Hi everyone,

I'm just trying to learn a bit about HTTP authentication, testing it on my router at home, for which I know the password.

I have done a lot of reading, spending my limited time on HTTP authentication and the usage of Hydra, but I am just stuck.

The problem is Hydra keeps saying all passwords from my created list are correct.

I use the typical command for HTTP-post:

hydra -l admin http-post-form "/login.lp:user=^USER^&password=^PASS^:The username or password you've entered is incorrect. Please check and try again." -P /pentest/passwords/crunch/netvigatorrouterpass -vV -o hydraattack.txt -t 1

I attach the HTTP code at the end so you can be sure I used the right names for PASS & USER.

This command keeps reporting that every password in the file is correct. I have narrowed it down to two possible problems:

a) some error with the "bad password" code, but this is so straightforward I doubt this can be the problem.
b) the authentication seems to be done through a cookie (the web page sets a cookie named xAuth_SESSION_ID) and there is a function being called in the HTTP that seems to use it. Could this be the reason? How do I deal with this cookie/function to get things right?

I would appreciate suggestions, solutions, further reading or any tutorials that might be around. I have looked for a long time but can't find any.



LOGIN page HTTP code

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Home Gateway - Login</title>
<link rel="stylesheet" type="text/css" href="/styles.css">
<body height="100%" style="margin:0px;">
<h1>THOMSON - Home Gateway</h1>
<h4>To view the Web interface of your device, JavaScript must be supported and enabled on your browser! <br><br>Please enable scripting and refresh your browser.</h4>

<script type="text/javascript">
// Sets the `disabled` property of the controls in theForm.elements to 1.
// Browsers leave disabled controls out of a form submission, so whatever is
// disabled here is not sent with the request.
// NOTE(review): the function braces, the loop's closing brace and the condition
// that the inner comment refers to are not present in this listing; as shown,
// every element is disabled, hidden ones included. Confirm against the page
// served by the device.
function disable_fields(theForm)
var len = theForm.elements.length;
for (var i = 0; i < len; i++) {
// Don't disable "hidden" fields
theForm.elements[i].disabled = 1;

// Writes langCode into the first control of the document.langSelect form.
// NOTE(review): the function braces are missing from this listing and the
// langSelect form itself is not shown, so what happens to the value afterwards
// cannot be told from here.
function setLanguage(langCode)
document.langSelect.elements[0].value = langCode;

/*
 * Key handler helper: returns false when the current window.event reports
 * key code 13 (Enter) and true in every other case, including when
 * window.event is not set.
 */
function noenter()
{
  var evt = window.event;
  if (evt && evt.keyCode == 13) {
    return false;
  }
  return true;
}

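// Lowercase hexadecimal digits, indexed by nibble value.
var hex_chr = "0123456789abcdef";

/*
 * Convert a 32-bit number to a string of 8 hex digits, least-significant
 * byte first: each of the four bytes is emitted as high nibble, low nibble.
 *
 * num     - integer; only its low 32 bits are used.
 * returns - 8-character lowercase hex string.
 */
function rhex(num)
{
  // Locals are declared with var so the function does not leak `str` and `j`
  // as implicit globals (and does not throw in strict mode).
  var str = "";
  for (var j = 0; j <= 3; j++) {
    str += hex_chr.charAt((num >> (j * 8 + 4)) & 0x0F) +
           hex_chr.charAt((num >> (j * 8)) & 0x0F);
  }
  return str;
}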

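/*
 * Convert a string to a sequence of 16-word blocks, stored as an array.
 * Append padding bits and the length, as described in the MD5 standard.
 *
 * str     - input string; one character is packed per byte position.
 * returns - array of nblk * 16 numbers (32-bit words, little-endian packing).
 *
 * Note: charCodeAt() values above 0xFF overlap the neighbouring byte
 * positions when shifted in, so input outside the 8-bit range is not hashed
 * as its UTF-8 encoding. Only the low length word is written, which is
 * enough for the short strings hashed on this page.
 */
function str2blks_MD5(str)
{
  // Declared locally so `nblk`, `blks` and `i` do not become implicit globals.
  var nblk = ((str.length + 8) >> 6) + 1;
  var blks = new Array(nblk * 16);
  var i;
  for (i = 0; i < nblk * 16; i++) {
    blks[i] = 0;
  }
  for (i = 0; i < str.length; i++) {
    blks[i >> 2] |= str.charCodeAt(i) << ((i % 4) * 8);
  }
  // i now equals str.length: place the 0x80 padding byte right after the data.
  blks[i >> 2] |= 0x80 << ((i % 4) * 8);
  // Message length in bits goes into the second-to-last word.
  blks[nblk * 16 - 2] = str.length * 8;
  return blks;
}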

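/*
 * Add integers, wrapping at 2^32. This uses 16-bit operations internally
 * to work around bugs in some JS interpreters.
 *
 * x, y    - integers treated as 32-bit values.
 * returns - the sum as a signed 32-bit integer.
 */
function add(x, y)
{
  var lsw = (x & 0xFFFF) + (y & 0xFFFF);
  // Carry out of the low half is folded into the high half.
  var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
  return (msw << 16) | (lsw & 0xFFFF);
}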

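/*
 * Bitwise rotate a 32-bit number to the left.
 *
 * num     - value to rotate (treated as 32 bits).
 * cnt     - number of bit positions to rotate by.
 * returns - the rotated value as a signed 32-bit integer.
 */
function rol(num, cnt)
{
  // The unsigned shift (>>>) brings the bits that fell off the top back in
  // at the bottom without sign extension.
  return (num << cnt) | (num >>> (32 - cnt));
}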

// Inputs to the digest computed in submitAuthentication().
// Realm string hashed into HA1 together with the user name and password.
var realm = "Home Gateway";
// Challenge value embedded in this copy of the page.
// NOTE(review): the space inside the value looks like a line-wrap artifact of
// the paste; presumably the device issues a fresh value per page load — confirm.
var nonce = "3582308:809191:292abca9b586846f450b1c8ed1e6a4 64";
// Quality-of-protection label included in the final hash.
var qop = "auth";
// URI hashed into HA2.
var uri = "/login.lp";

// Computes the login response in the browser and stores it in the hidden
// `hidepw` field, instead of posting the typed password.
// The computation has the shape of HTTP Digest (RFC 2617, qop=auth):
//   HA1      = MD5(user ":" realm ":" password)
//   HA2      = MD5("GET" ":" uri)
//   response = MD5(HA1 ":" nonce ":" "00000001" ":" "xyz" ":" qop ":" HA2)
// Security notes:
//  - The password input is disabled before the hash is stored. Browsers do
//    not submit disabled controls, so the request carries `hidepw` and no
//    cleartext `password` field.
//  - The counter ("00000001") and client nonce ("xyz") are constants, so the
//    client contributes no freshness; replay protection rests on the page's
//    nonce alone.
//  - MD5 is fast to compute; the response hides the password from casual
//    view but is not a substitute for serving the login page over TLS.
//  - HA2 hard-codes "GET" although the form on this page uses method="post".
// NOTE(review): MD5() is not defined in this listing, the function braces are
// missing, and the code that triggers the form submission is not shown.
function submitAuthentication()
var user = document.getElementById("user").value;
var pwd = document.getElementById("password").value;
// Disabled so the cleartext password is not part of the submitted form.
document.getElementById("password").disabled = true;
var HA1 = MD5(user + ":" + realm + ":" + pwd);
var HA2 = MD5("GET" + ":" + uri);
document.getElementById("hidepw").value = MD5(HA1 + ":" + nonce +
":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);

<form method="post" action="login.lp" name="authform" id="authform">
<input type="hidden" name="rn" value="-1961196096">
<input type="hidden" name="hidepw" id="hidepw" value=""/>

