Web Cracking

2017-4-28 Hack Like a Pro: How to Crack Online Web Form Passwords with THC-Hydra & Burp Suite
ords with THC-Hydra & Burp Suite Null Byte

WONDERHOWTO GADGET HACKS NEXT REALITY INVISIVERSE DRIVERLESS NULL BYTE
FOLLOW US
HAC K L I K E A P R O
How to Crack Online Web Form Passwords with THC-Hydra &

Burp Suite
BY OCCUPYTHEWEB 05/12/2016 7:29 PM PASSWORD CRACKING
W elcome back, my hacker novitiates!
In an earlier tutorial, I had introduced you to two essential tools for cracking online passwordsTamper Data and THC-Hydra. In that guide, I
promised to follow up with another tutorial on how to use THC-Hydra against web forms, so here we go. Although you can use Tamper Data for
this purpose, I want to introduce you to another tool that is built into Kali, Burp Suite.
Step 1
Open THC-Hydra
So, let's get started. Fire up Kali and open THC-Hydra from Applications -> Kali Linux -> Password Attacks -> Online Attacks -> hydra.
Step 2
Get the Web Form Parameters

To be able to hack web form usernames and passwords, we need to determine the parameters of the web form login page as well as how the form
responds to bad/failed logins. The key parameters we must identify are the:
IP Address of the website
URLGADGET HACKS NEXT REALITY INVISIVERSE

WONDERHOWTO DRIVERLESS NULL BYTE
type of form
field containing the username FOLLOW US
field containing the password
failure message
We can identify each of these using a proxy such as Tamper Data or Burp Suite.
Step 3
https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-online-web-form-passwords-with-thc-hydra-burp-suite-0160643/ 1/21
2017-4-28 Hack Like a Pro: How to Crack Online Web Form Passwords with THC-Hydra & Burp Suite Null Byte
Using Burp Suite

Although we can use any proxy to do the job, including Tamper Data, in this post we will use Burp Suite. You can open Burp Suite by going to
Applications -> Kali Linux -> Web Applications -> Web Application Proxies -> burpsuite. When you do, you should see the opening screen like
below.
Next, we will be attempting to crack the password on the Damn Vulnerable Web Application (DVWA). You can run it from the Metasploitable
operating system (available at Rapid7) and then connecting to its login page, as I have here.
We need to enable the Proxy and Intercept on the Burp Suite like I have below. Make sure to click on the Proxy tab at the top and then Intercept on
the second row of tabs. Make certain that the "Intercept is on."
FOLLOW US
Last, we need to configure our IceWeasel web browser to use a proxy. We can go to Edit -> Preferences -> Advanced -> Network -> Settings to open
the Connection Settings, as seen below. There, configure IceWeasel to use 127.0.0.1 port 8080 as a proxy by typing in 127.0.0.1 in the HTTP Proxy
field, 8080 in the Port field and delete any information in the No Proxy for field at the bottom. Also, select the "Use this proxy server for all
protocols" button.
Step 4
Get the Bad Login Response

Now, let's try to log in with my username OTW and password OTW. When I do so, the BurpSuite intercepts the request and shows us the key fields
we need for a THC-Hydra web form crack.
After collecting
WONDERHOWTO GADGET HACKSthis information,
NEXT I then
REALITY INVISIVERSE forward
DRIVERLESS the request from Burp Suite by hitting the "Forward" button to the far left . The DVWA returns a
NULL BYTE
message that the "Login failed." Now, I have all the information I need to configure THC-Hydra to crack this web app!
FOLLOW US
Getting the failure message is key to getting THC-Hydra to work on web forms. In this case, it is a text-based message, but it won't always be. At
times it may be a cookie, but the critical part is finding out how the application communicates a failed login. In this way, we can tell THC-Hydra
to keep trying different passwords; only when that message does not appear, have we succeeded.
Step 5
Step 5
Place the Parameters into Your THC Hydra Command

Now, that we have the parameters, we can place them into the THC-Hydra command. The syntax looks like this:
kali > hydra -L <username list> -p <password list> <IP Address> <form parameters><failed login message>
So, based on the information we have gathered from Burp Suite, our command should look something like this:
kali >hydra -L <wordlist> -P<password list>

192.168.1.101 http-post-form "/dvwa/login.php:username=ÛSER^&password=^PASS^&Login=Login:Login failed"
A few things to note. First, you use the upper case "L" if you are using a username list and a lower case "l" if you are trying to crack one username
that you supply there. In this case, I will be using the lower case "l " as I will only be trying to crack the "admin" password.
After the address of the login form (/dvwa/login.php), the next field is the name of the field that takes the username. In our case, it is "username,"
but on some forms it might be something different, such as "login."
Now, let's put together a command that will crack this web form login.
Step 6
Choose a Wordlist
Now, we need to chose a wordlist. As with any dictionary attack, the wordlist is key. You can use a custom one made with Crunch of CeWL, but
Kali has numerous wordlists built right in. To see them all, simply type:
kali > locate wordlist
In addition, there are numerous online sites with wordlists that can be up to 100 GB! Choose wisely, my hacker novitiates. In this case, I will be
using a built-in wordlist with less than 1,000 words at:
/usr/share/dirb/wordlists/short.txt
Step 7 FOLLOW US
Build the Command
Now, let's build our command with all of these elements, as seen below.
kali > hydra -l admin -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form

"/dvwa/login.php:username=ÛSER^&password=^PASS^&Login=Login:Login failed" -V
-l indicates a single username (use -L for a username list)

-P indicates use the following password list
http-post-form indicates the type of form
/dvwa/login-php is the login page URL
username is the form field where the username is entered
ÛSER^ tells Hydra to use the username or list in the field
password is the form field where the password is entered (it may be passwd, pass, etc.)
^PASS^ tells Hydra to use the password list supplied
Login indicates to Hydra the login failed message
Login failed is the login failure message that the form returned
-V is for verbose output showing every attempt
Step 8
Let Her Fly!

