How to get and use constantly changing cookie JSESSIONID values in Hydra?

Question

Related: how to get cookies from aspx site to use it with hydra

My problem is similar to the above case, I get "20 valid passwords found" but the server I'm trying to brute force sends the header set-cookie: JSESSINOID=XXXXXXXXXX in every single Response, so the JSESSIONID for the next request is different every time. Is there a way to get around this?

My syntax:

hydra XX.XXX.XX.XX -l admin -P pwlist.txt http-post-form “/Path/to/page.do:method=LoginAction&formName=loginform&pageType=1&userName=^USER^&password=^PASS^:Please enter valid User name and Password.:H=Cookie: JSESSIONID=XXXXXxxxxxXXXXXX”

Thanks for your help.

Honestly, I'd write a script in something like python to perform this. You're going to be better off in the long run, though it may take some time to learn it. You can use the requests library or something similar. — plast1K, Aug 04 '17 at 19:37

Potti · Answer 1 · 2017-11-02T05:19:50.430

2

You can keep the session ID in the http response in a variable in the python prox and you can also send this session key with http requests.

https://forums.kali.org/showthread.php?18055-Hydra-using-Proxy https://null-byte.wonderhowto.com/how-to/sploit-make-proxy-server-python-0161232/

edited Nov 02 '17 at 05:19

answered Nov 01 '17 at 07:47

Potti

21
4

How to get and use constantly changing cookie JSESSIONID values in Hydra?

1 Answers1