refr3sh

Forget about the last post, i forgot to enable decompression. I've used various tools (Burp Suite, Fiddler) to intercept the traffic and all I get is the same page as before entering a password

HTTP/1.1 200 OK Cache-Control: no-cache, no-store, must-revalidate Content-Encoding: gzip Content-Type: text/html; charset=UTF-8 Date: Sat, 03 Dec 2016 10:01:40 GMT Server: nginx Vary: Accept-Encoding X-Jimdo-Instance: i-0a4ec76da6fce403c X-Jimdo-Wid: s742dd563442b66d6 transfer-encoding: chunked Connection: keep-alive 1354 [{W H OQQ <Dz ? B ! d Ir8e l $ FU x h ~ *I Iw c n q [ } ^ ?< t m x29"q? 9{Ù 0 This is the raw server response when I enter a password. Unfortunately, the website seems to be built with Jimdo so I guess it's a lot harder to attack than a simple PHP-based form. Thank you for your help!

So I haven't found out the server response so far - it seems to be pretty tricky to get it to output something - but I managed to get it working with your proposed parameters and providing -l with ''. For some reason, my both my KALI (in a VM) and Windows (natively) environments seem to crash after 16 attemtps... I've tried ncrack before but I didn't get it to work either, I'll have a look at now. Also tried Burp Suite, both Free and Pro version, but after some time the targeted server didn't show any response anymore although the Burp intruder kept trying

Thank you! Attempts take place, -P '' doesn't work for me, it tells me that it can't file the specified file so I wrote -P passwords.txt instead. What do you mean by The HTML of the website defines a <p class="cc-protected-note"> <br/> Password: </p> which is visible on the website. So I would use: hydra -V -f -l passwords.txt -P passwords.txt www.<url>.com http-post-form "/protected:password=^USER^:do_login=yes:Submit=Log+In:F=Password::" (Note the double :: at the end of Password, I use it because the HTML contains it like this and also -P passwords.txt because it doesn't matter, right? ^PASS is not specified so -P isn't expanded, right?)

Hello, I’m trying to get THC-Hydra working on a website form which doesn’t require a username but hydra wants me to specify it with either –l, –L or -C. The form field in question needs the following parameters, as far as I’ve found out using Burp Suite Free Edition: password=test&do_login=yes&Submit=Log+in I’m also not sure what service to use and what success or failure message the server sends (Burp Suite doesn't show it and the website doesn't display any message - it just refreshes and shows the same page), currently I’ve tried http-form-post with the following parameters hydra –t 5 –L users.txt –f –x 2:6:a www.<url>.com http-form-post “/protected:password=^PASS^:S=success” (Note that I’ve specified, with –L users.txt, a username file but this is not required by the website’s form field) The website’s form can be found under www.<url>.com/protected, how do I tell hydra to target the /protected page, and no only the www.<url>.com part? What can I do? Any ideas?