Bruteforce Login-page Using Hydra and Python Script (DVWA)

April 28, 2017 | Views: 13963

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

What is DVWA?

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

You can download DVWA here.

and install it on your lamp server

What is bruteforce?

In a simple way, Bruteforce is a technique which applies all possible value of usernames and passwords, or any required field, to satisfy our problem needs.

You can learn more about bruteforce here.

How to bruteforce low and medium security using Hydra?

Hydra is a very fast tool used to perform rapid dictionary attacks. Here we are going to use Hydra and perform bruteforce attack based on HTTP-form-get.

The syntax is:

hydra <target-site> -l admin -l  -P <path to your password list> http-form-get <path to directory to make login attempt including error message and cookie details>

This will only work on the site which uses HTTP-form-get method.

The hydra command which I used to break DVWA bruteforce low and medium security is:

hydra http-form-get -l admin -P rockyout.txt 'DVWA-master/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect. :H=cookie: security=low; PHPSESSID=l6au67gu3uclemji3f95vndr65'

How to bruteforce high security using python script?

In high security, they used a hidden field to check a CSRF token along with our username and password. This CSRF token changes its value on each request. So our normal hydra won’t work here. We need to get our own tool. I used python script which gets the CSRF token by scrapping it. I bruteforced the username and password along with the CSRF token which is unique for each request.

You can find my script, which I used to bruteforce high-level security, here:

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?