Now, let her fly! Since we used the -V switch, THC-Hydra will show us every attempt.
After a few minutes, Hydra returns with the password for our web application. Success!
Final Thoughts
Although THC-Hydra is an effective and excellent tool for online password cracking, when using it in web forms, it takes a bit of practice. The key
to successfully using it in web forms is determining how the form responds differently to a failed login versus a successful login. In the example
above, we
WONDERHOWTO identified
GADGET HACKS NEXT the failed
REALITY login DRIVERLESS
INVISIVERSE message,NULL
but
BYTEwe could have identified the successful message and used that instead. To use the successful
message, we would replace the failed login message with "S=successful message" such as this:
FOLLOW US
"/dvwa/login.php:username=ÛSER^&password=^PASS^&S=success message" -V
Also, some web servers will notice many rapid failed attempts at logging in and lock you out. In this case, you will want to use the wait function
in THC-Hydra. This will add a wait between attempts so as not to trigger the lockout. You can use this functionality with the -w switch, so we
revise our command to wait 10 seconds between attempts by writing it:

"/dvwa/login.php:username=ÛSER^&password=^PASS^&Login=Login:Login failed" -w 10 -V
I recommend that you practice the use of THC-Hydra on forms where you know the username and password before using it out "in the wild."
Keep coming back, my hacker novitiates, as we continue to expand your repertoire of hacker techniques and arts!
Cover image via Shutterstock
Related
HACK LIKE A PRO HACK LIKE A PRO HACK LIKE A PRO HACK LIKE A PRO

How to Crack Online Passwords with How to Hack Web Apps, Part 1 (Getting How to Hack Web Apps, Part 4 (Hacking How to Hack Web Apps, Part 3 (Web-
Tamper Data & THC Hydra Started) Form Authentication with Burp Suite) Based Authentication)
100 Comments
FLOKI
2 YEARS AGO 3
Great tutorial! I was wondering if this makes alot of noise on the server, and if it does, is the wait function the best way to prevent it? I always run into getting locked
out, or ip banned! Any cool tricks you could share?
Thanks again OTW, for another great tutorial!
REPLY
MANWUZI
1 YEAR AGO 2
I think I might be kinda late. but you can use a proxychain that changes your ip frequently....
I think I might be kinda late. but you can use a proxychain that changes your ip frequently....
REPLY
SWEETCORN
1 YEAR AGO 1
How do I find the IP address? I don't see it anywhere in the burpsuite pics?
REPLY
OBUNTU CRACKS
11 MONTHS AGO 1
type: ping <targetwebsite.com> -c1
WONDERHOWTO GADGET HACKS NEXT REALITY INVISIVERSE DRIVERLESS NULL BYTE REPLY
TEO VIRGHI
1 YEAR AGO FOLLOW US 1

