Why I have more than one valid passwords with Hydra?

Asked Nov 30 '17 at 15:31

Active Dec 01 '17 at 08:24

Viewed 210 times

I am trying to do a brute force with Hydra on a web page but it isn't DVWA so I don't have control over code.

The failed result has 200 OK response and "Area protegida" message.

I tried it with this command:

hydra -l admin -P /root/Desktop/dict.txt http://***********.net http-post-form "/:usuario=^USER^&contrasena=^PASS^:Area protegida"

And I obtain more than one valid password, obviously false valid passwords.

What can I do?

edited Dec 01 '17 at 08:24

asked Nov 30 '17 at 15:31

Seems you're hitting a page telling you it's a protected area, the 200 code appears to because that page loaded successfully. You'll need to rethink your approach. – iainpb Nov 30 '17 at 15:39
As you can see in the code, I didn't use the 200 ok response in it. I know I shouldn't use this response code in the command and for this, I use the error message `Area protegida`, which only appear when yout tried to login with incorrect credentials. – Iratzar Carrasson Bores Nov 30 '17 at 15:46
Obviously, I don't have the access to the website so I can't analays the `PHPSESSID` parameter in the Cookie wherewith my post is not duplicate. – Iratzar Carrasson Bores Nov 30 '17 at 15:50
Yes, the cuestion is the same, but the solution is not the same because of this cuestion it is aimed at DVWA platform and my cuestion is applyed on published web site. Farthermore, this cuestion is solved therefore the people wont continue responding alternative solutions. – Iratzar Carrasson Bores Dec 01 '17 at 08:21

0 Answers0