Penetration Testing mailing list archives

RE: password cracking a web form, tried hydra and brutus

From: Sasa Jusic <sjusic () pamela zesoi fer hr>
Date: Fri, 6 Feb 2004 15:03:52 +0100

Hi,

You can try Curl. It is great tool and it has an option for submitting data
using HTTP POST method. As said before, the problem is you're trying to use
HTTP authentication, instead of submitting the data to the form. I think
that SquirrelMail is using POST method for submitting user data to the
server, so this could be the solution for your problems.

Another important issue in brute-forcing Web logins is the usage of cookies.
Some applications (like Webmin) require you to send the cookie value (which
has been sent in the previous reply from the Web server) as part of your
login request. In this case you must store the cookie value in separate
file, and than use it in your login request (you can do it also with curl,
switches -c, -b).

Best Regards,

Sasa.

-----Original Message-----
From: aRt dE vIvRe [mailto:bishan4u () yahoo co uk]
Sent: 2. veljaèa 2004 15:53
To: pen-test () securityfocus com
Subject: password cracking a web form, tried hydra and brutus

hi,

we are conducting a PT for a website. In order to password crack the
login/password form authentication (which happens to be squirrelmail,
written in php, looks similar to the login page of yahoo or msn)  I was
looking for some tools.

I came across Hydra and Brutus. When I tried Brutus on an inhouse dummy
site, after configuring the parameters the target would automatically
become <target>redirect.php. I googled but couldnot find a 
solution to it.

Then I tried hydra at with following command:
# hydra  -l smg -p we2su 192.168.0.3  http /webmail/src/login.php

it resulted as:
[80][www] host: 192.168.0.2   login: smg   password: we2su

which is a wrong result since I had given the wrong password.

I get the same result for valid or invalid passwords.

Am I doing anything wrong?

Is there any other tool which does what I'm looking for?

Pls. help me with this :)

Regards,
B'shan

---------------------------------------------------------------
------------
---------------------------------------------------------------
-------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

password cracking a web form, tried hydra and brutus aRt dE vIvRe (Feb 02)
- RE: password cracking a web form, tried hydra and brutus Rob Shein (Feb 05)
  - RE: password cracking a web form, tried hydra and brutus aRt dE vIvRe (Feb 05)
    - Re: password cracking a web form, tried hydra and brutus lists AT dawes DOT za DOT net (Feb 05)
    - RE: password cracking a web form, tried hydra and brutus Rob Shein (Feb 06)
- <Possible follow-ups>
- RE: password cracking a web form, tried hydra and brutus Sasa Jusic (Feb 06)