Penetration Testing mailing list archives
Re: THC-Hydra web form attack
From: pentest () eternalrealm net
Date: Thu, 22 May 2008 00:42:31 +0200
On Tue, 20 May 2008, Application Tester wrote:
> How to do a web form attack from command line hydra. I have a webmail
> (/webmail/src/login.php) to crack passwords as part of my PT. I have tried
> the following but failed.
>
> hydra -l username -P dictionary.txt -o output.txt -t 4 mydomainname.com http-post-form -m /webmail/src/login.php
>
> Hydra (http://www.thc.org) starting at 2008-05-20 11:53:41
> [DATA] 4 tasks, 1 servers, 213560 login tries (l:1/p:213560), ~53390 tries per task
> [DATA] attacking service http-post-form on port 80
> select: Bad file descriptor

Hi,

you need to specify into which parameters of login.php hydra should insert the username and passwords. If you take a look at the README file distributed with hydra you'll notice that the http-post-form module parametrization uses the following syntax:

    <url>:<form parameters>:<failure string>

Within the form parameters the keywords "^USER^" and "^PASS^" are used to mark the positions where the username and passwords you supplied will be inserted.

Assuming that the parameters of your login.php script are named "username" and "password" and the response to a failed login contains the string "failure" you could use a parametrization like

    hydra -l username -P dictionary.txt -o output.txt -t 4 mydomainname.com http-post-form "/webmail/src/login.php:username=^USER^&password=^PASS^:failure"

Take a look at the README and the source code of the http-form-post module (hydra-http-form.c) for further information.

Furthermore there is a patch available for this hydra module which is supposed to fix a bug concerning calls of free(). Refer to the description of the hydra-http-form-patch at http://packetstorm.linuxsecurity.com/groups/thc/indexdate.html

Patch link: http://packetstorm.linuxsecurity.com/groups/thc/hydra-http-form.patch

tic
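
Added example, not part of the original message and not hydra's code: a simplified Python model of the `<url>:<form parameters>:<failure string>` option that shows why the option in the question is rejected and how a verdict based only on the failure string treats other pages. The function names, the URL-encoding step, the assumption that an absent failure string means success, and the sample response bodies are all constructed for illustration.

```python
# Added example: a simplified model of the http-post-form option, not hydra's code.
from urllib.parse import quote_plus

# Constructed sample response bodies (not captured from any real server).
SAMPLES = {
    "bad password": "<p>Login failure: unknown user or password</p>",
    "good password": "<p>Welcome to your inbox</p>",
    "lockout page": "<p>Too many attempts, try again later</p>",
}


def parse_form_option(option):
    """Split '<url>:<form parameters>:<failure string>' and check both markers."""
    parts = option.split(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected <url>:<form parameters>:<failure string>")
    url, params, failure = parts
    missing = [m for m in ("^USER^", "^PASS^") if m not in params]
    if missing:
        raise ValueError("form parameters lack " + " and ".join(missing))
    return url, params, failure


def build_body(params, user, password):
    """Fill the marked positions; URL-encoding is this example's own choice."""
    return (params.replace("^USER^", quote_plus(user))
                  .replace("^PASS^", quote_plus(password)))


def looks_successful(body, failure):
    """Assumed model: success is inferred only from the failure string being absent."""
    return failure not in body


def classify_samples(failure):
    """Apply the failure-string check to every constructed sample body."""
    return {name: looks_successful(body, failure) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    opt = "/webmail/src/login.php:username=^USER^&password=^PASS^:failure"
    url, params, failure = parse_form_option(opt)
    print(url, build_body(params, "username", "secret"))
    print(classify_samples(failure))  # the lockout page is reported as a success
    try:
        parse_form_option("/webmail/src/login.php")  # option from the question
    except ValueError as err:
        print("rejected:", err)
```

Because the lockout page lacks the failure string, it is classified the same way as a valid login, so a reported hit during an authorised test should be confirmed manually before it goes into the findings.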