Web PenTesting Workshop — Using The Hydra Tool To Brute Force Username & Passwords (Ex.2)
Before Starting:
- Passwords are meant to be easy to brute force.
- Lab difficulty: Low
Exercise Objective: “Your goal is to get the administrator’s password by brute forcing.”
Similar to Ex.1, I used the same “seclists” wordlist to try to find the admin user’s password, but this time I used the Hydra tool.
I opened a terminal and changed directory to the “seclists” passwords folder.
I kept my BurpSuite instance opened for this attack from Pt.1.
Hydra command used (the form string is path:parameters:failure-string; note the “&” before Login=Login, otherwise the Login parameter gets glued onto the password value):
hydra -l admin -P 500-worst-passwords.txt -f 10.0.31.27 http-get-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login: password incorrect" -VfI
Flags: -l single username, -P password wordlist, -f stop after the first valid pair, -V show every attempt, -I ignore any existing restore file.
Vulnerabilities and Mitigations:
- “GET” request vulnerability.
Looking at the source, whenever a user attempts to log in the code uses a “GET” request instead of a “POST” request.
Using a “GET” request puts the username and password in the URL, where they end up in browser history and in the web server’s access logs.
NOTE: Admin password changes as other students play/attempt exercises on the server.
More info:
https://portswigger.net/support/using-burp-to-brute-force-a-login-page
- Using simple, non-unique usernames and passwords. The name of the wordlist that was used, “500-worst-passwords”, already points to another vulnerability, and it is easily mitigated by choosing a stronger password.
- The same goes for the “admin” username; for this exercise the username and password were meant to be easy so the concept is easier to grasp.
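To show the defender’s side of both points above (the Hydra run and the “GET” request issue), here is an added Python example that is not part of the workshop write-up. It parses constructed Apache/nginx-style access log lines for the /vulnerabilities/brute/ path, reports which requests carry username and password in the query string, and flags any source IP that fires more login requests than a threshold inside a time window, which is what a Hydra run looks like in the log. The log lines, IPs, timestamps and threshold are made up for this example; the status code is deliberately not used, because the page’s own Hydra command matches on body text (“password incorrect”) rather than on status, so a 200 alone does not separate a failed guess from a successful one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (combined log format). The host, IPs and timestamps are
# invented; the request lines mirror what a GET-based login leaves in the log:
# every password guess is written out in the URL.
SAMPLE_LOG = """\
10.0.31.5 - - [12/Mar/2024:10:15:01 +0000] "GET /vulnerabilities/brute/?username=admin&password=123456&Login=Login HTTP/1.1" 200 1532
10.0.31.5 - - [12/Mar/2024:10:15:01 +0000] "GET /vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 1532
10.0.31.5 - - [12/Mar/2024:10:15:02 +0000] "GET /vulnerabilities/brute/?username=admin&password=12345678&Login=Login HTTP/1.1" 200 1532
10.0.31.5 - - [12/Mar/2024:10:15:02 +0000] "GET /vulnerabilities/brute/?username=admin&password=qwerty&Login=Login HTTP/1.1" 200 1532
10.0.31.5 - - [12/Mar/2024:10:15:03 +0000] "GET /vulnerabilities/brute/?username=admin&password=abc123&Login=Login HTTP/1.1" 200 1532
10.0.31.5 - - [12/Mar/2024:10:15:03 +0000] "GET /vulnerabilities/brute/?username=admin&password=letmein&Login=Login HTTP/1.1" 200 1532
10.0.31.9 - - [12/Mar/2024:10:20:00 +0000] "GET /index.php HTTP/1.1" 200 4021
10.0.31.9 - - [12/Mar/2024:10:20:07 +0000] "GET /vulnerabilities/brute/?username=bob&password=hunter2&Login=Login HTTP/1.1" 200 1532
"""

LOGIN_PATH = "/vulnerabilities/brute/"  # from the exercise; assumed login endpoint

# ip, two ignored fields, [timestamp], "METHOD target protocol", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "target": m["target"],
        "status": int(m["status"]),
    }


def credentials_in_url(entry):
    """Return (username, password) when a login request exposes them in the query string."""
    parts = urlsplit(entry["target"])
    if parts.path != LOGIN_PATH:
        return None
    qs = parse_qs(parts.query)
    if "username" in qs and "password" in qs:
        return qs["username"][0], qs["password"][0]
    return None


def burst_sources(entries, window=timedelta(seconds=60), threshold=5):
    """Map IP -> peak number of login requests seen inside any window of the given length,
    for IPs whose peak reaches the threshold (a wordlist run produces many per second)."""
    by_ip = defaultdict(list)
    for e in entries:
        if urlsplit(e["target"]).path == LOGIN_PATH:
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def analyse(log_text, **kwargs):
    """Return (exposed, flagged): requests leaking credentials, and IPs bursting the login."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    exposed = []
    for e in entries:
        creds = credentials_in_url(e)
        if creds:
            exposed.append((e["ip"], creds[0], creds[1]))
    return exposed, burst_sources(entries, **kwargs)


if __name__ == "__main__":
    exposed, flagged = analyse(SAMPLE_LOG)
    print(f"{len(exposed)} login requests carry credentials in the URL")
    for ip, count in flagged.items():
        print(f"{ip}: {count} login attempts inside one window (possible brute force)")
```

Switching the form to POST removes the credentials from the access log, but the burst pattern stays visible in the request count, so the rate check still applies once the login path is known.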