


How to brute force http forms in windows

 

This will give you an idea of how to brute force HTTP forms with THC-Hydra.
This is a continuation of "How to brute force your router", so if you haven't read it, check it out!
Watch the video for a live example.
 


 
IMPORTANT: This is for educational purposes only. Don't go around attacking sites; that's how you get into trouble.


In this example I will be brute forcing an admin account on this site, which has been set up just for this (the user has already been deleted).
The URL I will be using in this example is http://www.sillychicken.co.nz/administrator/ which is the path to the Joomla admin login page.

Video best viewed in full screen mode (icon between timer and volume)

 

BACKGROUND:
A couple of things that need to be identified:

  • Postback page
  • Post Parameters
  • Failed attempt unique text


Post back page

This is normally the same page as the login page, but not always. View the source code of the page and find the form with method="post". The action value is the page to which the values will be "posted".

This is the section from the administrator login page for Joomla:

As you can see, the page to post to is "index.php".

Post Parameters

These can be found by viewing the source code of the login page. All tags within the form will be posted.

The post name will be the "name" attribute of the tag. The value will be the "value" attribute if it has one defined.

Alternatively, you can use Firefox with the Tamper Data extension, which works great.



Failed attempt unique text


This is text that is found on the webpage when a login attempt fails. This text must be exclusive to a failed login attempt.

 
Putting it all together:

The site:

www.sillychicken.co.nz/administrator/

The post back page:

index.php

 

The postback values are:

usrname=(user input)

pass=(user input)

submit=Login

 

which have been extracted from the page source:
 

Now if we try to log in to the admin page, we get a JavaScript popup which says "Incorrect Username, Password ......"

"Incorrect Username" sounds like text that would not show up had it been a successful login, so we will use this.



Let's combine it all into hydra:

 

hydra -l {username} -P {password list path} -s {port} -f {Site Address} http-post-form "{Path to postback page}:{USERNAME_NAME}=^USER^&{PASSWORD_NAME}=^PASS^:{failed login text}"


My command looks like:


hydra -l hydra -P password.lst -s 80 -f www.sillychicken.co.nz http-post-form "/administrator/index.php:usrname=^USER^&pass=^PASS^&submit=Login:Incorrect Username"

 
Command break down:


hydra --> The hydra program
-l --> (lowercase "L", not to be confused with an uppercase "i") Single username to target. Use uppercase -L to specify a username list. I have set up the "hydra" account for this demo, and it has already been deleted.
-P --> Path to the password list. Use -p to try a single password, e.g. "passw0rd"
-s --> Port to target. The default port for HTTP is 80
-f --> Exits the program after the first match is made

{Site Address} --> e.g. www.sillychicken.com. Do not include http://
http-post-form --> Service to brute force. The Hydra README has the command as http-form-post; using that will give you an error
{Path to postback page} --> Everything after the site address; must start with "/"
{USERNAME_NAME} --> The name of the username postback variable
^USER^ --> This will be replaced with the username specified by -l or the -L username list
^PASS^ --> This will be replaced with the password from the defined list
{Failed login text} --> Text that will only be found in a failed login
Note: ensure the quotes run from just after http-post-form to the end of the command.

You will get an output line with username and password if you are successful.
Watch the video for a live example.
This attack is only as good as your dictionary.
Next: how to brute force web forms. Make sure to come back and check it out!
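
Seen from the server, the hydra command above is a rapid run of POST requests to /administrator/index.php from a single client. The following detector is an added example, not part of the original article or of THC-Hydra; it assumes combined-format access logs, and the 60-second window, the threshold of 10, the IP addresses and the log lines are constructed for illustration. It counts requests rather than status codes, since the article's target signals a failed login in the page content.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/administrator/index.php"  # postback page from the article
WINDOW = timedelta(seconds=60)           # assumed detection window
THRESHOLD = 10                           # assumed max login POSTs per client per window

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} ')

def parse(line):
    """Return (ip, time, method, path without query) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def find_bruteforce(lines, path=LOGIN_PATH, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: peak count} for clients with more than `threshold` login POSTs in `window`."""
    recent = defaultdict(deque)  # ip -> times of login POSTs still inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != "POST" or rec[3] != path:
            continue
        ip, ts = rec[0], rec[1]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def sample_log():
    """Constructed log lines: one client hammering the form, one ordinary user."""
    fmt = '{ip} - - [12/Mar/2024:10:{m:02d}:{s:02d} +0000] "{meth} {path} HTTP/1.1" 200 5123 "-" "-"'
    lines = [fmt.format(ip="203.0.113.7", m=0, s=s, meth="POST", path=LOGIN_PATH)
             for s in range(0, 40, 2)]                       # 20 POSTs in 40 seconds
    lines += [fmt.format(ip="198.51.100.4", m=m, s=0, meth="POST", path=LOGIN_PATH)
              for m in range(3)]                             # 3 POSTs over 3 minutes
    lines.append(fmt.format(ip="198.51.100.4", m=5, s=0, meth="GET", path="/index.php"))
    return lines

if __name__ == "__main__":
    for ip, count in find_bruteforce(sample_log()).items():
        print(f"{ip}: {count} login POSTs within {WINDOW.seconds}s")
```

The same counter can feed a lockout or rate limit on the login page, which is what makes a dictionary run of this kind impractical.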


IMPORTANT: This is for educational purposes only. Don't go around attacking sites; that's how you get into trouble.

Comments (10)
0
...
written by LatinUnit , July 29, 2010
What he did was actually wrong; if you pay attention, the submit button values were subm1t with a "1" not "i"
0
...
written by video izle , May 27, 2010
thanks, good..

http://www.trtube.info
0
...
written by mmm , May 17, 2010
nice
0
...
written by mi , November 26, 2009
I have a problem, my command line looks like this:

hydra -l user -P passwrd.txt -e ns www.victim.co http-post-form "/login index. php
hr. login_nicname=^USER^&login_password=^PASS^login=Log+In

ERROR : CANT RESOLVE WWW.VICTIM.COM
EROR SEVER CAN SCAN

I ping the web site before running THC-Hydra, please help
0
...
written by joan , August 12, 2009
When I get responses from an http server that are very similar to the ones I get in a fail login on yahoo or gmail. I mean, some text appear in the same structure of the web page does not change after they appear.
Can I still use hydra?

(Everyone would be using it to hack mails)
0
...
written by hunter4 , July 11, 2009
Ok, promise, last question: I just did it again and I thought it's probably something to do with hydra, because I've tried like 15 sites and all correctly, especially a couple of 'em, and it pairs 'em all up. Failed login string is correct as well? I'm using hydra5.4WINDOWS
0
...
written by hunter4 , July 11, 2009
I barely could find a good tut, now u don't help me
0
...
written by jeast , January 30, 2009
Thanks a lot for this article, because in the manual it's impossible to find detailed information; your example is better to understand