Posts posted by refr3sh

  1. HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store, must-revalidate
    Content-Encoding: gzip
    Content-Type: text/html; charset=UTF-8
    Date: Sat, 03 Dec 2016 10:01:40 GMT
    Server: nginx
    Vary: Accept-Encoding
    X-Jimdo-Instance: i-0a4ec76da6fce403c
    X-Jimdo-Wid: s742dd563442b66d6
    transfer-encoding: chunked
    Connection: keep-alive
    

    This is the raw server response when I enter a password. Unfortunately, the website seems to be built with Jimdo so I guess it's a lot harder to attack than a simple PHP-based form.

    Thank you for your help!

  2. So I haven't found out the server response so far - it seems to be pretty tricky to get it to output something - but I managed to get it working with your proposed parameters and providing -l with ''. For some reason, both my KALI (in a VM) and Windows (natively) environments seem to crash after 16 attempts... I've tried ncrack before but I didn't get it to work either, I'll have a look at it now. Also tried Burp Suite, both Free and Pro version, but after some time the targeted server didn't show any response anymore although the Burp intruder kept trying.

  3. Thank you! Attempts take place, -P '' doesn't work for me, it tells me that it can't find the specified file so I wrote -P passwords.txt instead. What do you mean by

    1 hour ago, digip said:

    If success is a valid response in the page, fine, but if not, replace with the error message or whatever text says to do, such as :F=Login: which should not be there if successful.

    The HTML of the website defines a

    <p class="cc-protected-note">
    <br/>
    Password:
    </p>

    which is visible on the website.

    So I would use:

    hydra -V -f -l passwords.txt -P passwords.txt www.<url>.com http-post-form "/protected:password=^USER^:do_login=yes:Submit=Log+In:F=Password::"

     

    (Note the double :: at the end of Password, I use it because the HTML contains it like this and also -P passwords.txt because it doesn't matter, right? ^PASS is not specified so -P isn't expanded, right?)

  4. Hello,

     

    I’m trying to get THC-Hydra working on a website form which doesn’t require a username, but hydra wants me to specify it with either -l, -L or -C.

    The form field in question needs the following parameters, as far as I’ve found out using Burp Suite Free Edition: password=test&do_login=yes&Submit=Log+in

    I’m also not sure what service to use and what success or failure message the server sends (Burp Suite doesn't show it and the website doesn't display any message - it just refreshes and shows the same page). Currently I’ve tried http-form-post with the following parameters: hydra -t 5 -L users.txt -f -x 2:6:a www.<url>.com http-form-post "/protected:password=^PASS^:S=success"

    (Note that I’ve specified, with -L users.txt, a username file but this is not required by the website’s form field)

    The website’s form can be found under www.<url>.com/protected, how do I tell hydra to target the /protected page, and not only the www.<url>.com part?

     

    What can I do?

     Any ideas?