Please, be aware that post has mistake in hydra command: when you first try to get correct username you want to check for "Invalid username" error, not "Invalid password". Only when you will have username you should launch hydra with "Invalid password" error check.
Hope that helps!
I write to better educate myself as I go through CTFs and Bug Bounties. If anything I have written is incorrect, please let me know and send me a link to an article to read to better educate myself.
Location
Seattle
Education
Information Technology BA and Software Engineering Bootcamp Grad
That's interesting because it worked for me.... I was under the impression that the command "hydra -L rockyou.txt -p aaa 35.xxx.xxx.xxx http-post-form "/73fxxxxxxx/login:username=^USER^&password=^PASS^:Incorrect password" " was using the rockyou.txt for the usernames and waiting for the error to change to "incorrect password" to tell me that it was the correct username... no??
You need to use an error message which isn't on the page when it finds the right username. In this case, the login page will display the message "Invalid username" until you find the right one, which will then change to "Invalid password". So you want Hydra to know that it succeeds when the "Invalid username" is no longer displayed.
Please, be aware that post has mistake in hydra command: when you first try to get correct username you want to check for "Invalid username" error, not "Invalid password". Only when you will have username you should launch hydra with "Invalid password" error check.
Hope that helps!
That's interesting because it worked for me.... I was under the impression that the command "hydra -L rockyou.txt -p aaa 35.xxx.xxx.xxx http-post-form "/73fxxxxxxx/login:username=^USER^&password=^PASS^:Incorrect password" " was using the rockyou.txt for the usernames and waiting for the error to change to "incorrect password" to tell me that it was the correct username... no??
You need to use an error message which isn't on the page when it finds the right username. In this case, the login page will display the message "Invalid username" until you find the right one, which will then change to "Invalid password". So you want Hydra to know that it succeeds when the "Invalid username" is no longer displayed.
Thanks for the great post!
Where do you get the /73fxxxxxxx from?