Jump to content


  • Content Count

  • Joined

  • Last visited

About refr3sh

  • Rank

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. Forget about the last post, i forgot to enable decompression. I've used various tools (Burp Suite, Fiddler) to intercept the traffic and all I get is the same page as before entering a password
  2. HTTP/1.1 200 OK Cache-Control: no-cache, no-store, must-revalidate Content-Encoding: gzip Content-Type: text/html; charset=UTF-8 Date: Sat, 03 Dec 2016 10:01:40 GMT Server: nginx Vary: Accept-Encoding X-Jimdo-Instance: i-0a4ec76da6fce403c X-Jimdo-Wid: s742dd563442b66d6 transfer-encoding: chunked Connection: keep-alive 1354 [{W H OQQ <Dz ? B ! d Ir8e l $ FU x h ~ *I Iw c n q [ } ^ ?< t m x29"q? 9{Ù 0 This is the raw server response when I enter a password. Unfortunately, the website seems to be built with Jimdo so I guess it's a lot harder to attack th
  3. So I haven't found out the server response so far - it seems to be pretty tricky to get it to output something - but I managed to get it working with your proposed parameters and providing -l with ''. For some reason, my both my KALI (in a VM) and Windows (natively) environments seem to crash after 16 attemtps... I've tried ncrack before but I didn't get it to work either, I'll have a look at now. Also tried Burp Suite, both Free and Pro version, but after some time the targeted server didn't show any response anymore although the Burp intruder kept trying
  4. Thank you! Attempts take place, -P '' doesn't work for me, it tells me that it can't file the specified file so I wrote -P passwords.txt instead. What do you mean by The HTML of the website defines a <p class="cc-protected-note"> <br/> Password: </p> which is visible on the website. So I would use: hydra -V -f -l passwords.txt -P passwords.txt www.<url>.com http-post-form "/protected:password=^USER^:do_login=yes:Submit=Log+In:F=Password::" (Note the double :: at the end of Password, I use it because
  5. Hello, I’m trying to get THC-Hydra working on a website form which doesn’t require a username but hydra wants me to specify it with either –l, –L or -C. The form field in question needs the following parameters, as far as I’ve found out using Burp Suite Free Edition: password=test&do_login=yes&Submit=Log+in I’m also not sure what service to use and what success or failure message the server sends (Burp Suite doesn't show it and the website doesn't display any message - it just refreshes and shows the same page), currently I’ve tried http-form-post with th
  • Create New...