Hack Like a Pro: How to Crack Online Passwords with Tamper Data & THC Hydra

Did he write is next hydra tutorial on hacking web forms yet?

How about VPN

OTW:
ok thanks..

Diya:

Welcome to Null Byte!

Yes, you can hack the password of the person without even knowing the username, but it is much faster if you know the username as Snowman says. I would also agree with Snowman that asking you questions in precise and proper English, without the text acronyms (js, knw,evn), is important to conveying what you are looking for.

OTW

Hi

Having trouble finding these password lists in Kali , type in command line to the T , with no luck

Brook:

Can you provide me a screenshot?

OTW

have worked out, had no space in my typing doh

Would love to go in more on hacking wifi surveillance cameras :-)

Brook:

Hydra can be used to hack any web app including web surveillance cameras. In my next Hydra tutorial, I show you how to use it hack web forms of any type.

OTW

Great tutorial, really looking forward to the next one

Hi everybody.
I've only one problem:

When i try a list of pass, when i'm hacking My Facebook account or My google account, hydra says that all the pass are valid pass!

I've sniffed with wireshark the port and the ip address of the site (Facebook, google etc) and i'm dure that is all right in The command in My terminal.. The port is 443. Have you dome solution about this problem?? I've already googled but no solution was found..

How about a screenshot.

I would like to see a tutorial about FB hacking, remotely.
Not in local Wifi, and not a simple phising page via kali LINUX.

thanks bro !

Does this work for all sites ? Or should I ask : Is this going to work on a specific website I would like to break in ? I will wait for response .Thank you

Alexandra:

It will work for password cracking of any online application.

OTW

Not really. It's depend on individual security, it mean it depend on your victim and your 'way' to crack it.

hey OTW, i am new here, and like you stated above, i tried the whole process just as is. now there is this funny thing coming up on my screen. I would like you to share some thoughts regarding it, Thanks!

you have to write -P instead of -p

Ankit:

What are you asking me? It looks like it cracked the admin password. Congrats!

OTW

hahaha, thats the point.. it says it has cracked the password, but the password isn't "/usr/share/wordlists/rockyou.txt", cos its my own router :p

now if i have to go through each password on that wordlist, isn't this whole process just futile?

I'm having the same issues, I don't know if the password is blank or what? Someone please respond.

If the password is not on the list you are using, it won't find it. Try another list.

The weird thing is that hydra displayed: "username: mysql password: /home/user/desktop/rockyou.txt 1 out 1 target successfully completed, 1 valid password found" so I though the password was blank or hydra is saying the password is in that wordlist. Because it usually displays: 0 valid password found.

Ankit:

Did you run all the way through the password list? Of course, you have to run through the entire list. What do you mean it is futile?

OTW

Greetings. Is this one of those routers with l:admin p: (blank) ?

Try: #~hydra -t 5 -V -f -l admin -e ns -p rockyou.txt xxx.xxx.xxx
Maybe you need to tweak this a little, maybe not.

Thanks, that worked. ;)

^^

It worked in displaying the password, but it gave me the wrong password, because I tried to log in and it keeps saying access denied.

Run same cmd chg 5 to 10. If same result take the -t and number out.

The -f is force stop on right password.

BTW this is the part where if this is your server that you can vet if the pwsd is correct.

Can anyone give me some syntax if i were to crack an online form that i know the username to, for example what would go in the <formparamters> and <failurestring> spaces???

hello admin
can u tell me the full roll of tamper data in cracking pass

and
hyfra search wrong password :/

i was wondering if you can tell me a bit more about THC-Hydra like i don't understand about how you use the passwords file and users file to crack passwords

I am new to all this awesome topics and am trying to hack a facebook password, (MIne of course) just to learn more about LINUX Because I think it is great. What would be the process to doing that? is there a tutorial anywhere I can study from?

go to openclassroom the best site web to learn all in informatique

could you help me in getting in "administative" account into my router? this is the login.asp page

my router is a Gemtek hybrid wimax/lte device. I did not found any useful on the web about "admin" account and the manufacturer is a lot far away to support me properly.

this are all the info I got from source page:

document.write('<td><input type="text" class="inputname" id="username" name="username" onKeyPress="if(event.keyCode == \'13\') Validate();" size="20" maxlength="65" autocomplete="off"></td>');

document.write('<td><input type="password" class="inputpwd" id="userpasswd" name="userpasswd" onKeyPress="if(event.keyCode == \'13\') Validate();" size="20" maxlength="64" autocomplete="off"></td>');

and
function checkascii(obj)
{
for(i=0;i<obj.value.length;i++)
{
if(obj.value.charCodeAt(i)>126||obj.value.charCodeAt(i)<32)
{
return false;
// obj.value=obj.value.replace(new RegExp(obj.value.charAt(i),"g"),"");
these were the only info I read from source login.asp page. thx for Ur help?

hey i'm new at this, i want to ask what is the function of Tamper Data? do you use it to know IP address and port of a website?

