Password Brute-Forcing Web Logins

Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:00
Password brute forcing web applications.
00:04
Our learning objectives are to understand the different tools in Kali to brute force web logins.
00:09
Hydra is my go-to tool because I think it's really, really fast compared to Burp Suite.
00:14
Burp Suite can be very, very slow, and if you have the Community Edition, um, it's slow. I mean, you can see the output. I think you can see it a whole lot better than you can in Hydra.
00:24
But if I'm in a hurry
00:27
I want to use Hydra. It can be a little tricky to get the syntax down, and I'm gonna show you how to do that.
00:33
So you'll have to, you can grab the request and the response in Burp Suite. So here's the request. You see it's a POST request and you see the posted data at the bottom here.
00:47
So I'll grab all that.
00:50
And what you do is, if you take a look at this Hydra string,
00:54
I know the user's cyber, erI
00:56
I'm using rockyou,
00:58
the IP address of the host,
01:00
and it's gonna be an http-form-post. So it's a POST request.
01:06
And then I grabbed that string from Burp Suite and put it in here. But you'll notice for log, I have the carets between user and the carets between pass, upper case, and then at the end I have S for success equals Location. So when it's a successful login
01:22
it will have Location somewhere in the response, and that's what Hydra is looking for, and you can see it worked. I got log in cyber every password qwerty.
01:34
So Burp Suite, like I said, Burp Suite is slower than Hydra, but you have a whole lot more visibility into the response length and what it is, you know, is it a 200 response or a 302 redirect.
01:49
So Burp, I think it gives you a whole lot more granular data,
01:53
but if you're using the Community Edition and you're forcing 1000 passwords, that's going to take you a really long time
01:57
and time is of the essence. No A C. P.
02:01
So here's Burp Suite. You're gonna grab the request.
02:06
Usually I grab it, um, in Repeater. You send it to Intruder, clear the positions, then highlight test, click Add,
02:17
and then I put my password list in there
02:21
and you start the attack. You can see this is another sniper attack
02:25
And you see qwerty, we got a 302 redirect and the length is different compared to everything else, uh, in this Intruder
02:35
attack.
02:38
CeWL, it's great. So if you want to get a more targeted password list, this is the tool for you. If it says something on the website that gives you clues that, you know, this person likes a certain
02:53
thing, then you can use CeWL to scrape that web page
02:58
and maybe that's part of the login name.
03:02
Always check for default passwords as well. You can save a whole lot of time
03:07
if you just research what the default password is for that service or that, uh, content management system or whatever you may find.
03:15
And it could be that easy. So you may not even have to waste your time trying to brute force the login.
03:23
So with that let's go to a demo.
03:28
Alright, so I'm on this web page. I see this person really loves turtles
03:34
and I see these are a few of their favorite turtles. I don't know what this means, but it could be a clue that that might be part of their password.
03:44
So how do I figure out? I see it's a WordPress site, which is great, right? I go to recent posts. I see there's one that says Hello World by user author user.
03:54
So I can enumerate there. There's a username user
04:00
um, in this WordPress site without even having to use WPScan. So what do I do now? I'm gonna go into login and we can confirm this manually if there's someone named user. So I can just put anything with user
04:13
and I see error: the password you entered for the username is incorrect. What if I just type anything
04:20
and see if there's a different response?
04:23
It says unknown username. So this is great. It's a very verbose error message. Good for us. Bad for them.
04:30
So what I want to do is I want to use
04:33
CeWL because I want to scrape that
04:36
that turtle page
04:40
and see if the password might be in there.
04:45
So I'm going to use CeWL.
04:47
My depth is one. My minimum word length is five. I'm gonna write to something called turtle.txt
04:55
from the output of this tool. And here's the turtle page and we'll let this run. Let's cat this.
05:03
So we have a whole bunch of different words here.
05:06
We can cat we can see how many
05:09
How long it is. There's 71 words.
05:12
If you want to brute force this with Burp Suite, this might take a while. So that's why I really like Hydra.
05:19
How do I use Hydra? So I'll do user here.
05:24
I'll type whatever password I'm gonna go to
05:27
inspect
05:29
network
05:30
log in and I'll see the post request.
05:33
So I'm gonna grab
05:36
the request.
05:39
The request payload. I'm gonna grab this whole string here
05:43
and this is what I'm gonna use to help me with my Hydra payload.
05:47
So if I get hydra,
05:51
I am going to
05:54
paste oops, paste it
05:59
here.
06:00
You'll see hydra -l, I know there's a user named user. My password list is that custom one from CeWL, turtle.txt, the IP address of our WordPress site. It's a POST request. I pasted this whole long string here. You'll notice I put the carets over user and the carets over password.
06:18
Everything else is the same as
06:23
the request payload here, right? Everything else is the same.
06:27
And I have F for failure. So f we know if we enter user and it says error,
06:33
right? We saw that when we entered user errors right? There is a failure. We'll see error.
06:41
So that's why I have that at the end. So let's give this a try.
06:47
So we do see that the user did in fact make one of his favorite turtles, his password or her password. Let's let's log in and see if it works.
07:02
So we do see in fact that that was the correct password.
07:10
We could do that in Burp Suite as well.
07:11
So Burp
07:14
community edition.
07:15
Turn intercept on.
07:25
We don't need that. Make sure proxy is
07:28
we can leave proxy on. This should only be one request
07:38
forward
07:39
forward
07:42
user
07:47
test
07:51
log in.
07:54
All right. I'm going to send this to intruder.
07:59
I'm gonna go to positions. I'm gonna clear this all out. I already know what my user is. I'm gonna add password. We're using sniper
08:07
and my payload. I'm just going to load that turtle dot txt file.
08:13
So here it is. Turtle.
08:16
And I'm just gonna let this run
08:18
Like I said, it's a lot more granular. I see 200. I see what the length is.
08:24
I hope the correct password is not the 71st in the list,
08:31
but you can sort by length and status
08:37
and you'll just see how long this takes compared to Hydra, which
08:41
you know that took a few seconds.
08:48
How are we doing here?
08:52
I'm gonna have to pause it because it's taken so long. I'll be right back.
08:58
So luckily I didn't have to wait for all 71. But you see here that this is granular in that I see status is different for this payload, with a 302 redirect
09:11
and a length, uh, that is different than the other
09:15
payloads. So
09:16
from here I can sort and see that
09:20
this is my password.
09:22
So I just want to show you the difference between Hydra and Burp Suite and the good and bad of both.
09:28
Again, this is a little tricky to get the syntax right, but when you get it right, you can see it's a whole lot faster than Burp Suite, but Burp Suite you get a whole lot more data to look at.
09:41
So in summary, we should now understand the different tools in Kali to brute force web logins.