RE: password cracking a web form, tried hydra and brutus

From: Sasa Jusic (sjusic@pamela.zesoi.fer.hr)
Date: Fri Feb 06 2004 - 09:03:52 EST

• Next message: Bartholomew, Brian J: "RE: OPST vs CEH"
• Previous message: Travis Schack: "Re: Remote connection to Webmin Service (Port 10000)"
• Maybe in reply to: aRt dE vIvRe: "password cracking a web form, tried hydra and brutus"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,

You can try Curl. It is great tool and it has an option for submitting data
using HTTP POST method. As said before, the problem is you're trying to use
HTTP authentication, instead of submitting the data to the form. I think
that SquirrelMail is using POST method for submitting user data to the
server, so this could be the solution for your problems.

Another important issue in brute-forcing Web logins is the usage of cookies.
Some applications (like Webmin) require you to send the cookie value (which
has been sent in the previous reply from the Web server) as part of your
login request. In this case you must store the cookie value in separate
file, and than use it in your login request (you can do it also with curl,
switches -c, -b).

Best Regards,

Sasa.
>-----Original Message-----
>From: aRt dE vIvRe [mailto:bishan4u@yahoo.co.uk]
>Sent: 2. veljaèa 2004 15:53
>To: pen-test@securityfocus.com
>Subject: password cracking a web form, tried hydra and brutus
>
>
>hi,
>
>we are conducting a PT for a website. In order to password crack the
>login/password form authentication (which happens to be squirrelmail,
>written in php, looks similar to the login page of yahoo or msn) I was
>looking for some tools.
>
>I came across Hydra and Brutus. When I tried Brutus on an inhouse dummy
>site, after configuring the parameters the target would automatically
>become <target>redirect.php. I googled but couldnot find a
>solution to it.
>
>
>Then I tried hydra at with following command:
># hydra -l smg -p we2su 192.168.0.3 http /webmail/src/login.php
>
>it resulted as:
>[80][www] host: 192.168.0.2 login: smg password: we2su
>
>which is a wrong result since I had given the wrong password.
>
>I get the same result for valid or invalid passwords.
>
>Am I doing anything wrong?
>
>Is there any other tool which does what I'm looking for?
>
>Pls. help me with this :)
>
>Regards,
>B'shan
>
>
>
>
>
>
>
>
>
>---------------------------------------------------------------
>------------
>---------------------------------------------------------------
>-------------
>
>

---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Next message: Bartholomew, Brian J: "RE: OPST vs CEH"
• Previous message: Travis Schack: "Re: Remote connection to Webmin Service (Port 10000)"
• Maybe in reply to: aRt dE vIvRe: "password cracking a web form, tried hydra and brutus"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:48 EDT