I want to check my page that only has an IP without a hostname (http://ip.ip.ip.ip/dologin.htm).
Now I want to check it for brute force with hydra.
What I tried is:
hydra -l admin -p admin ip.ip.ip.ip http-post-form "/dologin.htm:P2=^PASS^&Login=:1"
P2: form of password
LOGIN: form of username (this is empty - no user name)
:1: for bad password attempting (doesn't have message for entering bad password)...
So the result is: when I enter the correct password in hydra, it says your password is wrong...
What should I do?
Thanks
The problem is your failure condition (:1).
From the source we can see that the format for option field is as follows:
The option field (following the service field) takes three ":" separated values and an optional fourth value, the first is the page on the server to GET or POST to, the second is the POST/GET variables (taken from either the browser, or a proxy such as PAROS) with the varying usernames and passwords in the "^USER^" and "^PASS^" placeholders, the third is the string that it checks for an invalid or valid login - any exception to this is counted as a success. So please: * invalid condition login should be preceded by "F=" * valid condition login should be preceded by "S=". By default, if no header is found the condition is assume to be a fail, so checking for invalid login. The fourth optional value, can be a 'C' to define a different page to GET initial cookies from.
So you should be able to supply a success condition instead of a fail condition.
Therefore change your :1 to :S=string from the page after successful login.
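The condition rules quoted in the answer above, modelled in Python as an added example; it is not part of the original answer and not hydra's own code. It assumes plain substring matching, no escaped ":" inside the fields, and two constructed response pages, and it shows why a bare :1 reports a correct password as wrong.

```python
# Simplified model of the option-field rules quoted above (not hydra's code).
from typing import NamedTuple, Optional

# Constructed sample responses: the page after a good login and the login
# form served again after a bad one (the device shows no error message).
GOOD_PAGE = "<html><h1>Status</h1><p>Welcome</p></html>"
BAD_PAGE = '<html><form action="/dologin.htm"><input name="P2"></form></html>'

class FormOption(NamedTuple):
    page: str
    variables: str
    condition: str
    is_success_condition: bool
    fourth: Optional[str]  # optional fourth value, kept as-is

def parse_option(option: str) -> FormOption:
    """Split 'page:variables:condition[:fourth]' as the quoted text describes."""
    parts = option.split(":")  # assumption: no escaped ':' inside the fields
    if len(parts) not in (3, 4):
        raise ValueError("expected three ':' separated values and an optional fourth")
    page, variables, cond = parts[:3]
    fourth = parts[3] if len(parts) == 4 else None
    if cond.startswith("S="):
        cond, is_success = cond[2:], True
    elif cond.startswith("F="):
        cond, is_success = cond[2:], False
    else:
        is_success = False  # no S=/F= header: treated as a fail condition
    if not cond:
        raise ValueError("empty condition string")
    return FormOption(page, variables, cond, is_success, fourth)

def counts_as_valid_login(opt: FormOption, response: str) -> bool:
    """Apply the condition to one response; any exception to it is a success."""
    found = opt.condition in response  # assumption: plain substring match
    return found if opt.is_success_condition else not found

if __name__ == "__main__":
    for option in ("/dologin.htm:P2=^PASS^&Login=:1",
                   "/dologin.htm:P2=^PASS^&Login=:S=Welcome"):
        opt = parse_option(option)
        print(option, "-> good page valid:", counts_as_valid_login(opt, GOOD_PAGE),
              "| bad page valid:", counts_as_valid_login(opt, BAD_PAGE))
```

With the bare :1 the string "1" is a fail marker, and it happens to occur in the constructed post-login page (inside the h1 tag), so the good login is rejected while the plain login form passes.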