Thread: Hydra - 0 valid passwords found - with known password

  1. #1
    Join Date
    2015-Aug
    Posts
    19

    Hydra - 0 valid passwords found - with known password

    I am new to Hydra and everything seems pretty straightforward, however, running an attack against my apache server/DVWA to test it out using a short password list I put together containing the actual real password results in the following:

    1 of 1 target completed, 0 valid passwords found

    I am running Kali Rolling, up to date, Hydra 8.1. Running verbose, I can see that it is in fact attempting the attack with all the passwords, including the correct one. Also, I have heard that there is a Hydra 8.2-Pre, which may address these issues, but thus far I have not figured out if that is actually the case as I do not see how to upgrade to that version.

    Thank you for any help on this.

  2. #2
    Maybe something is wrong with the parameters, url or failure string. There are Hydra examples for DVWA out there. You might also check the login page's source code and/or fire up burp to make sure...

  3. #3
    Join Date
    2013-Jul
    Posts
    844
    Hydra provides too many false positives. MTeams suggest you use burpsuite pro. The version in kali is throttled back and slow. Search the net and you will find a source. There are some good tutorial videos thru youtube and you will need them.

    MTeams

  4. #4
    Join Date
    2016-Apr
    Posts
    100
    Quote: Originally posted by thornez
    Also, I have heard that there is a Hydra 8.2-Pre, which may address these issues, but thus far I have not figured out if that is actually the case as I do not see how to upgrade to that version.

    Thank you for any help on this.
    You can upgrade hydra yourself. Just clone the latest version from github:

    Code:
    git clone https://github.com/vanhauser-thc/thc-hydra.git
    cd thc-hydra
    ./configure
    make
    make install
    Now logout and back in and run hydra 8.2.

  5. #5
    Join Date
    2015-Aug
    Posts
    19
    Thank you for the help guys. I was able to update hydra even further, however, now I am receiving the message:

    1 of 1 target successfully completed, 15 valid passwords found

    So essentially hydra is seeing all of the passwords in my test passlist as being valid, when only one of them is. I have gone over my command a million times to see if it is something I am doing wrong when testing on DVWA, but I cannot find anything. Here is the syntax. Please let me know if you spot an issue. Thanks.

    hydra -l admin -P passlist 192.168.1.84 http-post-form "/DVWA-1.9/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -V

    I am thinking that musket33's suggestion to ditch hydra is my most likely course of action at this point.
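
Added example, not part of the original thread or of Hydra's code: an offline model of how a failure-string condition like the one in the command above classifies responses. It assumes the third field of the option is text that marks a failed login (an `S=` prefix marks success text instead); the response bodies are constructed, and `WRONG_AS_SERVED` is a hypothetical reply to a wrong password that never contains "Login failed", in which case every candidate is counted as valid.

```python
# Added illustration: models the failure-string decision only; sends no traffic.
OPTION = "/DVWA-1.9/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"

# Constructed response bodies (not captured from a real server).
WRONG_AS_EXPECTED = "<form>...</form><div class='message'>Login failed</div>"
WRONG_AS_SERVED = "<form>...</form><div class='message'>Request rejected</div>"  # hypothetical
RIGHT = "<h1>Welcome</h1>"

def parse_form_option(option):
    """Split 'path:form-data:condition' (simplified: no escaped colons or extra options)."""
    path, params, condition = option.split(":", 2)
    if condition.startswith("S="):      # S= marks text that means success
        return path, params, ("success", condition[2:])
    if condition.startswith("F="):      # F= (or no prefix) marks text that means failure
        condition = condition[2:]
    return path, params, ("failure", condition)

def judged_valid(body, condition):
    """Apply the condition to one response body the way a string check would."""
    kind, text = condition
    return (text in body) if kind == "success" else (text not in body)

def count_valid(option, bodies):
    """Number of responses that the condition would report as a valid login."""
    condition = parse_form_option(option)[2]
    return sum(judged_valid(b, condition) for b in bodies)

def condition_is_trustworthy(option, known_wrong_body, known_right_body):
    """Baseline: a known-wrong login must be rejected and the known-right one accepted."""
    condition = parse_form_option(option)[2]
    return (not judged_valid(known_wrong_body, condition)
            and judged_valid(known_right_body, condition))

if __name__ == "__main__":
    # 14 wrong passwords plus the real one, as in a 15-entry test list.
    print(count_valid(OPTION, [WRONG_AS_SERVED] * 14 + [RIGHT]))
    print(count_valid(OPTION, [WRONG_AS_EXPECTED] * 14 + [RIGHT]))
    print(condition_is_trustworthy(OPTION, WRONG_AS_SERVED, RIGHT))
```

Comparing the body actually returned for one known-wrong login against the condition, as post #2 suggests doing with the page source or burp, is the baseline check that `condition_is_trustworthy` models.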

  6. #6
    Join Date
    2016-Apr
    Posts
    100
    You're right, thornez. I fired up hydra 8.2 and all the passwords were valid. I think I'll take mmusket33's advice as well.

  7. #7
    Join Date
    2016-Apr
    Posts
    2
    Hi P373 thornez

    I am new here. Maybe you can go to this place for help with burpsuite.

    https://www.datafilehost.com/d/b4fa3ac4

  8. #8
    Join Date
    2013-Apr
    Location
    Kali forums
    Posts
    805
    I haven't used hydra in a while, but recall seeing this same thing when testing passwords hashed with PBKDF2.

    BurpSuite Pro does seem like a good product, based on what the free one in Kali is like.

  9. #9
    Join Date
    2016-Jul
    Posts
    1
    Quote: Originally posted by thornez
    I am new to Hydra and everything seems pretty straightforward, however, running an attack against my apache server/DVWA to test it out using a short password list I put together containing the actual real password results in the following:

    1 of 1 target completed, 0 valid passwords found

    I am running Kali Rolling, up to date, Hydra 8.1. Running verbose, I can see that it is in fact attempting the attack with all the passwords, including the correct one. Also, I have heard that there is a Hydra 8.2-Pre, which may address these issues, but thus far I have not figured out if that is actually the case as I do not see how to upgrade to that version.

    Thank you for any help on this.
    Hi, guy! Do you have a solution now?
