Hydra http-post brute force for success

  • I'm having an issue with my syntax to brute force my own account on a server for testing and reporting purposes to protect the rest of the community at hand.

    hydra -l username -P /root/Desktop/Test.txt url.zz.za http-post-form "/portal/xlogin/:ed=^USER^&pw=^PASS^:F=Invalid"

    I have used "FireForce" plugin for Firefox with a successful result in getting the password from a +-20 or so word list on my Desktop. I however now would like to move to a large wordlist but I am having issues doing this. I have attached screenshots of my Hydra code, my Intercept code as well as my results for a successful login and a failed login. Can someone examine this and provide feedback on this issue?

    *Notice: In FireForce where my failed message should be I have to re-reference the URL to the login page in order to pick it up as a failed attempt. It seems that the page redirects itself if it has passed the brute force test. Details on my username/password can be provided personally if need be.

    It seems the form that I'm using has unlimited retries and never times out or blocks my requests when using Fireforce or manual testing.

    Successful Attempt

    Hydra Results with Password in file

  • Soprono

    Soprono Correct answer

    6 years ago

    I monitored the responses that Hydra was sending over the network with Wireshark and my syntax was working to begin with. The only issue is that the page even when successfully accessed with the username and password stayed on the same page (302 Redirect for a correct combo) I had then edited my success string to look for "302" rather than "log out" or something the user would see. This means my final answer for this issues is as follows:

    hydra -l username -P /root/Desktop/Test.txt url.zz.za http-post-form "/portal/xlogin/:ed=^USER^&pw=^PASS^:S=302"

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM

Tags used