There are sites that doesn`t let you use burpsuit against them --> how can i bypass that , or if it is impossible can i use page source instead ????
REPLY
CRACKER|HACKER
2 YEARS AGO 1
I was right! It is -w!
REPLY
BUCKEROO BONZAI
2 YEARS AGO 1
Good article, but wouldn't it be more practical to use Burp Intruder since we are already going to be using it to intercept requests and responses. Also I have
encountered instances of hydra throwing false positives against POST forms as well as Telnet, any thoughts on this?
REPLY
URATTACKER!
2 YEARS AGO 1
burp is also used for killing iphone through a snapchat vulnerabilty
REPLY
WIZARD OT
2 YEARS AGO 1
Do you mean brute-forcing the account? Or as you describe "killing" the iPhone?
REPLY
BUCKEROO BONZAI
2 YEARS AGO 1
yeah URATTACKER i'm curious what do you mean by "Killing " iphone?
REPLY
URATTACKER!
2 YEARS AGO - EDITED 2 YEARS AGO 1
As DILL_ said "There is a vulnerability in the snapchat app for iphone that allows a hacker to perform a denial-of-service attack that can even crash the iphone. You
can use burp to exploit the vulnerability."_
REPLY
BUCKEROO BONZAI
2 YEARS AGO 1
OTW any thoughts on my statement from before?
REPLY
OCCUPYTHEWEB
2 YEARS AGO 1
Which statement?
REPLY
BUCKEROO BONZAI
https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-online-web-form-passwords-with-thc-hydra-burp-suite-0160643/
2
6/21
BUCKEROO BONZAI
No i was asking about Hydra throwing false positives for web forms and telnet? Does it occur frequently because i have faced instances where where hydra throws
like two or three valid user names and passwords for a web form or telnet and then when i put them in they are not valid.
OCCUPYTHEWEB
2 YEARS AGO
FOLLOW US
2
Buckeroo:
Yes, it sometimes throws false positives. With web forms, it is totally dependent upon the "failed login" message that you use. If it doesn't see that, it will give you
a false positive. In addition, if you slow it down with the -W switch, you will get fewer false positives.
OTW
REPLY
BUCKEROO BONZAI
2 YEARS AGO 1
Thanks! as usual great help. Gonna go check out your python articles.
REPLY
BUCKEROO BONZAI
2 YEARS AGO 1
One more thing as far as the failed login message is that from the response headers or am i just looking for what is displayed on the page after a failed attempt
HTML, Pop up, etc.?
REPLY
_URBZ_
1 YEAR AGO 1
Wondering the same
REPLY
DILL _
2 YEARS AGO 1
There is a vulnerability in the snapchat app for iphone that allows a hacker to perform a denial-of-service attack that can even crash the iphone. You can use burp to
exploit the vulnerability.
Yes you can use burp intruder to perform brute force attacks on usernames and passwords. Much like everything else there is more than one way to do just about
anything. OTW simply showed you one of them.
REPLY
CHRIS WHT
2 YEARS AGO 1
Hey, sorry beginner here, how do I get the proxy of the site through metasploit like I got the main page but not the login one.
REPLY
OCCUPYTHEWEB
2 YEARS AGO 1
I think you are asking how to get the login of "Metasploitable"? It's at the IP/dvwa/login.php.
REPLY
VARUN GOW
2 YEARS AGO 1
Hey, as always thanks a lot OTW for all the information. I just have 2 questions which if you could answer would be greatly appreciated.
1.THC-Hydra is a brute force, and I suppose it won't work on Gmail, Hotmail or in fact any such sites? If not what tools are there that will?
2.Android, an open sources mobile OS has already Kali and backtrack running right from the App store itself, only rooting is required. Can you do a tutorial on its uses
and limitations too?
Thank You
REPLY
FOLLOW US
BLACKCAT
2 YEARS AGO 1
last time i tried brute forcing gmail it blocked me like after 500 attemps, do you have a method to pass the block otw or know how`?
you dont think you have wrote a atricle about it, maybe you should?
REPLY
OCCUPYTHEWEB
2 YEARS AGO 1
Anytime you are trying to hack a site with a lock out, dictionary or brute forcing is the wrong tool for the job.
REPLY
OBUNTU CRACKS
11 MONTHS AGO 1
your really looking 4 trouble
REPLY
PINCHES ULEMSEH
2 MONTHS AGO 1
You should always give social engineering first priority b4 tryn brute force.. Ucan always use phising sites but the quiZ is how du u get the victim get lured by ur
trap... U need to spoof gmail maill. Lets say pretend ts an email from google telling them to modify password or sms spoof using the google numbers..
But if u can get physical access with the target pc , mayb u can do a dns spoof for a gmail or the target site.. N ur target will hardly know whats going on,,,, so my
advice is that brut force should always b last option... Remembered anybod can be phised ur just need to know their weakness and exploit them.. Coz there is no
patch fo human stupidity
REPLY
BLACKCAT
2 YEARS AGO 1
But my problem is that i know that my victims password is on 8 symbols and two of them is numbers. (no big letters)
so i generated a custom wordlist just for that spesific situation with crunch.
now i just need to know the combination. But every website the victim are using has https and will proberly block me. How should i find out the combination then?
Isn't there a way to slow down the attack so the website not are blocking me? cuz i would have the time to wait a little longer than.
hacking small useless websites, that nobody have in mind to use anyway doesn't help me to crack the big sites.
I hope you have a solution
REPLY
OCCUPYTHEWEB
As the article says, you can use the -w switch to slow the attack. Hope that helps.
REPLY
TURKEY BRAWL
2 YEARS AGO 1
what would the ip address be when attacking DVWA on localhost. I greatly all the help you give on your channel
REPLY
WONDERHOWTO
OCCUPYTHEWEB
GADGET HACKS NEXT REALITY INVISIVERSE DRIVERLESS NULL BYTE
1
2 YEARS AGO
If DVWA is running on your Kali system, use 127.0.0.1. FOLLOW US

REPLY
TURKEY BRAWL
2 YEARS AGO 1
Thank you I got it to work
REPLY
STAFF_OF_AARON77
1 YEAR AGO - EDITED 1 YEAR AGO 1
Thanks great Tutorial

Thanks great Tutorial
REPLY
TURKEY BRAWL
2 YEARS AGO 1
i'm mostly having trouble when i set up the proxy for iceweasel and attempt to connect to DVWA from the localhost/DVWA it doesn't connect and therefore I can't
get the required responses for Burp Suite
REPLY
CHRIS WHT
1 YEAR AGO 1
Hey! I'm trying with a different website which has an http-post-form like this " /Login.aspx?ReturnUrl=%2f" but when I type in the command it says "Wrong syntax,
requires three arguments separated by a colon which may not be null: /Login.aspx?ReturnUrl=%2f" Idk what to do. Hope you can help.
REPLY
ROBERT ANTONOV
1 YEAR AGO 1
Hi CHRIS!
I have the some problem like you, maybe someone want to help us...
REPLY
CRACKER|HACKER
1 YEAR AGO 1
You need to add the variables into the form.
REPLY
HARSHA LULZSEC
1 YEAR AGO 1
tried several times but never successful.Anyone know how install Burp suite on windows 7? (everyone say install java 1st.WTF Done it years ago.)
REPLY
CRACKER|HACKER
1 YEAR AGO 1
Download it, extract it, run it. If it doesn't work on Java 8, try Java 7.
REPLY
HARSHA LULZSEC
FOLLOW US
Java 7 .after click on it nothing happen except opening cmd and closing once.
REPLY
BURNCT
1 YEAR AGO 1
Followed this tutorial to the T, but I'm still having issues. I keep getting "1 of 1 target successfully completed, 5 valid passwords found" (see below) when only ONE of
those passwords is actually the valid one. I'm trying this against a local Joomla 2.5 site on my home server.
80www-form host: 192.168.10.10 login: admin password: admin

