Hydra Brute force attack with Burpsuite
Hydra is a very fast online password cracking tool using brute force, which can perform rapid dictionary attacks against more than 50 Protocols, including Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases and much more. THC (The Hackers Choice) created Hydra for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.
When using hydra for HTTP login, their are some very important things to look for before starting any brute force attack. Is the website using cookies, does the website have any PHP session ID’s? Does the login page do a GET or POST on the web server?
For this tutorial I will explain using cookies.. This way it will cover all basic. In case if you don't need cookies then also you can use same method.
I will be using DVWA for demo and it is also suggested to use your lab for testing, before moving to real time applications.
Login to DVWA (admin/password) --> Brute Force
Enter any random username and password, it will give you error.. (right username and password are admin/password).
Start burp suite
Got to Proxy --> Intercept, Turn intercept off.
Goto Proxy --> HTTP History
Configure Mozila for burp suite
To configure mozila
Mozila Preference --> Network configuration --> Proxy
Now proxy is configured login again in DVWA and you will see entry in burp suite dashbaord.Click on entry which have URL /vulnerability/brute.....
Here you can see we have Cookies in header, we will use those cookies.
Now we need to setup hydra for attack. To setup we will need attack string which have
- request type ( In this case it is GET request, check in burpsuite)
- URL (In this case it is /vulnerability/brute/)
- Attack Parameter (In this case it will be username and password)
- Verification String (This is used to identify wrong attempt, in our case it will be incorrect , you can get it by false login)
- Header (session/cookies) (from Burp suite)
Command for Hydra is
hydra -L <User List> -P <Password List> <Server IP> <Attack String>
You can use -L for user list or -l in case of single user.
With about command reference, command for this attack will be
hydra -l admin -P usr/share/john/password.lst 10.100.100.11 <attack string>
For attack string
- request type : http-get-form
- URL : /vulnerability/brute/
- Attack Parameter : username=^USER^&password=^PASS^&Login=Login
- Verification String : incorrect
- Header : -H cookies: PHPSSSID: ...........................; security:high
So our final command will be
hydra -l admin -P /usr/share/john/password.lst 10.100.100.11 http-post-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:incorrect:H=Cookies: PHPSSID:alskdjffjdklsl234432; security=high;"
Make sure to put ':' and 'H=' at right place.
Here is attached video for detailed explanation.