Normally, I use Burp Suite to do everything because it does everything. That is because I have the Pro version. If you have the Community version, you know that some of the attacks are throttled and the vulnerability scanner just doesn't exist. If you don't have the Pro version of Burp, or just want to try a different toolset, this tutorial will take you through attacking the initial login page of the Damn Vulnerable Web App (DVWA site, DVWA ISO).
Once the application is up and running you will be presented with the initial page.
Now what? You can either skip to the bottom of this post and find the password, or we can brute-force it and learn something along the way. The first thing we need to do is figure out what to attack. The easiest way is to look at the source code for the page.
A second way is to capture a request to the page using a proxy. In keeping with the spirit of not using Burp, I grabbed this one using OWASP ZAP.
The three form fields are username, password, and Login. The next crucial piece is knowing what a failed login displays; this gives Hydra a way of discriminating between valid and bad login attempts.
I'm going to use xHydra, but I will also give the command to run Hydra from a shell in case that is the only access you have on a system. Launch xHydra; on Kali Linux it is under the /usr/bin directory. The following images show all of the options being set.
Set the IP of the DVWA server and the protocol in use; since we are attacking a web form, that is http-post-form. To attack a login of any type you need two other things: a username and a password. The rockyou word list exists at /usr/share/wordlists. I also created a short list of usernames to use.
The next step is to tune the brute-force attack. I can use 32 threads and a 1 second timeout because both virtual machines, the Kali Linux attacker and the DVWA target, are on the same local LAN segment, so there is no concern about causing a denial of service. Piping the attack through the ZAP proxy is optional.
The next tab is where all of the heavy lifting happens. The http / https url field contains the ':'-separated string /login.php:username=^USER^&password=^PASS^&Login=Login:Login failed. Breaking the string out: /login.php is the login page. The username and password fields are linked to the ^USER^ and ^PASS^ variables, which are filled from the options set in the Passwords tab. The Login field is not linked to a variable, but it is included because it is part of the login request we captured in image 3. The last part, Login failed, is the text we determined indicates a bad attempt.
Once everything is set, just click Start on the last tab and watch it go. If you look really closely at the password setup you'll see that I cheated a bit and just ran a single password. I started running the rockyou wordlist and then realized that it would take a significant amount of time to complete.
To run this from a shell instead of the GUI use:
hydra -L UserNameFile -P PasswordFile -e ns -t 32 -u -f -m "/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" <IP> http-post-form
-e ns additionally tries, for each user, a password equal to the username (s) and an empty password (n)
-f exits after the first pair is found
-u is supposed to make the attack faster according to their README, but it doesn't really say how. I think that it is a unique switch, but I don't have any proof.
Stay tuned for more DVWA updates on the challenges you now have access to since you brute forced this password.