Brute Force Attack (OWASPBWA Lab, Hydra Tool)


Ashutosh Singh Patel

Master Brute Force Attacks using the Hydra tool in the OWASPBWA lab environment.

A brute force attack uses trial and error to guess login credentials or encryption keys, or to find a hidden web page. Hackers work through all possible combinations hoping to guess correctly.

Tools like BruteX, Gobuster, Dirsearch, Callow, and Hydra are used to perform these actions without putting in much manual effort.

(Vulnerable Machine Link and setup video in the bonus resources)

1. Cluster Bomb Brute force

Navigate to: OWASP Bricks → Bricks → Login Pages

When we input the wrong username & password it returns the “Wrong user name or password.” string.

Now turn on the intercept, type a random username & password, and send that request to Intruder.

Under the attack type, change it to Cluster Bomb since we will target two payloads at a time.

For the username list: /usr/share/wordlists/metasploit/http_default_users.txt
For the password list: /usr/share/wordlists/metasploit/http_default_pass.txt

If we start the attack, we can see that the values in the Length column are mostly all different, so how can we determine the correct username & password?

If there is a problem, then there exists a solution.

What we can do here is filter the responses down to the ones that don’t contain this error message.

Navigate to: Intruder → Options → Grep-Match

Clear the list and enter the expression “Wrong user name or password.” & then run the attack.

Except for ‘admin: admin’, everything else got flagged, so we probably have the correct username & password.

Let’s give it a try.

Hoorah !!! I logged in as an admin.

Now we will use an advanced tool called “Hydra” that is made specifically for brute force.

Navigate to: bWAPP

Meaning of different parameters in the above command

192.168.29.74 → IP address of the target
http-post-form → the type of brute force we want to perform, based on how the credentials are processed by the webpage. From the below diagram, we can see that it was a POST request.
(http-get-form if they were processed with a GET request)
“ ” part → 3 different things:
• Path to the page we want to brute force
• Name of the username field, name of the password field (can be seen in the above screenshot) & the button itself
• String or message that we get when we specify an incorrect username and password

-L param → for the file containing usernames
-P param → for the file containing passwords

(Within a few seconds & it’s done)

The valid credentials are
Login: bee
Password: bug

This time we will go with the DVWA page

• Hydra is not just useful for brute-forcing webpages
• It can also be used to brute-force different services like SSH, FTP, etc.

Example

Let’s first scan for open ports using Nmap with the -F parameter (fast mode, which scans only the most common ports).

Let’s try to target the SSH port with a Hydra brute force attack.

Since we were getting the “Warning”, we just reduced the number of parallel tasks to 4 (by default it was 16).

Since we have the credentials to log in let’s try to ssh into the machine.

ssh root@192.168.29.74 was not working & was giving the following output.

ssh done !!!
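
Seen from the targeted host, the SSH guessing run above leaves a recognizable trail in the sshd log: a burst of failed password attempts from one source, then a success. The following is an added example, not part of the original article, that flags such sources and reports whether a login finally succeeded; the log lines, IP addresses, threshold, window and year are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (not from the article), classic syslog format.
SAMPLE_LOG = """\
Mar  3 10:15:01 lab sshd[2101]: Failed password for root from 192.0.2.10 port 40112 ssh2
Mar  3 10:15:01 lab sshd[2102]: Failed password for invalid user admin from 192.0.2.10 port 40114 ssh2
Mar  3 10:15:02 lab sshd[2103]: Failed password for root from 192.0.2.10 port 40116 ssh2
Mar  3 10:15:02 lab sshd[2104]: Failed password for invalid user test from 192.0.2.10 port 40118 ssh2
Mar  3 10:15:04 lab sshd[2105]: Failed password for root from 192.0.2.10 port 40120 ssh2
Mar  3 10:15:05 lab sshd[2106]: Failed password for alice from 192.0.2.77 port 51500 ssh2
Mar  3 10:15:09 lab sshd[2107]: Accepted password for root from 192.0.2.10 port 40122 ssh2
Mar  3 10:15:20 lab sshd[2108]: Accepted password for alice from 192.0.2.77 port 51502 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return {ip: {"failures", "users", "success_as"}} for every source with
    at least `threshold` failed logins inside `window`."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) of recent failures
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password-auth result line
        # Classic syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        while q and ts - q[0][0] > window:
            q.popleft()  # expire failures that fell out of the window
        if m["result"] == "Failed":
            q.append((ts, m["user"]))
            if len(q) >= threshold:
                a = alerts.setdefault(m["ip"], {"failures": 0, "users": set(), "success_as": None})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(u for _, u in q)
        elif len(q) >= threshold:
            # Success right after a burst of failures: likely a guessed password.
            alerts[m["ip"]]["success_as"] = m["user"]
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

A single mistyped password followed by a normal login (the `alice` lines) stays below the threshold and is not reported, while the source that guessed its way in is reported with the account it reached.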

This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.

© 2024 Ashutosh Singh Patel
