Hydra - 0 valid passwords found - with known password

[thornez]

I am new to Hydra and everything seems pretty straight forward, however, running an attack against my apache server/DVWA to test it out using a short password list I put together containing the actual real password results in the following:

1 of 1 target completed, 0 valid passwords found

I am running Kali Rolling, up to date, Hydra 8.1. Running verbose, I can see that it is in fact attempting the attack with all the passwords, including the correct one. Also, I have heard that there is a Hydra 8.2-Pre, which may address these issues, but thus far I have not figured out if that is actually the case as I do not see how to upgrade to that version.

Thank you for any help on this.

[stinkybit]

Maybe something is wrong with the parameters, url or failure string. There are Hydra examples for DVWA out there. You might also check the login page's source code and/or fire up burp to make sure...

[mmusket33]

Hydra provides too many false positives. MTeams suggest you use burpsuite pro. The version in kali is throttled back and slow. Search the net and you will find a source. There are some good tutorial videos thru youtube and you will need them.

MTeams

[P373]

Also, I have heard that there is a Hydra 8.2-Pre, which may address these issues, but thus far I have not figured out if that is actually the case as I do not see how to upgrade to that version.

Thank you for any help on this.

You can upgrade hydra yourself. just clone the latest version from github:

Code:

git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
make install

Now logout and back in and run hydra 8.2.

[thornez]

Thank you for the help guys. I was able to update hydra even further, however, now I am receiving the message:

1 of 1 target successfully completed, 15 valid passwords found

So essentially hydra is seeing all of the passwords in my test passlist as being valid, when only one of them is. I have gone over my command a million times to see if it is something I am doing wrong when testing on DVWA, but I can not find anything. Here is the syntax. please let me know if you spot an issue. Thanks.

hydra -l admin -P passlist 192.168.1.84 http-post-form "/DVWA-1.9/login.php:username=^USER^&password=^PASS^&Login=Lo gin:Login failed" -V

I am thinking that musket33's suggestion to ditch hydra is my most likely course of action at this point.

[P373]

Your right thornez. I fired up hydra 8.2 and all the passwords were valid. I think I'll take mmusket33 advice as well.

[highway9]

Hi P373 thornez

I new here. Maybe you go this place for help burpsuite.

https://www.datafilehost.com/d/b4fa3ac4

[grid]

I haven't used hydra in awhile, but recall seeing this same thing when testing passwords hashed with PBKDF2.

BurpSuite Pro does seem like a good product, based on what the free one in Kali is like.

[zjhxmjl]

I am new to Hydra and everything seems pretty straight forward, however, running an attack against my apache server/DVWA to test it out using a short password list I put together containing the actual real password results in the following:

1 of 1 target completed, 0 valid passwords found

I am running Kali Rolling, up to date, Hydra 8.1. Running verbose, I can see that it is in fact attempting the attack with all the passwords, including the correct one. Also, I have heard that there is a Hydra 8.2-Pre, which may address these issues, but thus far I have not figured out if that is actually the case as I do not see how to upgrade to that version.

Thank you for any help on this.

hi,guy!did you have solution now?