Introduction to Brute Forcing Services and Web sites

TPrice
4 min read · Sep 30, 2023

I’m going to cover 3 different tools that we can use to brute force service logins and HTTP/HTTPS login pages.

Hydra
Once we find a port that is running a service, we can try to brute force the login and hopefully get valid credentials. Here is the basic syntax:

hydra -L username.txt -P passwords.txt ssh://127.0.0.1

username.txt and passwords.txt are text files containing the usernames and passwords to try. Hydra will attempt each username and password combination. To target a different service, we change ssh to that service's name. Some examples are: ftp, smb, rdp, mysql, pop3, imap.

If we know either the username or the password for an account, then we don’t need a wordlist for it. Here is an example where we know the username. If we knew the password instead, we would change -P to -p password123.

hydra -l root -P passwords.txt ssh://127.0.0.1

Burp Suite / Zap

To brute force an HTTP/HTTPS login page we could use Burp Suite or Zap. We will need to intercept a login request, then modify the username and password fields. I will show you an example for both Burp Suite and Zap. Here is the login page:

Burp Suite
We will need to launch Burp Suite, then configure our browser to use Burp Suite as a proxy. In Firefox go to settings > search proxy > edit > http proxy: 127.0.0.1 > port: 8080 > turn on ‘Also use this proxy for HTTPS’. Now turn the proxy on in Burp Suite and try to log in to the page. We should get a request similar to this:

Click Action > send to intruder. On the right, click Clear. Now we can specify which fields we want to brute force. If we want to brute force both the username and password fields, we double click each value and then click Add. Change Sniper to Cluster Bomb. Here is what it should look like:

Now click on Payloads. Payload 1 is going to target the username slot. Payload 2 is going to target the password slot. We can either load a wordlist file or manually type in some entries. After adding some content to the payload section we can hit Start Attack. We should see requests being sent to the web server now. The tricky part can be telling what a successful attempt looks like. We can look for a 200 status code or a different response length.

Zap
Zap is very similar to Burp Suite. To start our brute force we must make sure our browser is using Zap as a proxy. We can send a request and see if Zap receives the request.

We can see the username and password variables are easily picked up by Zap. Now we will right click the request > attack > fuzz.

Now we double click the field we want to brute force > add > add. If we want to use a file, we change string to file and then select a file. Another good option is to turn on follow redirects. To do this go to Options > Follow redirects. When ready, click Start Fuzz. We can look at the response code, response header size and response body size to find the valid credentials.

ffuf
We can also use ffuf to brute force an HTTP/HTTPS login. We will need to save the Burp Suite request into a text file. Then we will need to adjust the username and password values. If we want to brute force the password, it would look like: password=FUZZ. This will only brute force the password field.

ffuf -request req.txt -request-proto http -w rockyou.txt

If we want to brute force both the username and password, then we need to edit the request file. It would look something like username=USERFUZZ&password=PASSFUZZ.

ffuf -request req.txt -request-proto http -w users.txt:USERFUZZ -w rockyou.txt:PASSFUZZ

We may have to filter out some of the noise. If response size is the issue, filter it with -fs SIZE, or match a specific response code with -mc 200.
