Pentest result from HYDRA-THC

A finding I made today was, if you were to use hydra to crack a SMTP email, the email account would generally be logged out and requires verification if he were to login his IM or email account.  Which made me suspect what would happen if hydra actually gotten into the actual correct password but due to verification it would not show a success.  What I did was I froze my account by sending thousands of invalid login to my email account via hydra.  After that, I verified that I am not able to login to my email account, as it requires verification.  Without entering the verification code or logging in, I continued hydra but with the correct password of mine this time.  What I found out was hydra had successfully gotten my email’s password.  My finding is that you do not need to be worried about verification code at all.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: