Bruteforcing Web Applications with Hydra
Hydra is a brute-forcing tool that can attack both network services and web services. It supports IPv6 and proxies, and it also has a graphical user interface (GUI). Hydra supports approximately 51 protocols.
But this blog is all about brute-forcing web applications with Hydra.
Have a quick look at some of the flags we are going to learn:
-l (lowercase) : when we want to give a single username
-L (uppercase) : when we want to give a list of usernames
-p (lowercase) : when we want to give a single password
-P (uppercase) : when we want to give a list of passwords
-V (verbose) : shows detailed output on the terminal
-t (tasks) : specifies the number of requests we want Hydra to send per second
Before we launch our brute-force attack, we first need to gather some information about the website, or to be accurate, about the login webpage. The information we need is as follows:
1) Which method the website uses to send the credentials: GET or POST. (POST is the appropriate method for sending credentials, but some insecure websites use GET. You might think the GET method has no HTTP body to carry the message, so how does it send them? You are completely right! It sends the credentials to the server in the URL parameters. GET has a limit on the length of the values, generally 255 characters.)
2) The variables (parameter names) the credentials are stored in
3) The path of the webpage
4) Finally, the error message the website shows when we enter incorrect credentials, or the message the webpage displays after the user enters the correct credentials
Fig:1.1
Fig:1.2
From Fig:1.2 above we can see that the POST method is used to send the credentials. At the same time we can see that our username “randomusername” is stored in the variable login and the password “randompassword” in the variable called password; the other fields are security_level=0 and form=submit (which denotes the press of the login button), and the path of the webpage is /login.php.
Now that we are done with the first three steps, we are left with one last one: we need to get the error message that pops up when we enter invalid credentials, or the success message when we log in successfully. Since we don’t know the password of the website, we can get the error pop-up message.
Fig:1.3
Here in Fig:1.3 we can see that we got the error message “Invalid credentials or user not activated”.
Now we are done with the information gathering part, so let’s use that information to brute force with the Hydra tool!
Command:
hydra 192.252.8.3 http-post-form "/login.php:login=^USER^&password=^PASS^&security_level=0&form=submit:F=Invalid" -L usernames.txt -P passwords.txt -V -f -t 3
You can see the results in Fig:1.4.
Fig:1.4
Now let’s break down the command and understand what we did:
First, the IP address we see is the IP address of the website we want to brute force; if you want, you could give the hostname of the website instead, it’s fine either way.
http-post-form
says that we are using the POST method to send our credentials so that Hydra sends them the same way; if the form uses GET, then use http-get-form.
"/login.php
We open the double quotation marks because they are part of the syntax, and then we give the path of the webpage we want to brute force. Most of the time we are brute forcing the index page, where you cannot see any path in the URL, so just give something like “/”.
:login=^USER^&password=^PASS^&security_level=0&form=submit
The colon “:” denotes that we want to move to the next part. Here we are telling Hydra that login is the variable that takes the username value; the caret symbols around ^USER^ denote that Hydra should replace that text with entries from the file that contains the list of usernames (we will see the file in the next part of the command). Likewise password is the variable that stores the password, and ^PASS^ must be replaced with entries from the file that contains the list of passwords (also given in the next part of the command).
:F=Invalid"
Again we move to the next part with “:”. F denotes that the text “Invalid” occurs when we fail to log in to the site, so that Hydra can interpret the response accordingly, and then we close the double quotation marks.
-L usernames.txt -P passwords.txt
The flag -L tells the tool that we want to give a list of usernames, in the file usernames.txt, and -P denotes that we want to specify a file of passwords, in this case passwords.txt (these are files that I have created). If you are using Kali Linux you can use the rockyou.txt file in the /usr/share/wordlists directory.
-V -f
-V is the verbose flag. Because of this flag we can see every trial Hydra makes; if we don’t mention it, Hydra will only display the correct username and password combination, if one exists.
The -f flag tells Hydra to stop the trials after getting the first correct combination of username and password. You are not supposed to use -f in all cases, because there is a chance that we could get the credentials of another user too if another combination matches.
-t 3 :
By default Hydra sends 16 requests per second to the server with different combinations of usernames and passwords. With the -t flag we set the number of requests to be sent per second and make the attack stealthier, so that someone watching the network traffic won’t get suspicious; in our case it is set to send 3 requests per second.
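As an added example (not from the original post and not part of Hydra), here is the defender’s side of the paragraph above: a Python script that spots a burst of login submissions from one source in web-server access logs, which is exactly what a lower -t is trying to hide. It assumes the Apache/nginx combined log format, a login form at /login.php as in this post, and that Hydra’s HTTP modules send the User-Agent string "Mozilla/5.0 (Hydra)" unless told otherwise (check your version); the log lines are constructed.

```python
"""Flag brute-force bursts against a login form in web-server access logs.

Added example for this post (not Hydra's code and not the author's). Assumes
the Apache/nginx "combined" log format and a login form at /login.php; the
sample log lines at the bottom are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    # Split off the query string: a GET-based form carries the credentials there.
    rec["path"], _, rec["query"] = rec["path"].partition("?")
    return rec


def is_login_submission(rec, login_path):
    """A POST to the form, or a GET to it with URL parameters (the insecure GET form)."""
    if rec["path"] != login_path:
        return False
    return rec["method"] == "POST" or (rec["method"] == "GET" and rec["query"] != "")


def detect_bruteforce(lines, login_path="/login.php", threshold=10,
                      window=timedelta(seconds=60)):
    """Return one alert per source IP that sent >= threshold submissions inside any window.

    Status codes are deliberately not used to separate success from failure:
    many apps (bWAPP included) answer 200 to both, which is why Hydra matches on
    body text instead. Counting submissions per source needs no such knowledge.
    """
    recent = defaultdict(deque)   # ip -> timestamps of submissions still inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_login_submission(rec, login_path):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) < threshold:
            continue
        alert = alerts.setdefault(rec["ip"], {
            "ip": rec["ip"], "count": 0, "first": q[0], "last": rec["ts"],
            "hydra_ua": False,
        })
        alert["count"] = max(alert["count"], len(q))
        alert["last"] = rec["ts"]
        # Assumption: Hydra's HTTP modules send this User-Agent unless overridden,
        # so it is a cheap extra signal, never the only one (it is trivially changed).
        if "hydra" in rec["ua"].lower():
            alert["hydra_ua"] = True
    return list(alerts.values())


def _line(ip, ts, method, path, status, ua):
    """Build a constructed combined-format log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


_T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
_BROWSER = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
_HYDRA = "Mozilla/5.0 (Hydra)"

# Constructed sample: one normal login from 198.51.100.7, then twelve submissions
# in 22 seconds from 203.0.113.5 (a "-t 3" style pace), then a page fetch by it.
SAMPLE_LOG = [
    _line("198.51.100.7", _T0, "GET", "/login.php", 200, _BROWSER),
    _line("198.51.100.7", _T0 + timedelta(seconds=2), "POST", "/login.php", 200, _BROWSER),
] + [
    _line("203.0.113.5", _T0 + timedelta(seconds=5 + 2 * i), "POST", "/login.php", 200, _HYDRA)
    for i in range(12)
] + [
    _line("203.0.113.5", _T0 + timedelta(seconds=31), "GET", "/portal.php", 200, _HYDRA),
]

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f'{a["ip"]}: {a["count"]} login submissions between '
              f'{a["first"].time()} and {a["last"].time()}, hydra UA: {a["hydra_ua"]}')
```

Run it against a real access log with `detect_bruteforce(open(path))` and tune threshold and window to the site: a slow run (small -t) only drops below the threshold if the window is short, so a second pass with a window of an hour and a higher threshold catches the "stealthy" pace this paragraph describes.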
We can also give the success message instead of the error message that pops up when we give invalid credentials, as in Fig:1.5.
Fig:1.5
Fig:1.5 displays the webpage after logging in with the credentials we got using Hydra. Now let’s try to brute force by giving some text that is displayed only when we log in successfully, so let’s copy a portion of the text from it.
Fig:1.6
And here in Fig:1.6 you can see that we are able to get the credentials successfully while specifying the success message.
Command:
hydra 192.252.8.3 http-post-form "/login.php:login=^USER^&password=^PASS^&security_level=0&form=submit:S=bWAPP, or a buggy web application, is a free and open source" -L usernames.txt -P passwords.txt -V -f -t 3
If you do not mention F or S in the command, by default Hydra interprets the condition as F, as you can see in Fig:1.7.
Fig:1.7
Command:
hydra 192.252.8.3 http-post-form "/login.php:login=^USER^&password=^PASS^&security_level=0&form=submit:Invalid credentials or user not activated" -L usernames.txt -P passwords.txt -V -f -t 3
Let’s say we want to brute force a specific user. It’s possible using the option -l, which allows us to give one username, while we still give the file that contains the list of passwords, as in Fig:1.8.