thc-hydra against a web form with json
Hi mates,
I have been playing around with Kali and thc-hydra the last few days, but now I am stuck.
After successfully bruteforcing my FTP server and my router, I was wondering what to do next :)
I bought a new robotic moan lower (is that the right word?! :) and that thing has WiFi and a web login too.
The problem with it is that it's obviously not the same kind of login as my router used (which I got into using hydra :).
I did some research on the internet but I didn't find anything related to that which would have helped me. I captured the logins from both (original page and hydra) with Wireshark, and obviously hydra isn't doing what I was hoping for ^^:
/*original attempt*/
POST /services/session HTTP/1.1
Host: 192.168.0.112
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.0.112/login
Content-Length: 88
Cookie: i18next=en
Connection: keep-alive
{"username":"admin","password":"TESTSUCH",":type":"urn:seluxit:xml:bastard:session-1.0"}
/*hydra attempt*/
POST /services/session HTTP/1.0
Host: 192.168.0.112
User-Agent: Mozilla/5.0 (Hydra)
Content-Length: 32
Content-Type: application/x-www-form-urlencoded
username=admin&password=TESTSUCH
hydra command: hydra 192.168.0.112 http-form-post "/services/session:username=^USER^&password=^PASS^:Unauthorized" -l admin -p TESTSUCH -V -f -t1 -w10
Can you tell me where to start? What am I doing wrong? What to search for? What to learn? How to manipulate the hydra command with the information I have? I am really stuck here... ANY help would be appreciated!
Thanks in advance,
dietmar
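Seen from the device's side, the two captures above are easy to tell apart. The following is an added example, not part of the original post: detection logic that checks a login POST against the request profile of the web UI. The function names are hypothetical, and the sample requests are the two captures from the post, trimmed to the headers the checks use.

```python
import json

EXPECTED_PATH = "/services/session"  # login endpoint seen in both captures

def parse_request(raw):
    """Split a raw HTTP request into (method, path, version, headers, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers, body.strip()

def login_anomalies(raw):
    """Return reasons a login POST deviates from the web UI's request profile."""
    method, path, version, headers, body = parse_request(raw)
    if method != "POST" or path != EXPECTED_PATH:
        return []  # not a login attempt, nothing to judge
    reasons = []
    if "hydra" in headers.get("user-agent", "").lower():
        reasons.append("user-agent names a brute-force tool")
    if not headers.get("content-type", "").lower().startswith("application/json"):
        reasons.append("content-type is not application/json")
    if headers.get("x-requested-with") != "XMLHttpRequest":
        reasons.append("missing X-Requested-With: XMLHttpRequest")
    try:
        doc = json.loads(body)
        if not isinstance(doc, dict) or not {"username", "password", ":type"} <= doc.keys():
            reasons.append("JSON body lacks username/password/:type")
    except ValueError:
        reasons.append("body is not JSON")
    return reasons

# Sample input: the browser capture from the post (headers trimmed).
BROWSER = """POST /services/session HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest

{"username":"admin","password":"TESTSUCH",":type":"urn:seluxit:xml:bastard:session-1.0"}"""

# Sample input: the hydra capture from the post (headers trimmed).
HYDRA = """POST /services/session HTTP/1.0
User-Agent: Mozilla/5.0 (Hydra)
Content-Type: application/x-www-form-urlencoded

username=admin&password=TESTSUCH"""
```

Header checks like these are a cheap first signal; per-source limits on failed logins remain the primary control.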