80www-form host: 192.168.10.10 login: admin password: password2
80www-form host: 192.168.10.10 login: admin password: 12345
80www-form host: 192.168.10.10 login: admin password: password1
80www-form host: 192.168.10.10 login: admin password: password
I'm using the following command per the information found in Burp:
I'm using the following command per the information found in Burp:
hydra -l admin -P pass.txt 192.168.10.10 http-post-form

"/testsite/administrator/index.php:username=ÛSER^&passwd=^PASS^&lang=&option=com_login&task=login&return=aW5kZXgucGhw&9567f9b6921e51f0d45edb26177b2
612:Username and password do not match or you do not have an account yet." -W 10 -V
Any ideas?
REPLY
OCCUPYTHEWEB
1 YEAR AGO 1
The key is getting the "failed" message correct in the command
REPLY
BURNCT
1 YEAR AGO 1
"Username and password do not match or you do not have an account yet." is the failed message that pops up, though.
REPLY
OCCUPYTHEWEB
1 YEAR AGO 1
From my tutorial;
"Getting the failure message is key to getting THC-Hydra to work on web forms. In this case, it is a text-based message, but it won't always be. At times it may be a
cookie, but the critical part is finding out how the application communicates a failed login. In this way, we can tell THC-Hydra to keep trying different passwords;
only when that message does not appear, have we succeeded."
REPLY
BURNCT
1 YEAR AGO 1
So you're saying even if a text-based message pops up, it may not be the way a failed attempted is communicated? How would we indicate on the CLI if it's cookie
based then?
REPLY
WONDERHOWTO OCCUPYTHEWEB
GADGET HACKS NEXT REALITY
1 YEAR AGO
INVISIVERSE DRIVERLESS NULL BYTE
1
Burnct:
FOLLOW US
You are getting ahead of yourself. First, find out how the application communicates a failed attempt.
REPLY
BURNCT
1 YEAR AGO 1
Here's more information from the Burp's two interceptions during login. I'm not entirely sure how to find out in which way it "communicates" the failed attempt.
This seems pretty straight forward that it posts a message in plain text:
POST /testsite/administrator/index.php HTTP/1.1

Host: 192.168.10.101
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.10.101/testsite/administrator/
Cookie: PHPSESSID=59ivhamr6svumtpp18442evuk3; af5dc374e4af2e4345969e6b50136729=ucp00rfi9vpr11r436dr3idn36
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
GET /testsite/administrator/index.php HTTP/1.1

Host: 192.168.10.101
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.10.101/testsite/administrator/
Cookie: PHPSESSID=59ivhamr6svumtpp18442evuk3; af5dc374e4af2e4345969e6b50136729=ucp00rfi9vpr11r436dr3idn36
REPLY
BURNCT
1 YEAR AGO 1
LOL, I give up!
REPLY
PP
1 YEAR AGO 1
Have you figured this out? Did you try "Use a valid username and password to gain access to the administrator backend"?
REPLY
1
PP
1 YEAR AGO
FOLLOW US
I'm sort of struggling with this too. Did you try using "Use a valid username and password to gain access to the administrator backend"?
REPLY
_URBZ_
1 YEAR AGO 1
Where else other that the POST response or text would we find this? I struggled here also
REPLY
BURNCT
1 YEAR AGO 1
I read somewhere about using the cookie data to flag a failed response but not sure how to implement that.
REPLY
PP
You can get it using tamper data. It's an addon. Go to addons and search for tamper data and install it. Then navigate to the login page and fill out the user name
and password. Before clicking submit, open the tamper data tool and click 'start tamper'. Hit submit button on the website. A pop up will ask you whether you'd
like to tamper, discard, or submit. Hit submit. Then look through the entries in tamper data and click on it. It will give you the request along with the post data.
This works best if no other website is open; just the one you're trying to log into. Otherwise you're going to get a lot of pop ups asking you whether you'd like to
tamper, in which case you could just discard, but it's harder to find request you're looking for. Hope this helps. I saw OTW did an article about how to crack
passwords using tamper data and hydra. It's the same concept as when using burp essentially. I'm sure it provides a better instruction
REPLY
_URBZ_
1 YEAR AGO 1
I've been using the tamper data addon for years. It was the first thing I tried. I'm able to get this to work on most routers. However, the problem on my router is
that I cannot figure out the format of adding the username and passwd to the url bar. Thats all tamper data / burp suite shows. I've tried adding it after the
/check.php and nada.
REPLY
SINGULARITY
Hello World! hehe, im so funny. Jokes aside, I do have a question. I have been following your tutorial and have installed DVWA locally on kali linux (Dual booted) and
when I setup the proxy on Iceweasel, I cannot load any pages, not allowing Burp Suite to access any of the needed information. It loads for a bit, than quits. I took a
picture of my proxy settings but it was to big so I put a link to it below. Also, sorry if this is the most obvious thing, im tired and have been at this for a while. Sorry
for LQ, couldnt take a screenshot for a reason and used my phone.
REPLY
REPLY
IHAVEFORGOTTEN MYNAME
Solved
REPLY
CHRISTOPHE TANG
1 YEAR AGO 1
Hey OTW, really well explained tutorial, I have a question though : should I use proxy with hydra if I want to crack password for ONE account let's say my friend's
Facebook account? Will I get an ip ban or something like that ? And BTW , I really want to know if you could make a tutorial on how in Mr.robot episode 1, Elliot
hacked his psy's password by simply adding custom word to a dictionary and instant cracking. I know you can do it with crunch but it is only creating wordlist.
Thanks.
REPLY
CHRISTOPHE
WONDERHOWTO
TANG
GADGET HACKS NEXT REALITY
1 YEAR AGO
1
Hey OTW ! Your tutorials are vey well explained and I'm learning a lot. Could you please tell me if I should use a proxy list in order to crackFOLLOW US
an online account
with
crunch and hydra ? And can you teach us how did Elliot cracked his target's password in episode 1 of Mr. Robot ? They way he adds password to a password list and
instantly run the brute force . I'm waiting for your answers , thank you .
REPLY
OCCUPYTHEWEB
1 YEAR AGO 1
He used cupp.
REPLY
CHRISTOPHE TANG
sorry for double post and thanks for the reply, now that i managed to use CUPP this magical password creator, any clue on which type of password he cracked ?
Most online passwords has a tries/ip or tries/account limitaion, he treid a 90k password list :o
REPLY
CHRISTOPHE TANG
1 YEAR AGO 1
or do you have any tip on how to auto change ip addres in kali linux ?
REPLY
SHENIQUAX
1 YEAR AGO 1
So I was tryin to brute force a yahoo email , so I tested it first with my real email and made a .txt word list with 5 passwords and one of them was the right one and
the other 4 weren't.
I got and I type-

Hydra -l (my email) -P (my wordlist) -s 465 -S -v -V -t 1 smtp.mail.yahoo.com smtp
hydra checks all of the 5 words and says that all were invalid and no password was recovered even though the 3rd was my password, what my be happening?
REPLY
OCCUPYTHEWEB
1 YEAR AGO 1
You are missing probably the most important part of the Hydra command, the last section. That section defines how the server communicates that the password
was wrong. You didn't include it.
REPLY
SHENIQUAX
1 YEAR AGO 1
so what should I add to the end of the script? can you give me an example?
Hydra -l (my email) -P (my wordlist) -s 465 -S -v -V -t 1 smtp.mail.yahoo.com smtp - than whats the next part?
thanks for responding so quick :D
REPLY
OCCUPYTHEWEB
1 YEAR AGO 1
Please go back and re-read this article. There are several errors in your command.
REPLY
SHENIQUAX
1 YEAR AGO 1

Ok thanks :D
FOLLOW US REPLY

ZODO
1 YEAR AGO 1
I know that this is really late, but I still hope you respond. I followed your tutorial and did everything, but I still have one problem. I looked at the real time code for
the website and attempted a fake login and it told me that the error message was "error: "Incorrect Password" ". When I put that into hydra it just came up with the
screen you get when you open hydra. The command I'm using is
hydra -l (the email) -P Desktop/wordlist.txt 54.215.131.188 http-post-form "/api/auth/login:data%5Busername%5D=ÛSER^&data%5Bpassword%5D=ÛSER^:error:

"Incorrect username."" -V
Any help would be very much appreciated!
REPLY
KINGLEO KINGLEO
Great tutorial. I managed to get something similar to work on a test VPS I use to attack.
The issue however is that the auth.log file shows my IP when simply using hydra.
Therefore I tried using:
"hydra -s 22 -v -V -l root -P /usr/share/wordlists/testlist.txt -t 4 -w 60 SERVERIP ssh HYDRA_PROXY=socks5://121.40.102.199:1080"
and also tried using
"proxychains hydra -s 22 -v -V -l root -P /usr/share/wordlists/testlist.txt -t 4 -w 60 SERVERIP ssh"
Howerver in both cases it said in the auth.log file:
"reverse mapping checking getaddrinfo for MYHOMEIP failed - POSSIBLE BREAK-IN ATTEMPT!"
Can you explain why it has my home IP some how via "reverse mapping? My proxychains list has about 15 proxies in it using dynamic_chain. Im very confused.
REPLY
STAFF_OF_AARON77
1 YEAR AGO 1
A great tutorial from OTW but this one has a more detailed explanation for those still having trouble:
FOLLOW US
REPLY
DOG
While setting up Burpsuite and Iceweasel I did everything you stated and after that every page will result into unlimited loading........ and Burpsuite seems to only get
the GET request or parts of it. Of course when I put the proxy off in Iceweasel everything works perfectly fine.
EDIT:
Fixed it by going to options and enabling all the 'Intercept Client Request'.
REPLY
DOG
1 YEAR AGO 1
I tried the following commands which none of them worked....... :(:
hydra -l admin -p '/root/Desktop/Passwords/rockyou.txt' IP http-post-form "/login.cgi:username=ÛSER^&password=^PASS^:The username or password is not

correct." -V
hydra -l admin -p '/root/Desktop/Passwords/rockyou.txt' IP http-post-form "/login.cgi:username=ÛSER^&password=^PASS^=1234&submitValue=1:The username or
password is not correct." -V
REPLY
TRIPHAT
1 YEAR AGO 1
Try adding in your request a proper User-Agent an Referer headers

