Finding usernames by THC-Hydra

Hello,
I want to find a PhpMyAdmin username via THC-Hydra. The login page code is:

<div class="item">
            <label for="input_username">Username:</label>
            <input type="text" name="pma_username" id="input_username" value="" size="24" class="textfield">
        </div>
        <div class="item">
            <label for="input_password">Password:</label>
            <input type="password" name="pma_password" id="input_password" value="" size="24" class="textfield">

I used the command below:

$ hydra -L /usr/share/dict/cracklib-small -p 123 192.168.56.5 http-post-form '/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^:incorrect'

But the result is:

[80][http-post-form] host: 192.168.56.5  login: agonized  password: 123
[80][http-post-form] host: 192.168.56.5  login: agnomen  password: 123
[80][http-post-form] host: 192.168.56.5  login: agonize  password: 123
[80][http-post-form] host: 192.168.56.5  login: agreeableness  password: 123
[80][http-post-form] host: 192.168.56.5  login: agreeable  password: 123
[80][http-post-form] host: 192.168.56.5  login: agreed  password: 123
[80][http-post-form] host: 192.168.56.5  login: agrarian  password: 123
[80][http-post-form] host: 192.168.56.5  login: agreers  password: 123
[80][http-post-form] host: 192.168.56.5  login: agreeably  password: 123
[80][http-post-form] host: 192.168.56.5  login: agree  password: 123
[80][http-post-form] host: 192.168.56.5  login: agreements  password: 123
[80][http-post-form] host: 192.168.56.5  login: agricola  password: 123
[80][http-post-form] host: 192.168.56.5  login: agribusiness  password: 123
[80][http-post-form] host: 192.168.56.5  login: agrees  password: 123
[80][http-post-form] host: 192.168.56.5  login: agreer  password: 123
[80][http-post-form] host: 192.168.56.5  login: agrimony  password: 123
[80][http-post-form] host: 192.168.56.5  login: agreement  password: 123
[80][http-post-form] host: 192.168.56.5  login: agreement's  password: 123
[80][http-post-form] host: 192.168.56.5  login: agreeing  password: 123
...

Which part of my command is wrong?

In this tutorial, the author is using THC-Hydra to find the username? Am I wrong?

Thank you.

Hey @Jason,

The way that Hydra knows that a particular credential works is using the “Fail String” which in your case is set to “incorrect”.

'/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^:--->incorrect<---'

So, after trying out a username/password combo, if the response doesn’t contain the word “incorrect”, then hydra considers that username/password combo to be correct.

It is possible that the “Login Failed” page doesn’t contain the “Fail String” which you’ve provided and hydra eventually thinks that authentication was successful for all combinations.

To Fix,

  1. Check if the login failed page has this keyword
  2. Add the -f flag so that hydra will terminate on the first successful attempt.
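
The fail-string rule described in the answer above, modelled offline as an added example (not part of the original thread and not Hydra's own code). The response bodies are constructed samples and the function names are hypothetical; it shows why a marker that is missing from the failed-login responses makes every attempt look valid.

```python
"""Offline model of a fail-string check on login responses (constructed data)."""

# Constructed bodies, all of them responses to WRONG credentials:
FAILED_LOGIN_RESPONSES = [
    # a redirect response that carries no body at all
    "",
    # the login form rendered again, with no error text
    '<form><input type="text" name="pma_username" id="input_username"></form>',
    # an error page quoting the database message shown later in the thread
    "<div>#1045 - Access denied for user 'root'@'localhost' (using password: YES)</div>",
]


def verdict(response_body: str, fail_marker: str) -> str:
    """Rule from the answer: a response WITHOUT the marker counts as a success."""
    return "rejected" if fail_marker in response_body else "reported-valid"


def false_positive_count(failed_bodies: list, fail_marker: str) -> int:
    """How many known-failed logins the rule would still report as valid."""
    return sum(1 for body in failed_bodies
               if verdict(body, fail_marker) == "reported-valid")


def marker_is_reliable(failed_bodies: list, fail_marker: str) -> bool:
    """A marker is usable only if every known-failed response contains it."""
    return false_positive_count(failed_bodies, fail_marker) == 0


if __name__ == "__main__":
    # The two markers used in the thread's commands.
    for marker in ("incorrect", "denied"):
        wrong = false_positive_count(FAILED_LOGIN_RESPONSES, marker)
        print(f"marker {marker!r}: {wrong} of {len(FAILED_LOGIN_RESPONSES)} "
              f"failed logins reported as valid, "
              f"reliable={marker_is_reliable(FAILED_LOGIN_RESPONSES, marker)}")
```
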

Something is wrong:

hydra -F -l /usr/share/dict/2151220-passwords.txt -P /usr/share/dict/2151220-passwords.txt -e ns -vV 192.168.56.5 http-post-form '/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^:--->incorrect<---'

Result:

[ATTEMPT] target 192.168.56.5 - login "/usr/share/dict/2151220-passwords.txt" - pass "" - 2 of 2151222 [child 1] (0/0)
[ATTEMPT] target 192.168.56.5 - login "/usr/share/dict/2151220-passwords.txt" - pass "!" - 3 of 2151222 [child 2] (0/0)
[ATTEMPT] target 192.168.56.5 - login "/usr/share/dict/2151220-passwords.txt" - pass "! love you" - 4 of 2151222 [child 3] (0/0)
[ATTEMPT] target 192.168.56.5 - login "/usr/share/dict/2151220-passwords.txt" - pass "!!" - 5 of 2151222 [child 4] (0/0)
[ATTEMPT] target 192.168.56.5 - login "/usr/share/dict/2151220-passwords.txt" - pass "!!!" - 6 of 2151222 [child 5] (0/0)
[ATTEMPT] target 192.168.56.5 - login "/usr/share/dict/2151220-passwords.txt" - pass "!!!!!" - 7 of 2151222 [child 6] (0/0)
[ATTEMPT] target 192.168.56.5 - login "/usr/share/dict/2151220-passwords.txt" - pass "!!!!!!" - 8 of 2151222 [child 7] (0/0)
[ATTEMPT] target 192.168.56.5 - login "/usr/share/dict/2151220-passwords.txt" - pass "!!!!!!!" - 9 of 2151222 [child 8] (0/0)
[ATTEMPT] target 192.168.56.5 - login "/usr/share/dict/2151220-passwords.txt" - pass "!!!!!!!!" - 10 of 2151222 [child 9] (0/0)
[ATTEMPT] target 192.168.56.5 - login "/usr/share/dict/2151220-passwords.txt" - pass "!!!!!!!!!!" - 11 of 2151222 [child 10] (0/0)
[ATTEMPT] target 192.168.56.5 - login "/usr/share/dict/2151220-passwords.txt" - pass "!!!!!!1" - 12 of 2151222 [child 11] (0/0)
[ATTEMPT] target 192.168.56.5 - login "/usr/share/dict/2151220-passwords.txt" - pass "!!!!!!888888" - 13 of 2151222 [child 12] (0/0)
[ATTEMPT] target 192.168.56.5 - login "/usr/share/dict/2151220-passwords.txt" - pass "!!!!!2" - 14 of 2151222 [child 13] (0/0)
[ATTEMPT] target 192.168.56.5 - login "/usr/share/dict/2151220-passwords.txt" - pass "!!!!1111" - 15 of 2151222 [child 14] (0/0)
[ATTEMPT] target 192.168.56.5 - login "/usr/share/dict/2151220-passwords.txt" - pass "!!!123" - 16 of 2151222 [child 15] (0/0)
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=2fec2d69511d0edb10aced4cba71d506
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=b0837ca9fabbd8656a00f2c58f41ce19
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=83954a4ad001feef9a7a055e8c6153e6
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=e29f409b7093f3e05a33a80d7bca49da
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=da7e704bb889dd6d6e04bd7352b11c13
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=f978ae36c50bcf5dc8b46d37b74eb48a
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=0f345bf3fedf771384f14aae773d7fa6
[80][http-post-form] host: 192.168.56.5   login: /usr/share/dict/2151220-passwords.txt   password: !!
[STATUS] attack finished for 192.168.56.5 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-10-06 15:24:16

Look at the username ==> /usr/share/dict/2151220-passwords.txt
It means that THC-Hydra is not working properly.
I tried another way:

hydra -l root -P /usr/share/dict/2151220-passwords.txt -e ns -vV 192.168.56.5 http-post-form "/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1:denied"

I ran that command and the output is:

[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 192.168.56.5 - login "ROOT" - pass "ROOT" - 1 of 2151222 [child 0] (0/0)
[ATTEMPT] target 192.168.56.5 - login "ROOT" - pass "" - 2 of 2151222 [child 1] (0/0)
[ATTEMPT] target 192.168.56.5 - login "ROOT" - pass "!" - 3 of 2151222 [child 2] (0/0)
[ATTEMPT] target 192.168.56.5 - login "ROOT" - pass "! love you" - 4 of 2151222 [child 3] (0/0)
[ATTEMPT] target 192.168.56.5 - login "ROOT" - pass "!!" - 5 of 2151222 [child 4] (0/0)
[ATTEMPT] target 192.168.56.5 - login "ROOT" - pass "!!!" - 6 of 2151222 [child 5] (0/0)
[ATTEMPT] target 192.168.56.5 - login "ROOT" - pass "!!!!!" - 7 of 2151222 [child 6] (0/0)
[ATTEMPT] target 192.168.56.5 - login "ROOT" - pass "!!!!!!" - 8 of 2151222 [child 7] (0/0)
[ATTEMPT] target 192.168.56.5 - login "ROOT" - pass "!!!!!!!" - 9 of 2151222 [child 8] (0/0)
[ATTEMPT] target 192.168.56.5 - login "ROOT" - pass "!!!!!!!!" - 10 of 2151222 [child 9] (0/0)
[ATTEMPT] target 192.168.56.5 - login "ROOT" - pass "!!!!!!!!!!" - 11 of 2151222 [child 10] (0/0)
[ATTEMPT] target 192.168.56.5 - login "ROOT" - pass "!!!!!!1" - 12 of 2151222 [child 11] (0/0)
[ATTEMPT] target 192.168.56.5 - login "ROOT" - pass "!!!!!!888888" - 13 of 2151222 [child 12] (0/0)
[ATTEMPT] target 192.168.56.5 - login "ROOT" - pass "!!!!!2" - 14 of 2151222 [child 13] (0/0)
[ATTEMPT] target 192.168.56.5 - login "ROOT" - pass "!!!!1111" - 15 of 2151222 [child 14] (0/0)
[ATTEMPT] target 192.168.56.5 - login "ROOT" - pass "!!!123" - 16 of 2151222 [child 15] (0/0)
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=fe3f0e1d4cb13b89f0629286211b4ef3
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=ef2512677eb44cc432475b6ea462e57a
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=ba4550ea30d1031b4177cb3ee0212abb
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=5ca21e74ad5bfaaf089564ed74d444c2
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=dec221e7ae0a346ae88e635409442c71
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=f24752737dfcd76c84fb71016131e223
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=c0d22f748b3c56dc87e24bb13edd6b14
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=4af706573a7f382fa2ac693da2fc6b1d
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=d6a6ab67f7ce2d81d32f960ae69e4d87
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=3994336cc75c372f958285239e4846f8
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=873c97547103307ff1a671b2c176ee8d
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=c76bb9bbf6f2fa3b380da4edb86f832d
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=7ae7e653327a25ca2e9be2c960c684af
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=e0adc46ca96e9590b7bc221a6919c504
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=66d96dc9c1043cd6a34f1e2b6b63d0d7
[80][http-post-form] host: 192.168.56.5   login: ROOT   password: !!!!!
[80][http-post-form] host: 192.168.56.5   login: ROOT   password: !
[STATUS] attack finished for 192.168.56.5 (waiting for children to complete tests)
[VERBOSE] Page redirected to http://192.168.56.5/phpmyadmin/index.php?token=ef6cf11622f2399e12b4cbdec17d06f5
[80][http-post-form] host: 192.168.56.5   login: ROOT
[80][http-post-form] host: 192.168.56.5   login: ROOT   password: !!!!!!!!
[80][http-post-form] host: 192.168.56.5   login: ROOT   password: !!
[80][http-post-form] host: 192.168.56.5   login: ROOT   password: !!!!!!
[80][http-post-form] host: 192.168.56.5   login: ROOT   password: ROOT
[80][http-post-form] host: 192.168.56.5   login: ROOT   password: !!!
[80][http-post-form] host: 192.168.56.5   login: ROOT   password: !!!123
[80][http-post-form] host: 192.168.56.5   login: ROOT   password: !!!!1111
[80][http-post-form] host: 192.168.56.5   login: ROOT   password: !!!!!!888888
[80][http-post-form] host: 192.168.56.5   login: ROOT   password: !!!!!!!!!!
[80][http-post-form] host: 192.168.56.5   login: ROOT   password: !!!!!!1
[80][http-post-form] host: 192.168.56.5   login: ROOT   password: ! love you
[80][http-post-form] host: 192.168.56.5   login: ROOT   password: !!!!!!!
[80][http-post-form] host: 192.168.56.5   login: ROOT   password: !!!!!2
1 of 1 target successfully completed, 16 valid passwords found

When I try to log in to PhpMyAdmin, it shows me:

#1045 - Access denied for user 'root'@'localhost' (using password: YES)

The server has the open ports below:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-06 15:06 EDT
Nmap scan report for 192.168.56.5
Host is up (0.00065s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
143/tcp  open  imap
445/tcp  open  microsoft-ds
901/tcp  open  samba-swat
3306/tcp open  mysql

I tried to connect to MySQL via the CLI:

# mysql -u root -p ROOT -h 192.168.56.5 -P 3306
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'192.168.56.6' (using password: YES)

What is the problem?

Are you sure the SQL server allows the given IP login rights?
Usually, by default, SQL servers only allow login from localhost.

It is a CTF VM and I want to learn from it.

Do you have to use hydra? Like is that part of the ctf?

If not then sqlmap would be my suggested tool rather.

Hard to answer properly without knowing the details of the CTF though.

I ran SqlMap:

$ sudo sqlmap -u 192.168.56.5 --batch --dbs --crawl=2
do you want to check for the existence of site's sitemap(.xml) [y/N] N
[09:49:51] [INFO] starting crawler for target URL 'http://192.168.56.5'
[09:49:51] [INFO] searching for links with depth 1
[09:49:51] [INFO] searching for links with depth 2                                                         
please enter number of threads? [Enter for 1 (current)] 1
[09:49:51] [WARNING] running in a single-thread mode. This could take a while
[09:50:21] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[09:50:21] [WARNING] if the problem persists please check that the provided target URL is reachable. In case that it is, you can try to rerun with switch '--random-agent' and/or proxy switches ('--ignore-proxy', '--proxy',...)
[09:51:51] [CRITICAL] connection timed out to the target URL
do you want to normalize crawling results [Y/n] Y                                                          
do you want to store crawling results to a temporary file for eventual further processing with other tools [y/N] N
[09:51:51] [INFO] found a total of 2 targets
URL 1:
GET http://192.168.56.5?page=about
do you want to test this URL? [Y/n/q]
> Y
[09:51:51] [INFO] testing URL 'http://192.168.56.5?page=about'
[09:51:51] [INFO] using '/root/.sqlmap/output/results-10092020_0951am.csv' as the CSV results file in multiple targets mode
[09:51:51] [INFO] testing connection to the target URL
[09:51:51] [INFO] testing if the target URL content is stable
[09:51:52] [INFO] target URL content is stable
[09:51:52] [INFO] testing if GET parameter 'page' is dynamic
[09:51:52] [INFO] GET parameter 'page' appears to be dynamic
[09:51:52] [WARNING] heuristic (basic) test shows that GET parameter 'page' might not be injectable
[09:51:52] [INFO] heuristic (FI) test shows that GET parameter 'page' might be vulnerable to file inclusion (FI) attacks
[09:51:52] [INFO] testing for SQL injection on GET parameter 'page'
[09:51:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:51:52] [WARNING] reflective value(s) found and filtering out
[09:51:52] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[09:51:52] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:51:52] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[09:51:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[09:51:52] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[09:51:52] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[09:51:52] [INFO] testing 'Generic inline queries'
[09:51:52] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[09:51:52] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[09:51:52] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[09:51:52] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:51:53] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[09:51:53] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[09:51:53] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[09:51:53] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[09:51:53] [WARNING] GET parameter 'page' does not seem to be injectable
[09:51:53] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent', skipping to the next URL
URL 2:
GET http://192.168.56.5/index.php?page=about
do you want to test this URL? [Y/n/q]
> Y
[09:51:53] [INFO] testing URL 'http://192.168.56.5/index.php?page=about'
[09:51:53] [INFO] testing connection to the target URL
[09:51:53] [INFO] checking if the target is protected by some kind of WAF/IPS
[09:51:53] [INFO] testing if the target URL content is stable
[09:51:53] [INFO] target URL content is stable
[09:51:53] [INFO] testing if GET parameter 'page' is dynamic
[09:51:53] [INFO] GET parameter 'page' appears to be dynamic
[09:51:53] [WARNING] heuristic (basic) test shows that GET parameter 'page' might not be injectable
[09:51:53] [INFO] heuristic (FI) test shows that GET parameter 'page' might be vulnerable to file inclusion (FI) attacks
[09:51:53] [INFO] testing for SQL injection on GET parameter 'page'
[09:51:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:51:53] [WARNING] reflective value(s) found and filtering out
[09:51:53] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[09:51:53] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:51:53] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[09:51:54] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[09:51:54] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[09:51:54] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[09:51:54] [INFO] testing 'Generic inline queries'
[09:51:54] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[09:51:54] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[09:51:54] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[09:51:54] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:51:54] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[09:51:54] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[09:51:54] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[09:51:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[09:51:54] [WARNING] GET parameter 'page' does not seem to be injectable
[09:51:54] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent', skipping to the next URL
[09:51:54] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-10092020_0951am.csv'

[*] ending @ 09:51:54 /2020-10-09/

Any idea?

Sorry for the very delayed response.
Doubt it but do you still need help with this?

If yeah then do you have any details of the site/server/remote that you’re targeting?
Like have you run any initial recon exercises on the host? Identifying the backend would be handy. Usually easy enough to do by just visiting the site on your browser with the wappalyzer extension installed and shodan wouldn’t hurt either.
Knowing what you’re dealing with will go a much longer way in terms of time saving and knowing which attack vector to go with.

As a side note, if you’re gonna use crawl with sqlmap you may as well be going at crawl=3, and it’s generally a good idea to always use the '--random-agent' flag. If you get blocked or dropped by any WAF (which you don’t seem to be in this case, but going to mention it anyway) you can try using tor. Just make sure you have the tor service running, then add the '--check-tor' & '--tor' flags. Otherwise, if you have proxies then use those.

Why does it tell me that it found the password when the password is not working?

Not sure how to answer that without knowing what you’re doing or using or trying or looking at or anything. Lol. Sorry man