Password brute forcing web applications
Our learning objectives are to understand the different tools in Kali to brute force web logins.
Hydra is my go-to tool because I think it's really, really fast compared to Burp Suite.
Burp can be very, very slow, and if you have the Community Edition, it's slow. I mean, you can see the output. I think you can see it a whole lot better than you can in Hydra.
But if I'm in a hurry,
I want to use Hydra. It can be a little tricky to get the syntax down, and I'm gonna show you how to do that.
So you can grab the request and the response in Burp Suite. So here's the request. You see it's a POST request, and you see the posted data at the bottom here.
So I'll grab all that.
And what you do is, if you take a look at this Hydra string,
I know the user's cyber,
I'm using rockyou,
the IP address of the host,
and it's gonna be an http-post-form. So it's a POST request.
And then I grabbed that string from Burp Suite and put it in here. But you'll notice for the login, I have the carets around USER and the carets around PASS, in upper case, and then at the end I have S for success equals Location. So when it's a successful login,
it will have Location somewhere in the response, and that's what Hydra is looking for, and you can see it worked. I got login cyber, password qwerty.
So Burp Suite, like I said, Burp Suite is slower than Hydra, but you have a whole lot more visibility into the response length and what it is, you know, is it a 200 response or a 302 redirect.
So Burp, I think it gives you a whole lot more granular data,
but if you're using the Community Edition and you're brute forcing 1000 passwords, that's going to take you a really long time,
and time is of the essence in the OSCP.
So here's Burp Suite. You're gonna grab the request.
Usually I grab it in Repeater, you send it to Intruder, clear the positions, then highlight "test", click Add,
and then I put my password list in there
and you start the attack. You can see this is another sniper attack.
And you see qwerty, we got a 302 redirect and the length is different compared to everything else in this Intruder.
CeWL. CeWL is great. So if you want to get a more targeted password list, this is the tool for you. If something on the website gives you clues that this person likes a certain
thing, then you can use CeWL to scrape that web page,
and maybe that's part of the login name.
Always check for default passwords as well. You can save a whole lot of time
if you just research what the default password is for that service or that content management system or whatever you may find.
And it could be that easy. So you may not even have to waste your time trying to brute force the login.
So with that let's go to a demo.
Alright, so I'm on this web page. I see this person really loves turtles,
and I see these are a few of their favorite turtles. I don't know what this means, but it could be a clue that that might be part of their password.
So how do I figure it out? I see it's a WordPress site, which is great, right? I go to Recent Posts. I see there's one that says "Hello World" by author "user".
So I can enumerate there. There's a username "user"
in this WordPress site without even having to use WPScan. So what do I do now? I'm gonna go into the login and we can confirm this manually, if there's someone named user. So I can just put anything with user,
and I see "Error: The password you entered for the username is incorrect." What if I just type anything
and see if there's a different response?
It says "Unknown username." So this is great. It's a very verbose error message. Good for us, bad for them.
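The two error messages just described are what make the username confirmable. This added example, not part of the original transcript and not WordPress code, models a leaky login handler next to one that answers every failure the same way, and a check that tells them apart; the user store, the password and the paths are made up for the demo.

```python
import hashlib
import hmac

# Constructed demo user store: username -> SHA-256 of the password (demo only,
# a real application would use a salted password hash such as bcrypt/argon2).
USERS = {"user": hashlib.sha256(b"leatherback").hexdigest()}
_DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()  # compared when the user is unknown

def _password_ok(username, password):
    # Always hash and compare so an unknown user costs the same time as a wrong password.
    stored = USERS.get(username, _DUMMY_HASH)
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return username in USERS and hmac.compare_digest(stored, candidate)

def login_verbose(username, password):
    """Leaky handler: the failure wording reveals whether the account exists."""
    if username not in USERS:
        return 200, "ERROR: Unknown username."
    if not _password_ok(username, password):
        return 200, f"ERROR: The password you entered for the username {username} is incorrect."
    return 302, "Location: /wp-admin/"

def login_generic(username, password):
    """Hardened handler: one message and one status code for every failure."""
    if _password_ok(username, password):
        return 302, "Location: /wp-admin/"
    return 200, "ERROR: Invalid username or password."

def username_is_enumerable(handler, known_user, bogus_user):
    """True when a wrong password gets different responses for a real and a
    made-up username, i.e. the manual check done in the transcript works."""
    return handler(known_user, "wrong-password") != handler(bogus_user, "wrong-password")
```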
So what I want to do is I want to use
CeWL, because I want to scrape that
turtle page
and see if the password might be in there.
So I'm going to use CeWL.
My depth is 1. My minimum word length is 5. I'm gonna write to something called turtle.txt
from the output of this tool. And here's the turtle page, and we'll let this run. Let's cat this.
So we have a whole bunch of different words here.
We can cat it, we can see how many words,
how long it is. There's 71 words.
If you want to brute force this with Burp Suite, this might take a while. So that's why I really like Hydra.
How do I use Hydra? So I'll do user here.
I'll type whatever password, I'm gonna go to
the login and I'll see the POST request.
So I'm gonna grab
their request payload. Oh, I'm gonna grab this whole string here,
and this is what I'm gonna use to help me with my Hydra payload.
So if I get Hydra,
I am going to
paste, oops, paste it.
You'll see hydra -l, I know there's a user named user. My password list is that custom one from CeWL, turtle.txt, the IP address of our WordPress site. It's a POST request. I pasted this whole long string here. You'll notice I put the carets over user and the carets over password.
Everything else is the same as
the request payload here, right? Everything else is the same.
And I have F for failure. So F, we know if we enter user and it says error,
right? We saw that when we entered user, there's an error, right? That is a failure. We'll see "error".
So that's why I have that at the end. So let's give this a try.
So we do see that the user did in fact make one of his favorite turtles his password, or her password. Let's log in and see if it works.
So we do see that that was in fact the correct password.
We could do that in Burp Suite as well.
Turn intercept on.
We don't need that. Make sure proxy is...
we can leave proxy on. This should only be one request.
All right, I'm going to send this to Intruder.
I'm gonna go to Positions. I'm gonna clear this all out. I already know what my user is. I'm gonna add password. We're using sniper,
and for my payload I'm just going to load that turtle.txt file.
So here it is, turtle.
And I'm just gonna let this run.
Like I said, it's a lot more granular. I see 200, I see what the length is.
I hope the correct password is not the 71st in the list,
but you can sort by length and status,
and you'll just see how long this takes compared to Hydra, which,
you know, that took a few seconds.
How are we doing here?
I'm gonna have to pause it because it's taking so long. I'll be right back.
So luckily I didn't have to wait for all 71. But you see here that this is granular in that I see the status is different for this payload, with a 302 redirect,
and a length that is different than the others.
From here I can sort and see that
this is my password.
So I just want to show you the difference between Hydra and Burp Suite, and the good and bad of both.
Again, this is a little tricky to get the syntax right, but when you get it right, you can see it's a whole lot faster than Burp Suite, but with Burp Suite you get a whole lot more data to look at.
So in summary, we should now understand the different tools in Kali to brute force web logins.
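The same 200-versus-302 pattern that exposes the right password in Intruder is also what a defender sees in the web server log: a run of failed POSTs to the login page, then a redirect. This added example, not part of the original transcript, flags that pattern over a few constructed Apache combined-format lines; the addresses, sizes and the threshold are made up for the demo.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format lines for a WordPress login page.
# As in the transcript, a failed login returns 200 (the error page) and a
# successful one returns a 302 redirect; addresses and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:05:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_lines(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def find_login_bruteforce(text, login_path="/wp-login.php", threshold=3):
    """Return {ip: {"failures": n, "succeeded": bool}} for every client that
    posted at least `threshold` failed (200) logins to `login_path`.
    `succeeded` is set when a 302 from the same client follows its failures,
    which is the trace a found password leaves behind."""
    stats = defaultdict(lambda: {"failures": 0, "succeeded": False})
    for entry in parse_lines(text):
        if entry["method"] != "POST" or entry["path"] != login_path:
            continue
        client = stats[entry["ip"]]
        if entry["status"] == "200":
            client["failures"] += 1
        elif entry["status"] == "302" and client["failures"] > 0:
            client["succeeded"] = True
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}

if __name__ == "__main__":
    for ip, s in find_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {s['failures']} failed logins, success after: {s['succeeded']}")
```

A normal user who logs in on the first try (10.0.0.9 here) never reaches the threshold, so only the client with the run of failures is reported.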