DVWA Brute Force Tutorial (Low Security)

Danny Beton
4 min read · Jul 16, 2016


*** Nothing contained in this article is intended to teach or encourage the use of security tools or methodologies for illegal or unethical purposes. Always act in a responsible manner. Make sure you have written permission from the proper individuals before you use any of the tools or techniques described here.

This tutorial demonstrates how you can complete a brute force attack against DVWA (Damn Vulnerable Web Application) on the low security level.

Lab requirements

  • Kali Linux
  • DVWA v1.9 running on a separate machine

This tutorial assumes you have set up the required lab environment to run the penetration test. If you need help setting up DVWA, check this out. If you need help setting up Kali on your VM, here is a good place to start.

Step 1, recon.

Firstly, we must do our homework and understand what is happening when the user submits a form. For instance, is it a GET or POST request? Where is the request going to? What data is being sent?

Luckily for us, Kali comes with a powerful tool called Burp Suite. Burp Suite is a huge tool, and does a ton of different stuff. For the purpose of this tutorial we’ll just be focusing on how we can use it for our brute force attack.

Burp Suite is going to act as a proxy server. Essentially, what this means is that we route our requests through Burp Suite — it sits in the middle. This is an oversimplified description, but you get the idea. If you’re interested in learning more about proxy servers, here is some reading.

HTTP request now:
Our browser -> Target server

HTTP request through a proxy:
Our browser -> Proxy server -> Target server

With Burp Suite sitting in the middle, we can intercept the request from our browser before it reaches the target server. There are a number of reasons why we would want to do this. In the context of this attack we are doing it so we can inspect the HTTP request.

Setting up the proxy server

For this to work we need to point our browser at the proxy server, so all requests go through it. So, let’s do that. Go ahead and open up Burp Suite.

Click Proxy in the top row of tabs, then select Options. You’ll see the proxy server address.

Kali’s default installed browser is Iceweasel. Go ahead and open that up, and we’ll point it at our Burp Suite proxy server. In the URL bar type about:preferences; this will take you to the settings page. On the left select Advanced, then from the tabs on the right select Network. Click Settings and enter the proxy server address.

With our proxy configured, we’re almost good to go. Head to the target page (http://target.site/dvwa/vulnerabilities/brute/) and enable the Burp Suite interceptor.

Inspect the login request

With interceptor enabled, any requests made from our browser will be stopped by the proxy server. Then we can inspect, modify, drop or forward the request.

Without entering any credentials, hit the login button and let’s take a look at the request. You should see this:

There is some key info here:

  • It’s a GET request
  • The login parameters (username=&password=&Login=Login)
  • The cookie (security=low; PHPSESSID=ahs8eugnukjkh9auegathrbfg5)

With all this info, we can recreate the request and use it in our brute force attack.

Step 2, the attack.

Our weapon of choice is THC Hydra. Hydra can perform rapid dictionary attacks against an authentication service.

Hydra has a bunch of options. To learn more about them, just type hydra -h in the terminal for more info and examples.

Here’s the info we’re going to provide Hydra for our attack:

  • target server
  • URL path
  • username
  • password dictionary
  • cookie
  • failure message

For the username, we’re going to cheat a bit and assume we know the username is admin. You can also provide Hydra with a username dictionary, but for now we’ll just focus on the password.

The failure message is the response we get from the login form when we submit a bad login. It’s just a string that Hydra searches the response HTML for, to decide whether the login succeeded or failed. For instance, the message we get in red under the login form after a bad login attempt is “Username and/or password incorrect.”.

The complete command will look like this:

hydra 192.168.0.11 -l admin -P /usr/share/set/src/fasttrack/wordlist.txt http-get-form "dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low;PHPSESSID=eogppved743ckngeo0so6tnp87"
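From the defender’s side, a run like the one above leaves a very recognisable trail: every guess is a GET to the brute/ page with the same username and a different password, all from one source, and because the low level carries credentials in the query string, each password ends up in the web server’s access log. The following Python detector is an added example (not from the original post, and not part of DVWA or Hydra); it parses constructed Apache/nginx combined-format log lines, isolates login attempts to the tutorial’s path, and flags any source that exceeds a threshold of attempts within a sliding time window. The log lines, IPs, timestamps, passwords and thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# The page the tutorial attacks; the form submits its credentials via GET.
LOGIN_PATH = "/dvwa/vulnerabilities/brute/index.php"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # keep_blank_values so an empty submission (username=&password=) still counts
    query = parse_qs(parts.query, keep_blank_values=True)
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": parts.path,
        "has_creds": "username" in query and "password" in query,
        "username": query.get("username", [""])[0],
        "password": query.get("password", [""])[0],
        "status": int(m.group("status")),
    }


def is_login_attempt(rec):
    """True for a GET to the brute/ page that carries username and password."""
    return rec["method"] == "GET" and rec["path"] == LOGIN_PATH and rec["has_creds"]


def find_bruteforce(lines, window=timedelta(seconds=60), threshold=10):
    """Flag (ip, username) pairs that make >= threshold login attempts inside
    any span of length `window`. Returns a list of alert dicts."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_login_attempt(rec):
            attempts[(rec["ip"], rec["username"])].append(rec)

    alerts = []
    for (ip, user), recs in attempts.items():
        recs.sort(key=lambda r: r["ts"])
        start, peak = 0, 0
        for end, rec in enumerate(recs):            # sliding window over timestamps
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "ip": ip,
                "username": user,
                "attempts": len(recs),
                "peak_per_window": peak,
                "distinct_passwords": len({r["password"] for r in recs}),
            })
    return alerts


# --- constructed sample log (made up for this example) -----------------------
_T0 = datetime(2016, 7, 16, 10, 0, 0, tzinfo=timezone.utc)


def _line(ip, secs, target, ua="Mozilla/5.0"):
    ts = (_T0 + timedelta(seconds=secs)).strftime(TS_FORMAT)
    return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" 200 4410 "-" "{ua}"'


SAMPLE_LOG = [
    # an ordinary user: loads the page, submits the empty form, then one wrong guess
    _line("192.168.0.20", 0, "/dvwa/index.php"),
    _line("192.168.0.20", 4, LOGIN_PATH + "?username=&password=&Login=Login"),
    _line("192.168.0.20", 9, LOGIN_PATH + "?username=admin&password=hunter2&Login=Login"),
] + [
    # a dictionary run: 25 guesses against "admin" in 25 seconds from one source
    _line("192.168.0.30", 20 + i, LOGIN_PATH + f"?username=admin&password=guess{i}&Login=Login")
    for i in range(25)
]


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(f"{alert['ip']} -> user '{alert['username']}': {alert['attempts']} attempts, "
              f"peak {alert['peak_per_window']} per window, "
              f"{alert['distinct_passwords']} distinct passwords")
```

The window and threshold are tuning knobs, not magic numbers; the ordinary user in the sample makes two attempts and is never flagged, while the 25-guess run trips the default threshold comfortably. The same per-source, per-account counter is also the basis of the mitigation: once the count crosses the threshold, the application (or a reverse proxy in front of it) can delay or lock out further attempts rather than merely log them.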

In action:

The tutorial for brute forcing on medium and high security will follow soon.
If you got stuck or have any questions, leave a comment, I’ll do my best to get back to you.

If you’re ready, move on to the next tutorial for the medium security level.

Happy hacking,

Danny

