Author Topic: hydra false positives - password crack doesnt work  (Read 2334 times)


Offline zoup

hydra false positives - password crack doesnt work
« on: September 10, 2014, 06:43:54 pm »
Hi, I am trying to learn with Hydra (version 7.6) on the CLI in Kali Linux (latest version).
I use this online test site for trying it out:
http://testasp.vulnweb.com

I registered as user opera and tried to crack my password.
It doesn't work. Before that I tried Hydra on my router too. Nothing.

The problem is that I get false positives. The password is the last
in the list and Hydra tells me for every password in the list that
it is the right one, which it is not.

This is the command I use:

hydra -vV -l opera -P testwordlist -o found -t5 87.230.29.167 http-post-form "/Login.asp?RetURL=/Default.asp?:tfUName=^USER^&tfUPass=^PASS^:Invalid login"

I tried it with a higher response wait time but still get the false positive results.

What am I missing?
 :o



 

Offline Kulverstukas

Re: hydra false positives - password crack doesnt work
« Reply #1 on: September 10, 2014, 07:07:20 pm »
I haven't used Hydra that much; I recommend looking into Medusa. For both, when cracking online passwords, you need to tell the cracker what the output of a correct and an incorrect login looks like if they spit out HTML or some shit. I don't think it's needed for standard HTTP auth forms though.

Offline zoup

Re: hydra false positives - password crack doesnt work
« Reply #2 on: September 11, 2014, 03:53:47 pm »
I read some tutorials and the help for the http-post-form module and it says that the third argument is the response for a
BAD input. But I think Hydra can't recognize this for some reason. I could use S= or F= too, and I tried, but I had the same result.
Maybe someone knows an answer, but nevertheless I will try Medusa now too.

Offline proxx

Re: hydra false positives - password crack doesnt work
« Reply #3 on: September 11, 2014, 09:05:13 pm »
> I read some tutorials and the help for the http-post-form module and it says that the third argument is the response for a
> BAD input. But I think Hydra can't recognize this for some reason. I could use S= or F= too, and I tried, but I had the same result.
> Maybe someone knows an answer, but nevertheless I will try Medusa now too.

Run it through Burp, you will be able to see and control exactly what is going on.
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline zoup

Re: hydra false positives - password crack doesnt work
« Reply #4 on: September 12, 2014, 06:44:54 pm »
Thank you proxx for this good tip. I set Burp Suite as proxy and ran the command again. 404 error. So I changed the
IP to the DNS name and it worked.

hydra -w50 -l opera -P testwordlist -o found -t5 testasp.vulnweb.com http-post-form "/Login.asp?RetURL=/Default.asp?:tfUName=^USER^&tfUPass=^PASS^:Invalid login"

Still a beginner  :o
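Why the IP-based run reported every password as found, as an added example that is not part of the original posts and is not Hydra's own code. It assumes the 404 came from name-based virtual hosting (a request addressed to the bare IP matches no site), so the failure string never appears in the response; the simulated server, the credential and the wordlist are constructed.

```python
# Added illustration: all names and sample data are constructed.
FAIL_MARKER = "Invalid login"        # third field of the http-post-form argument
VHOSTS = {"testasp.vulnweb.com"}     # names the simulated server answers for


def serve(host_header, user, password):
    """Simulated name-based virtual host; returns (status, body)."""
    if host_header not in VHOSTS:
        # Addressed by IP: no site matches, so no login page is rendered at all.
        return 404, "<h1>Not Found</h1>"
    if (user, password) == ("opera", "correct-horse"):  # constructed credential
        return 302, "Object moved"
    return 200, "<p>Invalid login</p>"


def reported_valid(body, fail_marker=FAIL_MARKER):
    """Failure-string logic: a guess counts as valid when the marker is absent."""
    return fail_marker not in body


def run(host_header, wordlist):
    """Passwords a failure-string matcher would report for this Host value."""
    return [pw for pw in wordlist
            if reported_valid(serve(host_header, "opera", pw)[1])]


def marker_is_usable(host_header):
    """Sanity check: a deliberately wrong password must produce the marker."""
    status, body = serve(host_header, "opera", "definitely-wrong")
    return status == 200 and FAIL_MARKER in body


WORDLIST = ["123456", "letmein", "correct-horse"]  # constructed, real one last

if __name__ == "__main__":
    for host in ("87.230.29.167", "testasp.vulnweb.com"):
        print(host, "marker usable:", marker_is_usable(host),
              "reported:", run(host, WORDLIST))
```

The same baseline check applies to any failure-string match: if a known-wrong login does not return the marker, every result from that run is meaningless.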

Offline proxx

Re: hydra false positives - password crack doesnt work
« Reply #5 on: September 12, 2014, 11:33:07 pm »
> Thank you proxx for this good tip. I set Burp Suite as proxy and ran the command again. 404 error. So I changed the
> IP to the DNS name and it worked.
>
> hydra -w50 -l opera -P testwordlist -o found -t5 testasp.vulnweb.com http-post-form "/Login.asp?RetURL=/Default.asp?:tfUName=^USER^&tfUPass=^PASS^:Invalid login"
>
> Still a beginner  :o

That has to feel good, to have figured shit out yourself :)
Pointers are no problem at all, I am a beginner in many fields, also a noob at times.
People like yourself that want/can are the kinda ppl that seek and find a home here on EZ.
« Last Edit: September 12, 2014, 11:33:49 pm by proxx »