
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  5. #5
    Just burned their ISO
    Join Date
    Sep 2012
    Posts
    3

    Default Re: Hydra password login Ajax not work

    A bit 'of years ago authentications were simpler, I left the php version 4 and since then I plan more. I know that index.php is the login page that I could not find the <form action = ".....
    Ajax unfortunately do not know him at all!

    The concept of hydra is now clear, are the variables that I pass that risco not understand.
    Hydra is the test, if the login fails, keep looking ....
    So it should be something like:
    hydra -l admin -P /root/crack/all.lst -s 80 -f 192.168.200.250 http-post-form "/index.php:loginusr=^USER^&loginpwd=^PASS^:noGAC=Us er Name or Password is incorrect."

    results is not correct:
    DATA] 16 tasks, 1 server, 3917162 login tries (l:1/p:3917162), ~244822 tries per task
    [DATA] attacking service http-post-form on port 80
    [80][www-form] host: 192.168.200.250 login: admin password: emy2999
    [STATUS] attack finished for 192.168.200.250 (valid pair found)
    1 of 1 target successfuly completed, 1 valid password found
    Hydra (http://www.thc.org/thc-hydra) finished at 2012-10-04 23:40:25

Similar Threads

  1. Hydra brute force on login.php
    By arozarbt in forum BackTrack 5 General Topics
    Replies: 2
    Last Post: 02-09-2013, 10:48 PM
  2. Replies: 1
    Last Post: 03-22-2011, 03:49 PM
  3. speed of hydra login cracker
    By y4&hd33p in forum Beginners Forum
    Replies: 1
    Last Post: 03-08-2011, 05:10 AM
  4. login: root password: toor won't work on clean install
    By cybersmurf in forum Beginners Forum
    Replies: 2
    Last Post: 02-08-2010, 03:04 PM
  5. telnet password with hydra
    By ammadeyy in forum OLD Newbie Area
    Replies: 3
    Last Post: 10-30-2009, 05:44 PM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •