In this tutorial, I will be demonstrating how to brute force authentication on HTTP and HTTPS services.
Basic Hydra usage – HTTP
hydra -l <USER> -p <Password> <IP Address> http-post-form “<Login Page>:<Request Body>:<Error Message>”
-l Single Username
-L Username list
-P Password list
-t Limit concurrent connections
-V Verbose output
-f Stop on correct login
Brute forcing authentication using Hyrda on a web service requires more research than any of the other services. We will need three main things from the website. The login page, request body, and the error message.
Website Login Page
Let’s start with the main login page we can see the Username and Password fields.
Now that we can see the website we need to inspect the page. Right click on the page and select “inspect element” from the drop-down menu.
Now that we are in the “inspect elements” section we need to get into the headers area.
Select the Network tab and then attempt to login (This will fail to log in). After the login fails click on the POST Method and then click on “Edit and Resent.”
In this view, we need to focus on four things. Hostname/IP, Login Page, Request Body, and the error message.
With all the information that we have collected now let’s build the hydra command.
Change the <Login page> this value has to start with “/” backspace.
Change <Request body> with the format from the page. We do need to modify the username and password. Replace the failed username with ^USER^ and the failed password with ^PASS^. This change will allow hydra to substitute the values.
Change the <Error Message> with the failed login error message.
Change the <IP Address> with either an IP address or hostname.
Change the <User> with either username or username list.
Change the <Password> with either a password or password list.
Layout of command: hydra -L <USER> -P <Password> <IP Address> http-post-form “<Login Page>:<Request Body>:<Error Message>”
hydra -L usernames.txt -P passwords.txt 192.168.2.62 http-post-form “/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login Failed”
After running the command we were able to brute force the user information from the website.