While working on my new setup of hacking environment, using Burp-Suite intruder is one of the best and easiest ways to do, but problem encounters in its effectiveness when using community version of it, so I switch to Hydra, instead of slow-brute attempts rate of Burp.
Refer to this YouTube Video for Live Execution: https://youtu.be/z4gF3VKkiqk
Let’s get familiar with what we are gonna see ahead, in this blog.
So, I was testing the vulnerable web apps, and then I found this Log-In form page.
I wasn’t sure what would be the username and password, so that’s for I thought the best way is to Brute Force the login form!
Note: For those who don’t know what is BRUTE FORCE ATTACK:
A brute force attack uses trial-and-error to guess login info, encryption keys, or find a hidden web page. Hackers work through all possible combinations hoping to guess correctly. These attacks are done by ‘brute force’ meaning they use excessive forceful attempts to try and ‘force’ their way into your private account(s).
This is an old attack method, but it’s still effective and popular with hackers. Because depending on the length and complexity of the password, cracking it can take anywhere from a few seconds to many years.
Now for cracking that logins pages credentials I used Hydra, a kali Linux tool!
How to use Hydra and Brute Force Any Login Page
Hydra is a very straightforward tool, but before using it we should know how to use it:
How to define Username
We will use the -l
flag for Login, because we already have the login username, if we don’t know already we will use -L
.-l admin
Defining Password
We don’t know the password so, we will use -P
and wordlist available on Kali in the /usr/share/wordlists/ directory.-P /usr/share/wordlists/rockyou.txt
IP Address for Website we are going to attack
Easy guess!10.10.10.43
Specifying Method
Easy enough, we can get this from Burp-suite or inspect the element network sectionhttp-post-form
Specifying the Path to Attack
The URL after the website's name where the login page is located/department/login.php
Finding & Specifying Location of Username/Password Form(s)
We can directly use burp-suite to intercept the request and get the formula in which username and password are being sent.username=admin&password=admin
Moment of Truth!
sudo hydra <Username/List> <Password/List> <IP> <Method> "<Path>:<RequestBody>:<IncorrectVerbiage>"
Here’s our actual command!sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.253.130 http-post-form "/dvwa/login.php:username=admin&password=^PASS^:Invalid Password!"
After a few minutes, we uncover the password to sign in!admin:password
When in doubt, use brute force.
- Ken Thompson