Missing GET parameters and Hydra never ends

[andreafortunato]

Hello there,

I'm trying to learn the basics of brute force, using DVWA.
I don't know if I'm missing something but I think I have a problem with :H option...

First of all (maybe it can help): uname -a ==> Linux kali 5.10.0-kali4-amd64 #1 SMP Debian 5.10.19-1kali1 (2021-03-03) x86_64 GNU/Linux

The command I am using is very simple and it is the following (taken from #612):
hydra -l admin -p password 'http-get-form://192.168.32.129/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=Welcome:H=Cookie\: PHPSESSID=59oimk975a2200fu3a0v63apo6; security=low' -vV
But the output is:

The line [INFO] Using HTTP Proxy: http://127.0.0.1:8080 is there because not understanding what was happening, I tried to investigate using BurpSuite (I used export HYDRA_PROXY_HTTP="http://127.0.0.1:8080") and I encountered 2 major problems:

1. Using the H option, BurpSuite does not intercept any traffic and Hydra never ends;
2. Without the H option (hydra -l admin -p password 'http-get-form://192.168.32.129/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=Welcome' -vV), BurpSuite shows GET parameters are missing!
   
   Hit Forward and:
   
   Hit Forward and:
   
   and Hydra output
   

I've tried to change the command in so many different ways but the result doesn't change...
Am I doing something wrong? I would really like to understand and learn but unfortunately I'm stuck here and can't go on.

Thank you in advance and I apologize if I wrote something wrong or silly.

[vanhauser-thc]

did you see #612 ?

[andreafortunato]

Thanks for the quick reply!
Yes. As I wrote, I used the exact same command in #612 (I just added -vV and changed PHPSESSID=PLACE_YOUR_SESSION_ID_HERE; to PHPSESSID=59oimk975a2200fu3a0v63apo6;.

EDIT: Even doing tail -f /var/log/apache2/access.log:

1. Using the H option: absolutely nothing happens;
2. Without using the H option:

192.168.32.128 - - [15/Mar/2021:16:42:02 +0000] "GET /vulnerabilities/brute/ HTTP/1.0" 302 475 "-" "Mozilla/5.0 (Hydra)"
192.168.32.128 - - [15/Mar/2021:16:42:02 +0000] "GET /vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.0" 302 306 "-" "Mozilla/5.0 (Hydra)"
192.168.32.128 - - [15/Mar/2021:16:42:02 +0000] "GET /vulnerabilities/brute/../../login.php HTTP/1.0" 200 1814 "-" "Mozilla/5.0 (Hydra)"

EDIT 2: If I use a wrong destination IP:

1. Using the H option: the result does not change (Hydra continues indefinitely as in the first image)
2. Without using the H option: Hydra output

Process 5613: Can not connect [unreachable], retrying (1 of 1 retries)
[ATTEMPT] target 192.168.32.129 - login "admin" - pass "password" - 1 of 1 [child 0] (0/0)
Process 5613: Can not connect [unreachable]
[ERROR] Child with pid 5613 terminating, cannot connect
Process 5614: Can not connect [unreachable], retrying (1 of 1 retries)

So the problem seems to me to be the parameter :H=

[vanhauser-thc]

No this is the problem:

Process 5613: Can not connect [unreachable]

the target ip/port cannot be connected

[andreafortunato]

Yes, this was just a test with a wrong ip (on purpose, to see Hydra's output using the H: parameter as well).
It just seems to get stuck when I add H: to pass Cookies, whether the ip is right or not.

EDIT: I just read that I'm not the only one with this problem (#605, #584). Could it be a bug in version 9.1?
I'm sorry to see these "Closed Issues" only now but google doesn't index them...

[vanhauser-thc]

have you tried a checkout and compilation of this github state? could be that your distro has a broken binary

[andreafortunato]

I can confirm that now it works! (Hydra v9.2-dev)

1. git clone https://github.com/vanhauser-thc/thc-hydra
2. ./configure
3. make
4. make install

So I'll purge the pre-installed Hydra version (9.1) on Kali (I also tried to reinstall it but it doesn't work anyway).

Thanks so much for the help!