Penetration Testing mailing list archives

RE: password cracking a web form, tried hydra and brutus

From: "Rob Shein" <shoten () starpower net>
Date: Wed, 4 Feb 2004 16:41:15 -0500

The problem is you're trying to use HTTP authentication, instead of
submitting the results to the form. Your better bet is to work something up,
in perl most likely (but any tcp-capable language will do), that will submit
requests just as would happen if you were to sequentially try various login
attempts on their web page.

There are also other ways you could poke at it...have you tried SQL
injection attacks in either the password or login field?

-----Original Message-----
From: aRt dE vIvRe [mailto:bishan4u () yahoo co uk] 
Sent: Monday, February 02, 2004 9:53 AM
To: pen-test () securityfocus com
Subject: password cracking a web form, tried hydra and brutus

hi,

we are conducting a PT for a website. In order to password 
crack the login/password form authentication (which happens 
to be squirrelmail, written in php, looks similar to the 
login page of yahoo or msn)  I was looking for some tools.

I came across Hydra and Brutus. When I tried Brutus on an 
inhouse dummy site, after configuring the parameters the 
target would automatically become <target>redirect.php. I 
googled but couldnot find a solution to it.

Then I tried hydra at with following command:
# hydra  -l smg -p we2su 192.168.0.3  http /webmail/src/login.php

it resulted as:
[80][www] host: 192.168.0.2   login: smg   password: we2su

which is a wrong result since I had given the wrong password.

I get the same result for valid or invalid passwords.

Am I doing anything wrong?

Is there any other tool which does what I'm looking for?

Pls. help me with this :)

Regards,
B'shan

--------------------------------------------------------------
-------------
--------------------------------------------------------------
--------------



---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

password cracking a web form, tried hydra and brutus aRt dE vIvRe (Feb 02)
- RE: password cracking a web form, tried hydra and brutus Rob Shein (Feb 05)
  - RE: password cracking a web form, tried hydra and brutus aRt dE vIvRe (Feb 05)
    - Re: password cracking a web form, tried hydra and brutus lists AT dawes DOT za DOT net (Feb 05)
    - RE: password cracking a web form, tried hydra and brutus Rob Shein (Feb 06)
- <Possible follow-ups>
- RE: password cracking a web form, tried hydra and brutus Sasa Jusic (Feb 06)