Tamper Data is not to find the IP address and port of the website. That can be found through nmap and other simple tools. Tamper Data helps us to understand how the web form is using our info. It displays the type of requests and the responses from the server. In that way, we can tailor our password cracking in THC Hydra.

Hi

I am using Kali Linux and need some help with hydra for dictionary attack. Is there a way to make it faster other that changing -t? I have 2.7 million combinations and it's taking a long time. I can use only hydra and the hint given is to automate hydra. I have searched but with no luck. Any help is welcome...

Guys i want to hydra gtk bruteforce mail.in.com(email) but i can't find out its target,port,protocol info .. i head it can be found online but so far no luck, I'll be grateful if someone provides me with some info

Hi, I'm a little confused on the process. Am I interpreting it correctly that this program makes several attempts at cracking the password on a site and most of them fail and then it stops when it gets the successful password? I'm talking about a website where I have the username and need to get the password to log on. Won't it trigger some sort of security if its done this way and there are multiple failed log in attempts? Sorry if I'm missing something, I'm new to all of this and just trying to get an idea of how this whole thing works.

Hi, I tried to run hydra.exe from thc-hydra-windows-master archieve on windows 7 and nothing happens. Please advice, how to proceed!

Archives and Instructions found at: https://github.com/vanhauser-thc/thc-hydra and https://github.com/maaaaz/thc-hydra-windows

thc-hydra-master ARCHIEVE FOUND AT: https://github.com/vanhauser-thc/thc-hydra

thc-hydra-windows-master ARCHIEVE FOUND AT: https://github.com/maaaaz/thc-hydra-windows

README FILE also at : http://textuploader.com/oyhn

Thanks

Andy:

Use THC-Hydra in Linux. It works.

Thanks but I do not use Linux and I do not know anything about Linux. I am using windows 7.

Andy:

If you want to be hacker, you must use Linux. We are all using Kali Linux. You can't really be hacker using Windows. Check out my article here on why.

I also have a series on learning Linux here .

OTW

I know this is a late comment, but on tamperdata, where does it show you the type (eg; POST) and where does it show you the 'post' details? Thanks for your help.

Bash: command not found.._

Hey, this was an incredible tutorial but I have a couple questions...

1)Say my potential victim is on their own computer...What method do I use to get their username? I think I saw you have a tutorial on how to install software on their computer...but then why not just install a keylogger...If I come across as a jerk I appologize I'm just trying to learn :)

2)Is there a way to anonymize yourself? I think you can use tor? or would it just be easier to go through a free vpn?

3)Could you make a list or send me to a link of what the letters mean in your script and how to know when to put them in and where in the script they go (like -l, -p, etc.)

Thanks again for the awesome tutorials

Forgot to mention. Welcome to Null Byte.

Oi mate,

1. OTW's Tutorials.

1.1 Keylogger is fine if all you want is a thin data stream and 90's to boot. (If you can get a keylogger in, you could of got something better in?)

2. Sure.

2.1 ToR is kinda anonymous still: Rouge fdral nodes but you are in a crowd. They purposely degrade the performance of the ToR network as well.

2.2 VPN: Log retention? (Pretty sure it's (un)official that every backbone fiber line is tapped now.)

3. Umm: Probably not but maybe. In the mean time for your viewing enjoyment. :~ thc-hydra --help

;-p

Thanks a lot! That actually helped a lot

I tried to hack a gmail acc, and everything worked out fine until gmail blocked me for too many try.
I think they banned me after 150 requests.

I were just wondering about there was a way to pass this "ban." ?

I need to use wordlists over 150 words if it should be realistic, so there is no way that i can use wordlists beneath 150.

