I have a number of relatively small password files that I'd like to use with Hydra in one go without having to manually merge them, but it seems that it doesn't natively support this or stdin.

From https://security.stackexchange.com/a/198871/29845, I thought that something like the following could achieve this:

```
hydra -l admin -P <(cat passwords/adobe_top100_pass.txt passwords/common-passwords.txt passwords/common_roots.txt) 172.31.0.51 http-post-form '/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:S=Monkey!' -I
```

However, for some reason, Hydra cannot "see" the passwords:

```
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-11 16:08:51
[DATA] max 3 tasks per 1 server, overall 3 tasks, 3 login tries (l:1/p:3), ~1 try per task
[DATA] attacking http-post-form://172.31.0.51:80/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:S=Monkey!
[ATTEMPT] target 172.31.0.51 - login "admin" - pass "" - 1 of 3 [child 0] (0/0)
[ATTEMPT] target 172.31.0.51 - login "admin" - pass "" - 2 of 3 [child 1] (0/0)
[ATTEMPT] target 172.31.0.51 - login "admin" - pass "" - 3 of 3 [child 2] (0/0)
1 of 1 target completed, 0 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-02-11 16:08:52
root@kali:/media/sf_VM_transit# 
```

I've tried many, many variations of this, from only using one file in the process substitution to using cat alternatives, but nothing has worked.

The closest that I've gotten is using `>` instead of `<`, but that simply cats the file before executing the command:

```
root@kali:/media/sf_VM_transit# hydra -l admin -P >(cat passwords/mut.txt) 172.31.0.51 http-post-form '/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:S=Monkey!' -I -V
entry1
adminpass
entry3Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-11 16:12:39
```

Hydra must be able to see something because it counts the number of logins correctly.

mythofechelon
  • Do you have to have it all on one line? Why not just cat up all the lists into a temp file, run it, then unlink the temp? 3x the lines, but simple. – dandavis Feb 11 '20 at 17:54
  • What about something along the lines of `hydra -l admin -P <<<(cat passwords/adobe_top100_pass.txt passwords/common-passwords.txt passwords/common_roots.txt) 172.31.0.51 http-post-form '/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:S=Monkey!' -I`? – doneal24 Feb 11 '20 at 18:14
  • @dandavis That'd be a good backup option but I'm just curious at this point. @doneal24 That fails with error ``bash: syntax error near unexpected token `('``. – mythofechelon Feb 11 '20 at 20:09

0 Answers