Burp Suite User Forum


HTTP brute force with hydra no results

El | Last updated: Jul 17, 2021 04:32PM UTC

I'm trying to solve a brute force login exercise (https://portswigger.net/web-security/authentication/password-based/lab-username-enumeration-via-subtly-different-responses) using hydra and I do not know what I'm doing wrong. The hydra command below returns false positives or none at all (depending on how I modify the expression):

hydra -L usernames.txt -P passwords.txt target-domain-name https-post-form "/login:username=^USER^&password=^PASS^:Invalid" -v

Does using hydra with portswigger require some additional configuration?

Uthman, PortSwigger Agent | Last updated: Jul 19, 2021 10:52AM UTC

Hi, have you tried using the instructions in the solution provided instead of Hydra?

Th3Panda | Last updated: Jul 31, 2021 06:42PM UTC

Hello, after several tries and some research I had success with hydra. Thanks to you I solved my command. With:

hydra -L users.txt -P pass.txt target https-post-form "/login:username=^USER^&password=^PASS^:S=302"

And optionally I used the flag -t 64 to speed up. And I've got my user and pass.

My issue was that in the command I was using http-post-form instead of https. Your fault is the failure sentence. It is always shown as Invalid username or password, but sometimes with ".", so you must find something that is always stable: the 302 response on success: S=302
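Added example, not part of the thread and not the lab's code: the failure message that "sometimes" ends in "." is the flaw the lab is named after, and it usually comes from two code paths building the same message separately. The handlers, account data and the choice of which path drops the full stop are constructed assumptions; the check at the end is the kind of regression test an application's own developers would keep.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed value for this example only

def _digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 1000)

USERS = {"alice": _digest("correct horse")}  # constructed account
DUMMY = _digest("no-such-account")           # compared against for unknown users

def login_inconsistent(username, password):
    """'Before': each failure path writes its own message and they drift apart."""
    if username not in USERS:
        return 200, "Invalid username or password."
    if not hmac.compare_digest(USERS[username], _digest(password)):
        return 200, "Invalid username or password"  # full stop missing (assumed path)
    return 302, ""

FAILURE = (200, "Invalid username or password.")  # single source for every failure

def login_uniform(username, password):
    """'After': one failure constant and the same hashing work for unknown users."""
    stored = USERS.get(username, DUMMY)
    matches = hmac.compare_digest(stored, _digest(password))
    if matches and username in USERS:
        return 302, ""
    return FAILURE

def failure_responses(handler, known_user, unknown_user, wrong_password):
    """Distinct (status, body) pairs returned for the two kinds of failed login."""
    return {
        handler(known_user, wrong_password),
        handler(unknown_user, wrong_password),
    }

def is_uniform(handler):
    """True when a failed login looks identical whether or not the account exists."""
    return len(failure_responses(handler, "alice", "mallory", "wrong-password")) == 1

if __name__ == "__main__":
    for handler in (login_inconsistent, login_uniform):
        print(handler.__name__, "uniform failures:", is_uniform(handler))
```

A real test would also compare status line, headers and response timing, since any of those can differ between the two paths.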
