Web PenTesting Workshop — Using The Hydra Tool To Brute Force Username & Passwords (Ex.2)

Elias Escalante Jr
2 min read · Jun 2, 2023


Before Starting:

  • Passwords are meant to be easy to brute-force.
  • Lab difficulty: Low

Exercise Objective: “Your goal is to get the administrator’s password by brute forcing.”

Similar to Ex.1, I used the same “seclists” wordlists to attempt to find the admin user’s password, but this time I used the Hydra tool.

I opened a terminal and changed directory to the “seclists” passwords folder.

I kept my BurpSuite instance open for this attack from Pt.1.

Hydra command used:

hydra -l admin -P 500-worst-passwords.txt -f 10.0.31.27 http-get-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:password incorrect" -VfI

Vulnerabilities and Mitigations:

  • “GET” request vulnerability.

Looking at the source, whenever a user attempts to log in, the form is submitted with a “GET” request instead of a “POST” request.

Using a “GET” request puts the username and password in the URL, so they also end up in browser history, proxy and server access logs, and any Referer header sent from that page.
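As an added example (not code from the original post), the script below takes the defender’s view of both the Hydra run above and the “GET” request issue: it parses constructed access-log lines for the same login path, flags a client that sends many login attempts within a short window, and shows that the password values land in the log unless they are redacted. The log lines, IP addresses, thresholds and helper names are all assumptions.

```python
"""Detect a credential brute-force against a GET-based login form from
web-server access logs, and redact the credentials that GET leaks into them.

Added example, not part of the original post. The log lines are constructed
to look like Apache/nginx combined-format entries for the DVWA login path;
IPs, timestamps, threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (not real traffic). One client fires six attempts
# in two seconds; another makes a single attempt and then browses normally.
SAMPLE_LOG = """\
10.0.31.5 - - [02/Jun/2023:10:15:01 +0000] "GET /vulnerabilities/brute/?username=admin&password=123456&Login=Login HTTP/1.1" 200 4521
10.0.31.5 - - [02/Jun/2023:10:15:01 +0000] "GET /vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 4521
10.0.31.5 - - [02/Jun/2023:10:15:02 +0000] "GET /vulnerabilities/brute/?username=admin&password=letmein&Login=Login HTTP/1.1" 200 4521
10.0.31.5 - - [02/Jun/2023:10:15:02 +0000] "GET /vulnerabilities/brute/?username=admin&password=qwerty&Login=Login HTTP/1.1" 200 4521
10.0.31.5 - - [02/Jun/2023:10:15:03 +0000] "GET /vulnerabilities/brute/?username=admin&password=monkey&Login=Login HTTP/1.1" 200 4521
10.0.31.5 - - [02/Jun/2023:10:15:03 +0000] "GET /vulnerabilities/brute/?username=admin&password=dragon&Login=Login HTTP/1.1" 200 4521
10.0.31.9 - - [02/Jun/2023:10:15:04 +0000] "GET /vulnerabilities/brute/?username=gordonb&password=abc123&Login=Login HTTP/1.1" 200 4521
10.0.31.9 - - [02/Jun/2023:10:20:30 +0000] "GET /index.php HTTP/1.1" 200 1200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
LOGIN_PATH = "/vulnerabilities/brute/"  # the DVWA path from the post
# Query parameters whose values must never be stored in plain text.
SENSITIVE_RE = re.compile(r'\b(password|passwd|pass)=[^&\s"]*', re.IGNORECASE)


def parse_line(line):
    """Turn one combined-format line into a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": url.path, "query": parse_qs(url.query),
            "status": int(m.group("status"))}


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def login_attempts(events):
    """Keep only requests that carry a username to the login form."""
    return [e for e in events if e["path"] == LOGIN_PATH and "username" in e["query"]]


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: (attempts in the busiest window, sorted usernames tried)}
    for every client with at least `threshold` login attempts inside `window`."""
    by_ip = defaultdict(list)
    for e in login_attempts(events):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):          # sliding window over timestamps
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            users = sorted({e["query"]["username"][0] for e in evs})
            flagged[ip] = (best, users)
    return flagged


def redact_line(line):
    """Mask credential values before a line is stored or forwarded to a SIEM."""
    return SENSITIVE_RE.sub(r"\1=[REDACTED]", line)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ip, (count, users) in find_bruteforce(events).items():
        print(f"{ip}: {count} login attempts within 60s, usernames tried: {users}")
    print(redact_line(SAMPLE_LOG.splitlines()[0]))
```

The threshold and window are deliberately loose; a real deployment would tune them per application and pair the alert with a server-side lockout or rate limit. Moving the form to POST keeps the credentials out of the URL, but the redaction step is still worth keeping for any other logging path that captures request bodies.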

NOTE: Admin password changes as other students play/attempt exercises on the server.

More info:
https://portswigger.net/support/using-burp-to-brute-force-a-login-page

  • Using simple, non-unique usernames and passwords. The name of the wordlist used, “500-worst-passwords”, points to another weakness, which is easily mitigated by requiring stronger passwords.
  • The same goes for the “admin” username; for this exercise the username and password were meant to be easy so the concept is easier to grasp.
