
Help using Hydra on web form


Rombro


Hi I am very new to all this. I am trying to learn how to use Hydra. I've done some reading online and had a go at using it against my own router. I am using Burpsuite to get the POST and response info.

My router login page does not have a field for a login only for a password. The default password being "admin".

On trying to login to the router using an incorrect password I get the following output:

POST /login.cgi HTTP/1.1
Host: 10.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.1.1.1/login_main.html
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 28

login_option=0&password=asdf

and the response I get back is:

HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Sat, 19 Sep 2015 16:27:20 GMT
Content-Type: text/html
Connection: close

<html>
<head>
<meta HTTP-EQUIV='Pragma' CONTENT='no-cache'>
<script language="JavaScript">
function back_page()
{
   var loc = 'login.html';
   var code = 'location="' + loc + '"';
   eval(code);
}
</script>
</head>
<body>
<script language="JavaScript">
     alert("Invalid password");
     back_page();
</script>               
</body>
</html>

Given I am just trying to test out Hydra at the moment and learn it I figured I'd give it the correct login credentials so it only has to make one attempt. My hydra command is as follows:

hydra -l 0 -p admin 10.1.1.1 http-post-form "/login_main.html:login_option=^USER^&password=^PASS^:Invalid password" -V

However I am getting no joy. It is not able to identify "admin" as the correct password.

Any help would be greatly appreciated.


you will have more success scripting your own tool rather than depending on someone else's tools...

As cooper said. Open up a packet capture tool and look at the client/server headers...

if you can duplicate what you see on the wire with hydra.

Test with a single "-u admin -p password" until you see the proper results

You can use curl or wget...

Edited by i8igmac

if you send a proper request, you should see a response...

if you already have a scripting language of choice, you truly are better off. A tool like Hydra is developed for a broad range of protocols. Any plugins, modules or firewalls this server may have installed could potentially cause Hydra to miss...

you need to look at the traffic, investigate 2 scenarios...

what would a failed response look like?

what would a successful response look like?

what I have done in the past through a scripting language: sort through your password list, processing each line with wget

you can then grep through the output files generated by wget.

this is a fun subject. I encourage you to spend the time and experiment on other services as well... you will come across firewall rules that make this subject much more exciting :-)

Like a chess game with your eyes closed.

Edited by i8igmac

So you will know what a false result looks like by intercepting the server response with wireshark? So if you get a response other than a failed one it might be a successful login? If it were something like a website where you could create an account you would be able to successfully login and collect the positive login response.

So something like:

Sorry for shitty pseudo code here.

while read -r line; do
    wget --user=admin --password="$line" <url>
    checkfiles
    if [ "$login" != "fail" ]; then
        echo "admin $line"
        break
    fi
done < wordlist.txt

Am I close here?


So I've got the response for both a failed login and a successful login. The failed one is the response in the OP, the successful one is just the router control panel page. And in the case of the hydra command I am feeding it the correct login information (or at least that is what I'm trying to do - not sure if I've got it right, that's the problem) so it should work but it still does not identify the password as correct.

Given that the response for a fail is in the form of an alert box, how do I script something to parse through the text of an alert box? Or do I not need to do that? I'm a little confused.


Apologies for the double post, I couldn't find the edit button. Is there one?

Ignore the parsing alert box thing, I've figured it out. I have managed to build the wget command to log into the site and then compared the output for a successful and unsuccessful login manually. The command is:

wget --save-cookies cookies.txt --keep-session-cookies --auth-no-challenge --post-data 'login_option=0&password=nope' http://10.1.1.1/login.cgi

The login_option and login.cgi come from burpsuite output as in OP.

Now I just need to build a script to automate it - happy days! Thanks for the help so far guys.

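The comparison Rombro describes doing by hand (failed response versus successful response) can be automated in a few lines. The following is an added example, not code from the thread or from the Hydra project. The failed response is the one captured in the OP; the success page is a constructed stand-in, since the thread only says it is "the router control panel page". It shows two things the whole thread turns on: the status line is 200 OK for both outcomes, so only the body tells them apart, and the alert text can be pulled out of the inline JavaScript with a regular expression. This body match is the same idea as the failure string in the third field of the http-post-form argument.

```python
import re

# Failed-login response as captured in the OP (Date header omitted).
FAILED_RESPONSE = """HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Content-Type: text/html
Connection: close

<html>
<head>
<meta HTTP-EQUIV='Pragma' CONTENT='no-cache'>
<script language="JavaScript">
function back_page()
{
   var loc = 'login.html';
   var code = 'location="' + loc + '"';
   eval(code);
}
</script>
</head>
<body>
<script language="JavaScript">
     alert("Invalid password");
     back_page();
</script>
</body>
</html>
"""

# Constructed stand-in for the control-panel page returned on success;
# the thread does not quote the real one.
SUCCESS_RESPONSE = """HTTP/1.1 200 Ok
Server: micro_httpd
Content-Type: text/html
Connection: close

<html><head><title>Router</title></head>
<body><h1>Device Status</h1><a href="/logout.cgi">Logout</a></body></html>
"""

# The string that marks a failed attempt, taken from the captured response.
FAILURE_MARKER = "Invalid password"


def split_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Accepts both CRLF and bare LF line endings, since hand-copied captures
    usually lose the carriage returns.
    """
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    head = parts[0]
    body = parts[1] if len(parts) > 1 else ""
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def alert_messages(body):
    """Return the string literals passed to alert(...) in inline JavaScript."""
    return re.findall(r'alert\(\s*["\']([^"\']*)["\']\s*\)', body)


def classify_login(raw, failure_marker=FAILURE_MARKER):
    """Classify a login response as 'failed' or 'success'.

    The status code is deliberately ignored: the router answers 200 OK
    either way, so the body is the only reliable discriminator.
    """
    _status, _headers, body = split_response(raw)
    if failure_marker in body or failure_marker in alert_messages(body):
        return "failed"
    return "success"


if __name__ == "__main__":
    for name, raw in (("failed", FAILED_RESPONSE), ("success", SUCCESS_RESPONSE)):
        status, _, body = split_response(raw)
        print(name, status, classify_login(raw), alert_messages(body))
```

Both samples come back with status 200, which is why a check on the status line alone cannot tell the outcomes apart. One further observation from the page's own captures: the Burp capture shows the form posting to /login.cgi, while the Hydra command in the OP is pointed at /login_main.html; the wget command above uses the captured path.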

I should make a tutorial on traffic watching and how to reproduce the stream with tools like curl, wget, netcat and ruby...

apt-get install tcpick

This is a tool I use daily, it's a lot like tcpdump... a console-based traffic sniffer...

With 2 consoles run these 2 commands...

tcpick -i wlan0 -bPS -C

tcpick -i wlan0 -bPC -C

Now with your web browser, log into the web page... you will see the traffic in both consoles.

One console will show your client request... the other console will show your server response ...

You can then press ctrl-c in both consoles to kill the application... copy the data you see into a text editor...

You can now start both consoles back up then run your hydra, wget, curl tests... watch the traffic and identify when you have a proper authentication...