Add all additional fields in the request, like hiddenPassword and submitValue (kinda your second string, but you left out the param name in hiddenPassword)
Try shortening the trigger, use less words, possibly just one instead of full sentence ( like use only correct if applicable..)
DOG
1 YEAR AGO
FOLLOW US
1
Triphat, can you give me an example of what you mean? So far I have this:
hydra -l admin -p '/root/Desktop/Passwords/rockyou.txt' IP http-post-form

"/login.cgi:UserName=ÛSER^&password=^PASS^=1234&hiddenPassword=1234&submitValue=1:The username or password is not correct." -V
I am not sure what words are useless in the string?

Its just the IP/login.cgi as header.
Its just the IP/login.cgi as header.
REPLY
ABYSSOFDESPAIR
Hey, great tutorial. I follow those steps, but something is still wrong (I get 16 valid password, from which mine is none) and I don't really know what it is.
My command is:
hydra -l (my username) -P /usr/share/wordlists/rockyou.txt.gz 69.162.92.205 http-post-form

"/login.php:action=login&login=ÛSER^&autologin=1&password=^PASS^:Authentication failed." -V
Also my console shows me those "signs" instead of letters. I never encountered that before.
Thanks for incoming help :)
REPLY
NICHOLAS DISALVIO
1 YEAR AGO 1
The DHS uses Login.aspx......
REPLY
PUNIT CHAUDHARI
Please help me
I'm getting this:
DATA attacking
WONDERHOWTO service
GADGET HACKS NEXThttp-post-form
REALITY INVISIVERSEon DRIVERLESS
port 80 NULL BYTE
ATTEMPT target mysite - login "test" - pass "0" - 1 of 957 child 0
FOLLOW US
80www-form host: 185.27.134.143 login: test password: 03
1 of 1 target successfully completed, 16 valid passwords found
My command was:
hydra -l test -P /usr/share/dirb/wordlists/small.txt mysite http-post-form "/index.php:userlogin=ÛSER^&passlogin=^PASS^&log=Login:Please enter valid Username and
Password." -V
Please reply soon
REPLY
JACK MANS
7 MONTHS AGO 1
I get the same exact thing anyone know why and how to fix it?
REPLY
L BA HU`NG
Thanks for a awesome post.
I'm started hacking my web login of Wi-Fi router but there is a catch every time I entered a wrong password it refresh the page and doesn't show any wrong message.
What should I do?. Please help. The web file if you need: https://57cb3da913017b33230a33ee90f78e7b977fd794-
www.googledrive.com/host/0BzJkbqA_bKIEfllJR0RseVhTMF9VTktSUExPa3ZmSHRJN1NmRDRUc0wzVVFyMHc3UFF6NGc/GPON%20Home%20Gateway.rar
REPLY
OCCUPYTHEWEB
1 YEAR AGO 1
THC-Hydra is the wrong tool. Try using aircrack-ng for hacking the passwords on your WiFi router.
REPLY
WONDERHOWTO
LGADGET
BA HU`NG
HACKS NEXT REALITY
1 YEAR AGO
1
no i'm hacking the web login of my router not the wifi password. Thanks for the reply! FOLLOW US
REPLY
HENRIQUE ANDRADE
1 YEAR AGO 1
OTW, I tried to crack my own password and everything was going ok, but THC-Hydra didn't stop when the correct password was attempted.
What might be the problem?
REPLY
VOLK
1 YEAR AGO 1
Hey, after a long time trying I succeed in my tests! But...
80http-post-form host: **** login: ****

STATUS attack finished for **** (valid pair found)
1 of 1 target successfully completed, 1 valid password found
The password was found, but Hydra do not show it!

Any ideas?
P.S.: Sorry for my bad english.
REPLY
VOLK
1 YEAR AGO 1
Nobody? =(
REPLY
OCCUPYTHEWEB
1 YEAR AGO 1
Notice where the username and password appears in this tutorial. What does it say there when you run THC-Hydra?
REPLY
VOLK
1 YEAR AGO 1
My output is like yours, except this last screen:
In my case the "password : password" is not there.

