https-form-post stops after first found

[ghost]

https-form-post stops after the first password is found. When running:

hydra https-form-post ":username=^PASS^&password=&login-form-type=pwd&returnLocation=index.html:Not found" -x 5:7:1 -l none -v -o userIDs.txt -t 50

50 threads are spawned (as per the -t argument), but once one thread finds a solution, it stops all the other threads. I can verify this by doing:

hydra https-form-post ":username=^PASS^&password=&login-form-type=pwd&returnLocation=index.html:Not found" -x 5:7:1 -l none -v -o userIDs.txt -t 5

^ Returns 5 valid solutions, which is correct since once one thread gets an answer, the user ids are sequential so the next 5 threads return. Then it stops.

hydra https-form-post ":username=^PASS^&password=&login-form-type=pwd&returnLocation=index.html:Not found" -x 5:7:1 -l none -v -o userIDs.txt -t 10

^ Now it returns 10 valid solutions because all 10 threads had valid user IDs. But then it stops.

It should ONLY stop on the first found item if "-f" is sent. If I do send "-f":

hydra https-form-post ":username=^PASS^&password=&login-form-type=pwd&returnLocation=index.html:Not found" -x 5:7:1 -l none -v -o userIDs.txt -t 10 -f

^ Now returns only 1, even though all the other threads stopped.

As you can see, I am trying to do username enumeration with hydra instead of actual password cracking.

[vanhauser-thc]

Hi!

well, you are trying to do achieve something that is not what it was planned for :-)
however you did it wrong. try this:
create a list of potential usernames (here: the numbers of length 5-7) and save it as usernames.txt
then run hydra:
hydra https-form-post ":username=^USER^&password=^PASS^&login-form-type=pwd&returnLocation=index.html:Not found" -L usernames.txt -p badpass -v -o userIDs.txt -t 10

[ghost]

That would certainly work, but I wanted to leave as small a footprint on the machine as possible, so I was using the password generation capabilities for the IDs. If this isn't a bug (since -f is supposed to make it stop at the first confirmed login, and without it, it shouldn't stop), then it might be good to state that somewhere in the hydra -U https-form-post.

[vanhauser-thc]

the -f option results that ALL attempts on ANY account are terminated once one password is found for ANY account. so the -f option will make what you want unfeasible :-)
I you want to leave a small footprint on the machine I hope what you do is legal ... ...

[ghost]

Ah, gotcha. Thats good to know.

And yes, I am a security consultant doing a few pentests. This was the first time I had to do user id enumeration like this, and I couldn't figure out why hydra wasn't playing well. Thanks for the clarification