Looking for a little help. I have the user and the correct fail string and parameters for the Skill Assessment - Website in the Login Brute Forcing Module. I am not getting a hit with the usual password lists (rockyou-10.txt, rockyou (times out before completing)). Any nudge in the right direction would be appreciated.
I have looked at other forum posts and noticed that others had similar issues. Appreciate any help.
part of the hydra arguments: http-post-form "/admin_login.php:user^USER^&pass=^PASS^:F=<form name='log-in'"
Hey! I would recommend using a larger rockyou.txt password list. rockyou-10.txt will not work! But as you said the largest one times out. There should be others larger than rockyou-10.txt and smaller than rockyou.txt. Just keep increasing the list size until you find it!
-onthesauce
I commented too soon on my own thread - my syntax is the same as yours. I’ve changed the F=<form name='log-in'" to S='log-out' or S='HTB'" trying to find creds that work. I either get no password or passwords that don’t work.
http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'" is what I've been running over and over again.
I’ve tried running the sed commands against the rockyou.txt files (from the password policy example) trying to avoid the false positive passwords, but it hasn’t worked. I have no idea what I’m missing here.
The only thing I can see that seems odd is the IP starts with 68 and should probably be 168. But when you respawn the box it will give you a new IP to work with. Aside from that I would say this looks correct.