4

I am looking to password crack my twitter account using THC Hydra but am running into some sort of syntax error. Here is what I have:

```
hydra -l email@domain.com -P passphrase.txt -s 80 -f https://twitter.com https-post-form "/session:%5Busername_or_email%5D=email@domain.com&session%5Bpassword%5D=^PASS^:did not match"
```

The file "passphrase.txt" contains only 1 password which is the correct one. However, I am getting an argument error:

```
[ERROR] the variables argument needs at least the strings ^USER^ or ^PASS^: (null) Segmentation Fault
```

How else do I need to pass the variables as an argument into the command? Is the http-post-form variable setting correct for twitter? I am not exactly sure if it is the right string for the USER and PASS variables.

Thank you.

Travis Patron
  • There have been problems with Hydra lately. SIGSEGV's may never occur regardless of the config and supplied settings. – Yorick de Wid Sep 01 '16 at 22:30
  • You can't bruteforce twitter! Not even your own account. You are creating a large load on Twitter servers which can be seen as DOS. – Silver Jan 13 '17 at 09:18

2 Answers

2

I'm not sure how you're legally brute forcing Twitter. But you could try to drop the http from the URI. That fixed the segfault errors for me. It seems it can be triggered by unexpected syntax.

It does also look like you aren't supplying the necessary ^USER^ parameter as specified in the error message you pasted. It must be there even if you aren't trying to brute force it. You will then specify with -l or -L the scope of usernames to try.

Also, a lot of the answers online for proper syntax of Hydra are based on different versions, but valid syntax is changing between versions. Check the man page (`man hydra`) to get what works for sure. In the man page it shows there's a -U option for different services which describes proper usage of that service, e.g. `hydra -U http-post-form` shows how to supply http-post method brute parameters.

I'm on version 8.2 which comes with the current version of Kali Rolling (Jan 2017) and this command works:

```
hydra -P /var/www/html/cewl10.x.x.x -l admin 10.x.x.x http-post-form "/otrs/xxx.pl:User=^USER^&Password=^PASS^:username" -V
```
galoget
Info5ek
0

Am I missing something or is the ^USER^ missing in your URL? You don't need to hardcode your email, you specify it in the -l user@domain.com command line param.

kaidentity
  • Here is what I have thus far. It is giving me a "Segmentation Fault": `hydra -l user@domain.com -P passphrase.txt -s 80 -f https://twitter.com https-post-form "/session:%5Busername_or_email%5D=^USER^&session%5Bpassword%5D=^PASS^:F=did not match"` – Travis Patron Sep 02 '16 at 17:06