If anyone have a idea how to pass the block,
would a reply be highly appreciate!
thanks :)

OTW
Looks like i came late
but i hope , you reply
the post was very good
but right now , iam not using linux , instead windows
i have tried password cracking with cain and abel and it worked
but i needed a tool to hack online //telnet - http - smtp//
i know only brutus in this category and it keeps failing to crack even very simple telnet logins
i need help and possibely guidence
iam reading "Hacking for dummies" to learn more
also iam a CCNA-MCITP - and soon CCNP - If that matters
thank you in advance

Amr:

I strongly suggest that you install Kali Linux if you want to really learn hacking.

OTW

Hello ! I need some help for hacking an instagram account. I know this might be illegal but that account is made by someone in our school and he's using it to show everyone private information about some of my friends, aswell as about me. If you can't help me out, it's okay, but if you can, that'd be great ! :)

Hey OTW. How do I open Kali linux? I have a Mac:)

Did you install it in a VM?

What is a VM? Just download it from kali linux.

Did you read my tutorial on installing Kali?

Where is it? I don't see the tutorial! I appreciate your help:)
Do you have a link?

Take a look at this tutorial .

Thanks. I'll look at it:)

Hello OTW, I have a few questions...

I tried it so far but now when I want to break the password of gmail account, I need to get the IP from gmail.com or by the person who own the account? What is the best method to find out the IP and the port?

The next question is about the word lists, when I use the command - /user/share/wordlists - I get given word lists? I can use them?

sorry for my questions, but I'm trying to understand it and get forward ...

Thank you!

Beni:

First, THC-Hydra is a brute force password cracking tool. Gmail will not allow you to continue to guess indefinitely, so it is probably the wrong tool for this job.

That having been said, you can use any wordlist you want. Some are better than others. It's important to choose the appropriate wordlist for the job to increase your chances of success.

OTW

you have a tutorial what could be the right way to continue in this?

Hello, any progress with the tutorial about hydra and web form? I was looking through your articles but was not able to find something. Thanks!

I'll have one out so soon, so keep coming back.

Hi OTW!! I am new here and I started with this tutorial. But I have got a problem. In step 4. When i wrote cd/usr/wordlists cmd says that this directory doesnt exist. How can I fix this?

Simon:

Welcome to Null Byte!

The command should be "cd /usr/share/wordlists". You copied it incorrectly.

OTW

...patiently waits for almost a year since original article was written for promised follow up that is said to be "coming soon"...

The follow up is here.

Thanks! :D

Tried just about every combo of commands I could think of. I have an xfinity router that does not have the pop-up style login. I also could not figure out how to add the username and pw to the url in a way that attempted authentication.

When trying the different types of requests (http-get, http-get-form, etc) I would either get all the passwords working or all of them failing when the correct password was the fifth entry in the word list.

Thanks for any help!

You showed how to install tamper data,but you didn't show us how to install hydra. I tried looking up download links to hydra but I couldn't find any! You need to show how to download hydra!

Hydra is built into Kali. No need to download anything.

What if you use Windows 7 instead of Kali?

Windows is not a hacking platform.

I think I'll install virtual box and use kali that way. Then,I might could start hacking from there. Is there a better way?

Yes

What is a better way? Should I use brute force instead? I installed brute force one time and it didn't give me the shortcut.

This is brute force.

What about burpsuite?

Also,is there a more simple way to crack passwords? You know,like putting the URL of the site down and typing in the username of who's password you want to crack and then it processes it and cracks it?

Will this be effective for obtaining passwords to sites that require no username?

Jonathan:

I have never tried it with a site that requires just a password, but I don't see why not. When you are building the command, just leave out the username. Give it a try and let us know how it works.

How does Hydra know what website to crack on? Like if I'm trying to brute force on Steam , how will it know that I'm not trying to brute force let's say facebook if I have them both on tab? Is that what the port and ip was for? And one more question how does it bypass the password limit lock? I'm a HUGE fan of yours awesome guides

It doesn't work through your browser. It only attacks the IP and port you specify. Likely it cannot bypass such preventative measures. Brute force attacks will not be effective against locks.

Can I hack games like Smallworlds? Like breaching data and stuff?

Yes

This might be a very idiotic question. But how do i open Tamper Data after I've installed it to Firefox?

Good question

In the Menu bar-> tools-> Tamper data

any one know what is the direbuster and how can i work it

I have a tutorial on dirbuster. It basically finds the directories of a website.

I have one problem, when I start Tamper data and try to login. All good, but I dont know where I can get the ip adress, which I must write in the hydra commment?

I'm currently learning all about THC-Hydra because i find Brute Forcing one of the more interesting topics to learn about and discuss. I get how to use hydra -l username -p passwordlist.txt. When it comes to Tamper Data i get confused. I have programmed a login system in Php and i want to Pen-test it. I'm what would be considered a noob at this stuff. So my main questions are

-How do i understand Tamper Data in a simple way.

-How do i use hydra to get the password of an account of a login system i created in Php.

-What can i start learning to help me with this stuff.

Please Respond to this post and thank you for this helpful post!

Okay, I am severely confused on how to download Kali, I have the person IP address and was wondering if anyone would like to do this for me? Or at least help me download kali XD

So wonderful,But does he miss something? where is the next Hydra tutorial?

OTW
hi i am new in hacker things i installed kali linux one month ago
can i use xhydra to crack hotspot admin login account ?

please tell me how to use it right i tried to do that but it gave wrong password i think that because hotspot use proxy login page right ?

and i didn't understand tamper data usage and how to get the ip of a website
that is what tamper data gave when i try login to the hotspot

NOTE
maybe you will find some syntex mistake that because i am noot good in english
thanks for your article.

don't worry about ip i am using ping to get it but i can't get the port

Does an instant message web page records all the passwords of their usernames? Even if they enter their username and password using a software on their computer?

Is this correct? usr/share/wordlists# hydra -l username -P passwordlist.txt target <url> <formparameters> <failure string>

Where can I find the failure string?? Is it possible to do that? Thanks in adavance :)

Hello everyone

Does this strategy works on online games? And would i get IP ban or be blocked if i did crack a password... I know a lot of accounts on the game i go on stopped playing since 5 years .. Please tell me

I have further questions for the moderator or writer of this article. I am in desperate need of a tool to hack my own email. Beginners level as I understand nearly nothing about computers.

You ask why, because either I have forgotten the password or someone else hacked and hijacked my account and recovery options. I suspect the latter is more true but I can't get the ISP to do anything about it. They forum of help is super limited and pretty much they tell me they cant do anything I am SOL. I figure my account means I should be allowed to hack my own shit...I am ethical.

I have been through the utterly pointless circular system of contacting the email provider who snidely says ...figure it out on your own because we do not help people with free accounts now. They used to but not anymore and you cant get a real person anymore ...just a lot of run around via these automated options.

Once I gain access to my email... I plan to port all my emails and contacts to a better email system. I am tired of the no service unless their is profit in it attitude. And I am tired of them getting hacked but telling the rest of us that it isn't their problem. I do not like the attitude...I have been with them since the 2004ish mark (had more than one account).

I did set up a recovery but that was also compromised so that is a pointless endeavor. So if one of you genius types is willing to help me to get from point A to B...I would greatly appreciate it. I especially liked Allen Freemans hacking article. I do not think all hacker are disreputable...I think there are ethical people with these skills so I am seeking one of you to contact me.

Thanks....
great articles but way way beyond my head.

I was using HYDRA GTK where on different executions, HYDRA displayed successful password every-time with a different set of string. Each of them was invalid. If any-one faced this problem or knows the solution, please help.

I have a problem when I tried THC hydra

I used this code.....
hydra -l <email> -P \Users\neo\documents\rockyou.txt -e ns -V -S -s 465 smtp.gmail.com smtp

And the result is..

Hydra (http://www.thc.org/thc-hydra) starting at 2017-11-10 15:52:51
INFO several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
DATA max 16 tasks per 1 server, overall 64 tasks, 14344400 login tries (l:1/p:14344400), ~14008 tries per task
DATA attacking service smtp on port 465 with SSL
ERROR socketpair creation failed: Connection timed out
ERROR socketpair creation failed: Connection timed out
ERROR socketpair creation failed: Connection timed out
ERROR socketpair creation failed: Connection timed out
ERROR socketpair creation failed: Connection timed out

why its happening and what is the solution?

Can I crack a website who not have password? The website only need user to login

Can anyone help me and tell me what I'm doing wrong trying a facebook hack but hydra stops after 10 trys I'm am just learning please help me learn hydra so I can use it correctly thank you

Step 1: Please Help

Step 2: