THC-Hydra - one good pass = shows all valid

Asked Dec 30 '14 at 16:58

Active Dec 30 '14 at 22:06

Viewed 118 times

As in title. I'm testing my router security and I came up with problem.

hydra 192.168.0.1 http-get-form "/:un=^USER^&pw=^PASS^:User Name or Password is incorrect." -L usernames -P passwords

usernames : admin

passwords : admin, root, toor, 1234, realpassword(correct one)

I get: 1 of 1 target successfully completed, 5 valid passwords found

Only realpassword is the correct one but Hydra says all of them are good.

When I go to 192.168.0.1, which is router page, cookie (I guess) from Hydra allows me to be logged in. Still, executing this command does not provide me password, only session.

Q: How can I find out what password is real?

[SOLVED]

I had to pick 'false response' which was visible for me but not from 'bad login' page source.

edited Dec 30 '14 at 22:06

asked Dec 30 '14 at 16:58

Fred

you didn't tell hydra what a failed password looked like – schroeder Dec 30 '14 at 19:25
`"User Name or Password is incorrect."` isn't enough? – Fred Dec 30 '14 at 20:16
1

Hydra will behave as you specify if it can't properly find that string. Double-check the string, syntax, case, etc. – schroeder Dec 30 '14 at 22:11

THC-Hydra - one good pass = shows all valid

0 Answers0