Dark_Knight666
21 days ago

Credential Access: Using Hydra

Hi team,

I was wondering whether anyone can please help me, as I'm stuck on Q10.

So the part I'm stuck on is trying to figure out how to put a command together to use unix_users.txt and rockyou.txt to brute force an account that can log onto the web application for port 8000.

Any suggestions are more than welcome!

Many thanks.

16 Replies

  • Hello,

    So there are various different things that could be tripping you up here.

    If you go to your target IP address and specify port 8000, you will be sent to a login page (in my case this was http://10.102.108.182:8000 as seen in the screenshot below).

    You need to identify what the login button request is actually pushing as the request in order to replicate it in your hydra request.

    • Make sure you are using the listing arguments for user list (-L) and password list (-P).
    • Ensure you are setting the failure message on the end so hydra knows when the request is successful. You can find this by visiting the site in a web browser as above and attempting to log in ("Login failed!").

    hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/rockyou.txt -s 8000 10.102.108.182 http-post-form "/login:username=^USER^&password=^PASS^:F=Login failed!"
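
Seen from the defending side, a run like the one in this reply appears in the application's authentication log as a burst of failed POSTs to /login from one address, cycling through many usernames. The following is an added example, not part of the original thread: a small detector for that pattern, where the log format, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed application auth-log format (constructed for this example):
#   <ISO timestamp> src=<ip> POST /login user=<name> result=<ok|fail>
LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) POST /login user=(?P<user>\S+) result=(?P<res>ok|fail)$"
)

def detect_bruteforce(lines, window_s=60, max_fails=5):
    """Alert on > max_fails failed logins per source in window_s, and on a later success."""
    recent = defaultdict(deque)      # src -> deque of (timestamp, user) failures
    flagged = set()                  # sources that already raised a burst alert
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                 # ignore lines in other formats
        ts = datetime.fromisoformat(m["ts"])
        src, user = m["src"], m["user"]
        q = recent[src]
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0][0] > timedelta(seconds=window_s):
            q.popleft()
        if m["res"] == "fail":
            q.append((ts, user))
            if len(q) > max_fails and src not in flagged:
                flagged.add(src)
                users = len({u for _, u in q})   # many distinct names = user-list guessing
                alerts.append(("bruteforce", src, len(q), users))
        elif src in flagged:
            # A success from a flagged source points to a guessed credential.
            alerts.append(("success_after_bruteforce", src, user))
    return alerts

# Constructed sample: one noisy source, one ordinary user mistyping once.
SAMPLE = [
    f"2024-05-01T10:00:{i:02d} src=10.0.0.5 POST /login user={u} result=fail"
    for i, u in enumerate(["root", "admin", "daemon", "bin", "sys", "sync"])
] + [
    "2024-05-01T10:00:07 src=10.0.0.9 POST /login user=alice result=fail",
    "2024-05-01T10:00:09 src=10.0.0.9 POST /login user=alice result=ok",
    "2024-05-01T10:00:10 src=10.0.0.5 POST /login user=games result=ok",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE):
        print(alert)
```

The second alert type is the one to act on first: it names the account whose password should be reset.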

  • Hi, please confirm the port that you are supposed to be using. I used 8000 in my exercise and not the default 8080.

    Try 10.102.46.217:8000

  • Briefing needs to be updated. I see why you got stuck here. The briefing says to use...
    hydra -l admin -P /path/to/wordlist.txt http-post-form \
    "http://example.com/login.php:username=^USER^&password=^PASS^&submit=Login:Invalid password"

    when hydra won't accept this. The correct format is:
    hydra -L /usr/share/wordlists/metasploit/unix_users.txt -P /usr/share/wordlists/rockyou.txt -s 8000 10.102.108.182 http-post-form "/login:username=^USER^&password=^PASS^:F=Login failed!"

    Wasted too much time troubleshooting the query when the briefing was wrong! Thanks LewisMutton, Dark_Knight666, KingMashaba for the write-up here! Hope it helps others that are stuck on this question.

    • SamDickison (Community Manager)

      Hmm, I'll bring this up with support to see if they can do something about it. Sorry it wasted your time.

      • KingMashaba

        Please do check this, the briefing notes need to be updated. Even the section on Credentials - ntds, which is in the same lab as this one. You cannot run secretsdump.py as stated in the notes, needs to be run as impacket-secretsdump.

  • Took me some time to finally figure this one out. The hydra format that was presented in the briefing section is not working. Looks like you need to have your IP address before http-post-form. Used the same and managed to get the username and password.

    • LewisMutton

      Dark_Knight666 Yes, I used Burp to check the request body when pressing login and make sure I was passing the correct parameter names for the username and password.