12 Dec
Hydra returning all credentials as valid
I am setting up a brute-force with Hydra and receiving valid responses for almost all requests from the password list. But on the web form I am still getting an error that the credentials are wrong. What am I missing in the script?
The system is set up on nginx, and the login/password pairs should be correct.
I tried
sudo hydra -l admin -P 10-million-password-list-top-1000000.txt -u -e snr -s 80 -m '/admin/:nick=^USER^&password=^PASS^' <ip goes here> http-get-form
But these look like false positives.
The question is: what am I doing wrong with the configuration? The app has several ports open, and that is the HTTP one. Is it possible that authorisation is going through another protocol, not HTTP?