Hydra brute force error

brute force

hydra http://192.168.0.24:1234/ http-form-post "/password=^PASS^:Invalid password!" -P pass.txt -t 10 -o hydra-http-post-attack.txt
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-01-03 12:12:37
[INFO] Using HTTP Proxy: http://127.0.0.1:8080
[ERROR] the variables argument needs at least the strings ^USER^ or ^PASS^: Invalid password!

I'm not sure why I am getting the error as there is the ^PASS^ string. There is no username on the application.

The full URL of the login form is: http://192.168.0.24:1234/

Can anyone help?

Best Answer

About your question:

  1. When using hydra, it's not required to put http:// before the host that you're going to attack.
  2. To specify the port, please use the -s flag.
  3. You need to specify the -l flag; otherwise an error will show up.
  4. In the POST request you have to specify the file that is going to receive the POST request (e.g. index.php, password.php, validate.php, etc.)
  5. And last, but not least, you have to specify the Success case or the Fail case.

Try the following command; it is the best I can do with the information provided:

hydra -l '' -P pass.txt 192.168.0.24 -s 1234 http-post-form "/index.php:pass=^PASS^:F=Invalid Password!" -t 10 -o hydra-http-post-attack.txt

I tried it myself and it does not generate any kind of error.

Good luck!
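Why the question's command produced that error, shown as an added example (not part of the original answer and not Hydra's own code): the error output names `Invalid password!` as the variables field, which is what splitting the module argument on `:` yields. The function names and the simplified three-field model `<path>:<variables>:<condition>` are assumptions made for illustration.

```python
# Added illustration, not Hydra's source: a simplified model of the
# "<path>:<variables>:<condition>" argument of the HTTP form module.

QUESTION_ARG = "/password=^PASS^:Invalid password!"          # from the question
ANSWER_ARG = "/index.php:pass=^PASS^:F=Invalid Password!"    # from the answer


def parse_form_arg(arg):
    """Split the argument on ':' into (path, variables, condition)."""
    fields = arg.split(":")
    if len(fields) < 2:
        raise ValueError("expected <path>:<variables>[:<condition>]")
    path, variables = fields[0], fields[1]
    # Anything after the second ':' is treated here as the condition field.
    condition = ":".join(fields[2:]) if len(fields) > 2 else None
    return path, variables, condition


def check_form_arg(arg):
    """Return a list of problems; an empty list means the fields line up."""
    try:
        path, variables, condition = parse_form_arg(arg)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "^USER^" not in variables and "^PASS^" not in variables:
        # This is the condition the [ERROR] line in the question reports.
        problems.append(f"variables field {variables!r} has no ^USER^ or ^PASS^")
    if "^USER^" in path or "^PASS^" in path:
        problems.append(f"placeholder ended up in the path field {path!r}")
    if condition is None:
        problems.append("no failure (F=) or success (S=) condition field")
    return problems


if __name__ == "__main__":
    for label, arg in (("question", QUESTION_ARG), ("answer", ANSWER_ARG)):
        print(label, parse_form_arg(arg))
        for problem in check_form_arg(arg) or ["fields line up"]:
            print("   ", problem)
```

With only one `:` in the question's argument, the form data lands in the path position and the failure text lands in the variables position, so the `^PASS^` placeholder is never seen where it is expected.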