Thanks for your time.
REPLY
OCCUPYTHEWEB
1 YEAR AGO 1
It says right there that it found the password "password" for the admin user.
REPLY
VOLK

Yes, but this is your screen, I just copied from your output trying to show whats is missing. I 'll try again and post my screenshot this time, just give me 2 min =)
FOLLOW US REPLY

VOLK
1 YEAR AGO 1
Image via postimg.org
REPLY
OCCUPYTHEWEB
1 YEAR AGO 1
How can I help you when you have obscured all the key information?
REPLY
COMMINGSOON
10 MONTHS AGO 1
I see green color.
REPLY
VOLK
1 YEAR AGO 1
Did I? Sorry. I did because the target is a website and the login is my own account.
I thought the target have nothing to do with it...
Just tell all information you need and I will be pleased to give to you =)
REPLY
SIMPLE SADMAN
11 MONTHS AGO 1
Thank you man, this is awesome! :)
I just have two questions: What about if I know that the username's password is written in another language, with maybe 2 numbers. Should I use kali linux
wordlists? Or should I create my own wordlists with crunch?
And how do I find the wordlists and passwordlists using the terminal?
I hope you can help me out :(
REPLY
COMMINGSOON
10 MONTHS AGO - EDITED 10 MONTHS AGO 1
If you know username and password then find wordlist with terminal use this command "locate wordlist" or "locate rockyou" (Kali Linux) then open with text editor
and find if there or not .. you can add in list if not found.
REPLY
COMMINGSOON
10 MONTHS AGO 1
I have problem like @BURNCT when scan my website with Hydra I get 208 valid passwords (lol)
Use: http-post-form
inputUsername, inputPassword, inputLogin - form (method="post")
Try everything
WONDERHOWTO (http-get-form,
GADGET HACKS NEXT REALITY http-post-form, use Cookie,...)
INVISIVERSE DRIVERLESS NULL BYTE but not works.
How can I use Hydra... "and hack like pro"? FOLLOW US

REPLY
SCALLE SCALLE
Hi
Thanks for the useful guide. However i dont manage to succeed. Some help would be appreciated. Below a print of Burp results and the command line in Hydra.
Hydra tells me after 'enter' the syntax rules but does not start the job.
Also : i use Hydra with Cygwin on Windows 7. Does it matter from WHERE i start the hydra command, i mean should i do it while being in the hydra dir, or should it
be the cygwin dir or just the root dir C ?
POST /login.php?action=in HTTP/1.1

Host: xxxxxx.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://xxxxxx.com/login.php
Cookie: visidincap526178=dBiizl5bQzKldS2WdMrM/ArT6VYAAAAAQUIPAAAAAAB6g3H+O0+VIC6UaHfrwDzi;
visidincap821436=nmDb/MkQTXm2VsdHkiWxuzYCN1cAAAAAQUIPAAAAAADrVUYTxunztOfbWaA78Xgm; _ga=GA1.2.242869812.1465591208
Connection: close
Content-Length: 82
formsent=1&redirecturl=index.php&requsername=blop&reqpassword=blop&login=Login
Wrong username and/or password. This is the fail message of the site.
hydra -l yyyyy -P cygwin64/john.txt 123.456.789.000 https-post-form "/login.php:requsername=ÛSER^&reqpassword=^PASS^&login=Login:Wrong username and/or

password." -V
REPLY
ABE BEN
8 MONTHS AGO 1
Great tutorial. However, I do not think this technique will work with a particular router I have. The router's login page uses a Java applet. Any idea how I can
approach cracking the password. Using hydra SSH gives me an error of password authentication not supported.
The IT department gave me a Motorola router (bought in 2010) to factory reset. The guy who set it up quit and did not document the password. There is no reset
button, and when connected to the serrial port, pressing the ESC key while booting for factory firmware when loading does not work until it is too late. From what I
understand, the IT guy who set this up was a real IT genious. Motorola will not help me with it without paying for support.
REPLY
FARID GHOREYSHI
Hello
(At first I have to say that my English is not native then if I have any problem , Excuse me)
My Router is Linksys and it has different web page login panel and there is no part that related to Username and Password
Also my Router doesn't have any Username field
Please see these pictures to see burp suite log:

http://share.pho.to/AQnpb
Now how should I write hydra command(Web form)?
REPLY
PERFECT
WONDERHOWTO GADGETSTORM
HACKS NEXT REALITY INVISIVERSE
2 MONTHS AGO - EDITED 2 MONTHS AGO
DRIVERLESS NULL BYTE
1
FOLLOW US use
All that happens is firefox says connection is not secure and there is no way around this while the proxy is changed as seen in this tutorial. Cant connect so I cant
firefox thus I cant use burpsuite or crack logins.
REPLY
TR0Y AN0
LAST MONTH - EDITED LAST MONTH 1
Hi there!
Thanks for this tutorial!
I found myself stuck, please see the print screen:
And from there, it does not go on...
I would really appreciate if I could get some guidance.
REPLY
REPLY
CHRISTY RAJIRAJ
3 WEEKS AGO 1
hi brthr , I need a help i need to view this cctv 123.231.114.138 , plzz help me to view?if u can give me username & password thats fine, if not can you plz tell me how
to view via kali linux 2016.2? plkzzz help me .... FOLLOW US
REPLY
KYRIAKOS DEMETRIOU
YESTERDAY - EDITED YESTERDAY 1
Hey OTW and nice post as always :)
Since i began researching about brute-forcing and wordlist attacks i have been very wondering if "partial brute-force/wordlist attacks exist". A succesful brute-force
attack against strong passwords may take hours, days and even weeks and it is undeniable that letting your computer operating for such long is not the best for the
machine's health. And also if we take into consideration that most users do not change their passwords that often i think that diving your brute-force attempts could
be a pretty good idea if you are not confident enough to let your machine operating 24/7. Isnt there a way to "pause" the brute-force attack either by saving the line of
the wordlist that you have stopped or maybe saving the last combination of characters and its length so you dont need to begin brute forcing again from the start?
P.S. Sorry for my bad english :P
REPLY
Share Your Thoughts
YOU
LOGIN TO COMMENT
Click to share your thoughts
HOT LATEST
HOW TO
Set Up a Headless Raspberry Pi Hacking

Platform Running Kali Linux
HOW TO HACK W I-FI
Capturing WPA Passwords by Targeting

Users with a Fluxion Attack
HOW TO
4 Ways to Crack a Facebook Password &

How to Protect Yourself from Them
FOLLOW US
MAC FOR HACKERS
How to Get Your Mac Ready for Hacking
HOW TO
An Intro to Vim, the Unix Text Editor Every

Hacker Should Be Familiar With
NEWS
Malware Targets Mac Users Through Well-

Played Phishing Attack
HOW TO HACK W I-FI
Get Anyone's Wi-Fi Password Without

Cracking Using Wifiphisher
HOW TO
Crack Any Master Combination Lock in 8

Tries or Less Using This Calculator
HOW TO
Get Unlimited Free Trials Using a "Real"

Fake Credit Card Number
HOW TO HACK W I-FI
Cracking WPA2-PSK
WONDERHOWTO Passwords
GADGET HACKS Using
NEXT REALITY INVISIVERSE DRIVERLESS NULL BYTE
Aircrack-Ng
FOLLOW US
HACK LIKE A PRO
How to Secretly Hack Into, Switch On, &

Watch Anyone's Webcam Remotely

Web Cracking

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Web Cracking

Hochgeladen von

Copyright:

Verfügbare Formate

2017-4-28 Hack Like a Pro: How to Crack Online Web Form Passwords with THC-Hydra & Burp Suite

ords with THC-Hydra & Burp Suite Null Byte

How to Crack Online Web Form Passwords with THC-Hydra &

W elcome back, my hacker novitiates!

Get the Web Form Parameters

IP Address of the website

URLGADGET HACKS NEXT REALITY INVISIVERSE

Using Burp Suite

WONDERHOWTO GADGET HACKS NEXT REALITY INVISIVERSE DRIVERLESS NULL BYTE

Get the Bad Login Response

Place the Parameters into Your THC Hydra Command

kali >hydra -L <wordlist> -P<password list>

kali > locate wordlist

kali > hydra -l admin -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form

-l indicates a single username (use -L for a username list)

Let Her Fly!

kali > hydra -l admin -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form

Cover image via Shutterstock

Thanks again OTW, for another great tutorial!

type: ping <targetwebsite.com> -c1

I was right! It is -w!

burp is also used for killing iphone through a snapchat vulnerabilty

OTW any thoughts on my statement from before?

Wondering the same

your really looking 4 trouble

I hope you have a solution

If DVWA is running on your Kali system, use 127.0.0.1. FOLLOW US

Thank you I got it to work

Thanks great Tutorial

You need to add the variables into the form.

WONDERHOWTO GADGET HACKS NEXT REALITY INVISIVERSE DRIVERLESS NULL BYTE

80www-form host: 192.168.10.10 login: admin password: admin

hydra -l admin -P pass.txt 192.168.10.10 http-post-form

The key is getting the "failed" message correct in the command

POST /testsite/administrator/index.php HTTP/1.1

GET /testsite/administrator/index.php HTTP/1.1

LOL, I give up!

I got and I type-

thanks for responding so quick :D

WONDERHOWTO GADGET HACKS NEXT REALITY INVISIVERSE DRIVERLESS NULL BYTE

hydra -l (the email) -P Desktop/wordlist.txt 54.215.131.188 http-post-form "/api/auth/login:data%5Busername%5D=^USER^&data%5Bpassword%5D=^USER^:error:

Any help would be very much appreciated!

Therefore I tried using:

"hydra -s 22 -v -V -l root -P /usr/share/wordlists/testlist.txt -t 4 -w 60 SERVERIP ssh HYDRA_PROXY=socks5://121.40.102.199:1080"

and also tried using

"proxychains hydra -s 22 -v -V -l root -P /usr/share/wordlists/testlist.txt -t 4 -w 60 SERVERIP ssh"

Howerver in both cases it said in the auth.log file:

WONDERHOWTO GADGET HACKS NEXT REALITY INVISIVERSE DRIVERLESS NULL BYTE

I tried the following commands which none of them worked....... :(:

hydra -l admin -p '/root/Desktop/Passwords/rockyou.txt' IP http-post-form "/login.cgi:username=^USER^&password=^PASS^:The username or password is not

Try adding in your request a proper User-Agent an Referer headers

hydra -l admin -p '/root/Desktop/Passwords/rockyou.txt' IP http-post-form

I am not sure what words are useless in the string?

hydra -l (my username) -P /usr/share/wordlists/rockyou.txt.gz 69.162.92.205 http-post-form

Thanks for incoming help :)

The DHS uses Login.aspx......

Please reply soon

Thanks for a awesome post.

What might be the problem?

Hey, after a long time trying I succeed in my tests! But...

80http-post-form host: **** login: ****

The password was found, but Hydra do not show it!

P.S.: Sorry for my bad english.

My output is like yours, except this last screen:

80http-post-form host: login: