Password Brute-Forcing Web Logins

Video Transcription
00:00
Password brute forcing web applications
00:04
Our learning objectives are to understand the different tools in Kali to brute force web logins.
00:09
Hydra's my go-to tool because I think it's really, really fast compared to Burp Suite.
00:14
Burp can be very, very slow, and if you have the Community Edition, um, it's slow. I mean, you can see the output. I think you can see it a whole lot better than you can in Hydra.
00:24
But if I'm in a hurry
00:27
I want to use Hydra. It can be a little tricky to get the syntax down, and I'm gonna show you how to do that.
00:33
So you'll have to... you can grab the request and the response in Burp Suite. So here's the request. You see it's a POST request and you see the posted data at the bottom here.
00:47
So I'll grab all that.
00:50
And what you do is, if you take a look at this Hydra string,
00:54
I know the user's cyber,
00:56
I'm using rockyou,
00:58
the IP address of the host,
01:00
and it's gonna be an http-post-form. So it's a POST request.
01:06
And then I grabbed that string that I did from Burp Suite and put it in here. But you'll notice for log, I have the carets around USER and the carets around PASS, upper case, and then at the end I have S for success equals Location. So when it's a successful login,
01:22
it will have Location somewhere in the response, and that's what Hydra is looking for, and you can see it worked. I got login cyber, password qwerty.
01:34
So Burp Suite, like I said, Burp Suite is slower than Hydra, but you have a whole lot more visibility into the response length and what it is, you know, is it a 200 response, is it a 302 redirect.
01:49
So Burp Suite, I think it gives you a whole lot more granular data,
01:53
but if you're using the Community Edition and you're brute forcing 1000 passwords, that's going to take you a really long time,
01:57
and time is of the essence. No A C. P.
02:01
So here's Burp Suite. You're gonna grab the request.
02:06
Usually I grab it, um, in Repeater. You send it to Intruder, clear the positions, then highlight 'test', click Add,
02:17
and then I put my password list in there,
02:21
and you start the attack. You can see this is another sniper attack,
02:25
and you see qwerty, we got a 302 redirect and the length is different compared to everything else, uh, in this Intruder
02:35
attack.
02:38
CeWL, or 'sewl', is great. So if you want to get a more targeted password list, this is the tool for you. If it says something on the website that gives you clues that, you know, this person likes a certain
02:53
thing, then you can use CeWL to scrape that web page,
02:58
and maybe that's part of the login name.
03:02
Always check for default passwords as well. You can save a whole lot of time
03:07
if you just research what the default password is for that service or that, uh, content management system or whatever you may find.
03:15
And it could be that easy. So you may not even have to waste your time trying to brute force the login.
03:23
So with that let's go to a demo.
03:28
Alright, so I'm on this web page. I see this person really loves turtles,
03:34
and I see these are a few of their favorite turtles. I don't know what this means, but it could be a clue that that might be part of their password.
03:44
So how do I figure it out? I see it's a WordPress site, which is great, right? I go to Recent Posts. I see there's one that says 'Hello world' by user, author 'user'.
03:54
So I can enumerate there. There's a username 'user'
04:00
um, in this WordPress site without even having to use WPScan. So what do I do now? I'm gonna go into Log In, and we can confirm this manually if there's someone named 'user'. So I can just put anything with 'user'
04:13
and I see 'Error: The password you entered for the username is incorrect.' What if I just type anything
04:20
and see if there's a different response
04:23
It says 'Unknown username'. So this is great. It's a very verbose error message. Good for us, bad for them.
04:30
So what I want to do is I want to use
04:33
CeWL, because I want to scrape that
04:36
that turtle page
04:40
and see if the password might be in there.
04:45
So I'm going to use CeWL.
04:47
My depth is one. My minimum word length is five. I'm gonna write to something called turtle.txt
04:55
from the output of this tool. And here's the turtle page, and we'll let this run. Let's cat this.
05:03
So we have a whole bunch of different words here.
05:06
We can cat it, we can see how many,
05:09
how long it is. There's 71 words.
05:12
If you want to brute force this with Burp Suite, this might take a while. So that's why I really like Hydra.
05:19
How do I use Hydra? So I'll do 'user' here.
05:24
I'll type whatever password. I'm gonna go to
05:27
Inspect,
05:29
Network,
05:30
Log In, and I'll see the POST request.
05:33
So I'm gonna grab
05:36
the request.
05:39
The request payload. Oh, I'm gonna grab this whole string here,
05:43
and this is what I'm gonna use to help me with my Hydra payload.
05:47
So if I get Hydra,
05:51
I am going to
05:54
paste, oops, paste it
05:59
here.
06:00
You'll see hydra -l, I know there's a user named 'user'. My password list is that custom one from CeWL, turtle.txt. The IP address of our WordPress site. It's a POST request. I pasted this whole long string here. You'll notice I put the carets around USER and the carets around PASS.
06:18
Everything else is the same as
06:23
the request payload here, right? Everything else is the same.
06:27
And I have F for failure. So F, we know if we enter 'user' and it says 'error',
06:33
right? We saw that when we entered 'user', error, right? There is a failure. We'll see 'error'.
06:41
So that's why I have that at the end. So let's give this a try.
06:47
So we do see that the user did in fact make one of his favorite turtles his password, or her password. Let's log in and see if it works.
07:02
So we do see in fact that that was the correct password.
07:10
We could do that in Burp Suite as well.
07:11
So Burp
07:14
Community Edition.
07:15
Turn Intercept on.
07:25
We don't need that. Make sure proxy is...
07:28
We can leave proxy on. This should only be one request.
07:38
forward
07:39
forward
07:42
user
07:47
test
07:51
log in.
07:54
All right. I'm going to send this to Intruder.
07:59
I'm gonna go to Positions. I'm gonna clear this all out. I already know what my user is. I'm gonna add password. We're using sniper,
08:07
and my payload, I'm just going to load that turtle.txt file.
08:13
So here it is, turtle.
08:16
And I'm just gonna let this run
08:18
Like I said, it's a lot more granular. I see 200. I see what the length is.
08:24
I hope the correct password is not the 71st in the list,
08:31
but you can sort by length and status,
08:37
and you'll just see how long this takes compared to Hydra, which,
08:41
you know, that took a few seconds.
08:48
How are we doing here?
08:52
I'm gonna have to pause it because it's taking so long. I'll be right back.
08:58
So luckily I didn't have to wait for all 71. But you see here that this is granular in that I see the status is different for this payload, with a 302 redirect,
09:11
and a length, uh, that is different than the other
09:15
payloads. So
09:16
from here I can sort and see that
09:20
this is my password.
09:22
So I just want to show you the difference between Hydra and Burp Suite and the good and bad of both.
09:28
Again, this is a little tricky to get the syntax right, but when you get it right, you can see it's a whole lot faster than Burp Suite, but with Burp Suite you get a whole lot more data to look at.
09:41
So in summary, we should now understand the different tools in Kali to brute force web logins.