How to enable a penetration test of an HTTP POST form?

0

I'm not getting the correct results and I'm not sure what I'm doing wrong:

$ ./hydra -l admin -x 3:9:a http://localhost http-post-form "/admin/login:j_username=^USER^&j_password=^PASS^:failed" -s 8088
Hydra v7.5 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-09 11:24:35
[WARNING] The service http has been replaced with http-head and http-get, using by default GET method. Same for https.
[WARNING] You must supply the web page as an additional option or via -m, default path set to /
[DATA] 16 tasks, 1 server, 5646683825432 login tries (l:1/p:5646683825432), ~352917739089 tries per task
[DATA] attacking service http-get on port 80
[ERROR] Child with pid 3320 terminating, can not connect
[ERROR] Child with pid 6620 terminating, can not connect
[ERROR] Child with pid 8496 terminating, can not connect
[ERROR] Child with pid 9260 terminating, can not connect
[ERROR] Child with pid 7440 terminating, can not connect
[ERROR] Child with pid 6012 terminating, can not connect
[ERROR] Child with pid 5368 terminating, can not connect
[ERROR] Child with pid 6228 terminating, can not connect
[ERROR] Child with pid 8104 terminating, can not connect
[ERROR] Child with pid 7644 terminating, can not connect
[ERROR] Child with pid 10152 terminating, can not connect
[ERROR] Child with pid 2484 terminating, can not connect
[ERROR] Child with pid 4788 terminating, can not connect
[ERROR] Child with pid 7948 terminating, can not connect
[ERROR] Child with pid 9040 terminating, can not connect
[ERROR] Child with pid 2648 terminating, can not connect
[ERROR] Child with pid 6116 terminating, can not connect
[ERROR] Child with pid 2684 terminating, can not connect
[ERROR] Too many connect errors to target, disabling http-get://localhost:80
0 of 1 target completed, 0 valid passwords found
[ERROR] 1 target did not resolve or could not be connected
Hydra (http://www.thc.org/thc-hydra) finished at 2014-01-09 11:24:47

Can you tell me what is wrong with my test? My form at http://localhost:8088/admin/login looks like:

  <form name='f' class="marg-left" id="inputForm" method="post" action="j_spring_security_check" >
                       <br>
                   <h4 class="title">   <h4 class="loginfailed">
                       Login failed</h4>
                   Login</h4>
                   <label>
                       <span>Username</span>
                       <input id="id1" class="textInput" type="text" name="j_username" />
                   </label>
                   <label>
                       <span>Password</span>
                       <input class="textInput" type="password" name="j_password" />
                   </label>
                   <div class="buttons">
                       <button type="submit" >Login</button>
                       <button type="reset" >Reset</button>
                   </div>
                   </form>
    
asked by Niklas Rosencrantz 09.01.2014 - 11:28

1 answer

1

It looks like you have put the port option (-s) after the HTTP POST form URL, and as a result Hydra is ignoring that option.

If you look at the error message, you can see that it is trying to connect to port 80 (the default):

[ERROR] Too many connect errors to target, disabling http-get://localhost:80

I would try moving the -s option earlier in the command line, which will probably sort it out.

    
answered 09.01.2014 - 11:41