1

I am actually testing a brute force attack with hydra on a kali linux machine (for educational purposes). I want to find the administrator password of a Joomla website. The Web server is on a dmz and my attacks are sent from the wan (there is a firewall between the subnets)

with the command: 

hydra 10.12.14.3 -L login_list.txt -P password_list.txt http-post-form "/administrator/index.php/dvwa/vulnerabilities/brute/index.php:username^USER^&passwd=^PASS^&Login=Log in:Username and password do not match or you do not have an account yet."

this actually send me this

1 of 1 target successfully completed, 8 valid passwords found

Only one password from the list was good. Whith some research on internet, i saw that the problem is probably on the last part where we declare what message comes when a bad combination:

Username and password do not match or you do not have an account yet.

this is what i get when i put a bad login and password on the joomla administrator panel, and it's not a pop-up, only a text message.

I have also tested the next command but there is the same problem:

hydra 10.12.14.3 -L login_list.txt -P password_list.txt http-post-form "/administrator/index.php/dvwa/vulnerabilities/brute/index.php:username^USER^&passwd=^PASS^&Login=Log in:Username and password do not match or you do not have an account yet:H=Cookie: security=low; PHPSESSID=82eac819f87e261479e2e9c743b644a4"

and 

hydra 10.12.14.3 -L login_list.txt -P password_list.txt http-post-form "/administrator/index.php/dvwa/vulnerabilities/brute/index.php:username^USER^&passwd=^PASS^&Login=Log in:F=incorrect:H=Cookie: PHPSESSID=82eac819f87e261479e2e9c743b644a4; security=low"

My research was on Internet in general but also in this website. Any solutions worked.

John
  • 11
  • 3
  • 2
    Welcome to Information Security! Is your question that the commands you have tried have not found a successful combination despite the output of the program reporting that good passwords had been found? – amccormack May 21 '15 at 08:04
  • @amccormack The commands that I have tried return successful combination for every combination but only 1 combination can be successful. – John May 21 '15 at 08:26
  • It may help to get a grab of what is happening on the wire using a tool like Wireshark. – Atsby May 21 '15 at 08:52
  • @Atsby Sure Wireshark can always help for situation like this, in my case the tcp paquet are sent from the Kali machine to the server (10.12.14.3) who answers to every paquets. But I think the problem is that in my command, hydra don't know if a password matched or not. I mean, he can't do the difference between a good and a bad password. By this way every password are good for hydra. And at this point, I block. – John May 21 '15 at 09:03
  • @SilverlightFox No it's the same problematic with a different situation and I saw this page this week and have tested the different "answer" that actually don't work. – John May 21 '15 at 09:47
  • 1
    @John I meant using WS (or other packet sniffer) to inspect what's really on the http result page, to ensure that the pattern you're trying to match actually occurs in it. You could probably do a wget fetch even. The main point is not to necessarily trust what you see in a browser since there is JS etc that can affect what is displayed. – Atsby May 21 '15 at 10:07
  • @Atsby I'm sorry but if I understand, I can check in WS if the variable like username or passwd matchs in the JS file and if it's the correct name ? Is that possible with Wireshark ? (I'm sorry for my bad english) – John May 21 '15 at 11:11

0 Answers0