Hydra showing all passwords as valid when only 1 password is valid [closed]
I am doing my final year project at university and it's about looking at vulnerabilities within an IoT device, so I have brought the Amcrest IP2M-841W-V3 ip security camera.
As I have setup the camera myself, I know the username and password, and the device is only accessible on the local network. I am trying to use Hydra to get the password. I know it uses only http and when trying to login/logging in, I know it uses POST requests.
If I use burpsuite to intercept the packets during a login attempt, it shows me 'POST /RPC2_Login. I have tried that and get 0 valid passwords found.
I also know that the sessionID changes after every attempt regardless of a successful log in or not. So I tried adding the sessionID and that still gave me the wrong result (I can't remember if it gave me no result or said every password was correct. Either way, it didn't give me only the correct password.).
I think one of the reasons might be that regardless of a successful login attempt or not, the status code is 200, so because there's a successful response from the server, that's why it is returning all passwords as valid? idk
Can anyone tell me how to correct the hydra command so it will show the correct password and only the correct password?
