0

As in the title, hydra will only execute one try per task before hanging.

$ hydra -l admin -P /usr/share/wordlists/wfuzz/general/common.txt -u 10.10.68.141 http-post-form "/admin:user=^USER^&pass=^PASS^:F=invalid:H=Cookie:PHPSESSID=f92meothea0jd8u7faabbnk1p6" -I -t 1 -vV

[DATA] max 1 task per 1 server, overall 1 task, 949 login tries (l:1/p:949), ~949 tries per task
[DATA] attacking http-post-form://10.10.68.141:80/admin:user=^USER^&pass=^PASS^:F=invalid:H=Cookie:PHPSESSID=f92meothea0jd8u7faabbnk1p6
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "@" - 1 of 949 [child 0] (0/0)
                                                                                                                                                                                                                                           
$ hydra -l admin -P /usr/share/wordlists/wfuzz/general/common.txt -u 10.10.68.141 http-post-form "/admin:user=^USER^&pass=^PASS^:F=invalid:H=Cookie:PHPSESSID=f92meothea0jd8u7faabbnk1p6" -I -t 10 -vV

[DATA] max 10 tasks per 1 server, overall 10 tasks, 949 login tries (l:1/p:949), ~95 tries per task
[DATA] attacking http-post-form://10.10.68.141:80/admin:user=^USER^&pass=^PASS^:F=invalid:H=Cookie:PHPSESSID=f92meothea0jd8u7faabbnk1p6
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "@" - 1 of 949 [child 0] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "00" - 2 of 949 [child 1] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "01" - 3 of 949 [child 2] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "02" - 4 of 949 [child 3] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "03" - 5 of 949 [child 4] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "1" - 6 of 949 [child 5] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "10" - 7 of 949 [child 6] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "100" - 8 of 949 [child 7] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "1000" - 9 of 949 [child 8] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "123" - 10 of 949 [child 9] (0/0)
                                                                                                                                                                                                                                           

$ hydra -l admin -P /usr/share/wordlists/wfuzz/general/common.txt -u 10.10.68.141 http-post-form "/admin:user=^USER^&pass=^PASS^:F=invalid:H=Cookie:PHPSESSID=f92meothea0jd8u7faabbnk1p6" -I -t 11 -vV

[DATA] max 11 tasks per 1 server, overall 11 tasks, 949 login tries (l:1/p:949), ~87 tries per task
[DATA] attacking http-post-form://10.10.68.141:80/admin:user=^USER^&pass=^PASS^:F=invalid:H=Cookie:PHPSESSID=f92meothea0jd8u7faabbnk1p6
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "@" - 1 of 949 [child 0] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "00" - 2 of 949 [child 1] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "01" - 3 of 949 [child 2] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "02" - 4 of 949 [child 3] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "03" - 5 of 949 [child 4] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "1" - 6 of 949 [child 5] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "10" - 7 of 949 [child 6] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "100" - 8 of 949 [child 7] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "1000" - 9 of 949 [child 8] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "123" - 10 of 949 [child 9] (0/0)
[ATTEMPT] target 10.10.68.141 - login "admin" - pass "2" - 11 of 949 [child 10] (0/0)

I'm pretty sure it's not the server, since I've tried the same thing using wfuzz which executes all passwords in the list no problem. Is this a bug or am I using Hydra wrong?

not_only_but_also
  • 1
  • 1
  • Why are you already supplying a session id? –  Dec 21 '20 at 01:04
  • @MechMK1 it was giving false positives without one, with each of the tries returning successful. I followed some advice in another post that loading a session id would avoid this: https://security.stackexchange.com/questions/37020/why-does-hydra-return-16-valid-passwords-when-none-are-valid -- however either with or without the session id, each task only runs one try. – not_only_but_also Dec 21 '20 at 02:50

1 Answers1

0

Depending on the version of Hydra, you may be doing it wrong :/

You're not properly using the optional parameters to http-post-form, this is used like so:

http-post-form "/form-path:form-vars:pass-or-fail:C=/get-path:H=headers-data"

(try hydra -U http-post-form for more details)

The "C=" parameter specifies a GET issued to the URL /get-path in order to populate any dynamic cookies, this should work for PHPSESSID (from hydra v9). Note this is not compatible with an explicit "H=Cookie\:", but you may use "h=..." to combine both sets of cookies. Hydra v9 will perform a GET first anyway.

But more importantly, you did not escape the ":" in "H=Cookie:" so hydra may get confused by your parameters. Hydra v9 is more forgiving of this. AFAIR hydra v8 will fail (and v8 also expects a space after the colon).

Another issue may be HTTP/1.1 interaction (hydra is fairly stateless and its implementation of HTTP/1.1 has some rough edges), try adding a "Connection: close" header to see if that helps.

mr.spuratic
  • 7,937
  • 25
  • 37