
Brute Force Attack (Owaspbwa Lab, Hydra Tool)

Linux, Networking & Security are the domains of my interest.

A brute force attack uses trial-and-error to guess login info, encryption key, or find a hidden web page.


Introduction to Brute Force Attacks

A brute force attack uses trial and error to guess login credentials or an encryption key, or to find a hidden web page. Hackers work through all possible combinations, hoping to guess correctly.

Tools like BruteX, Gobuster, Dirsearch, Callow, and Hydra are used to perform these actions without putting in much manual effort.

OWASPBWA

(Vulnerable Machine Link and setup video in the bonus resources)

1. Cluster Bomb Brute force

Navigate to: OWASP Bricks → Bricks → Login Pages


When we input the wrong username & password it returns the “Wrong user name or password.” string.


Now turn on the intercept, type a random username & password, and send that request to Intruder.


Under the attack type, change it to Cluster Bomb, since we will be using two payload sets at a time (one for the username and one for the password).

  • For the username list: /usr/share/wordlists/metasploit/http_default_users.txt
  • For the password list: /usr/share/wordlists/metasploit/http_default_pass.txt

If we start the attack, we can see that the values in the Length column are mostly all different, so how can we determine the correct username & password?


If there is a problem then there exists a solution

What we can do here is filter the responses down to the ones that don’t contain this error message.


Navigate to: Intruder → Options → Grep-Match


Clear the list and enter the expression “Wrong user name or password.” & then run the attack.


Except for ‘admin:admin’, everything else got flagged, so we have probably found the correct username & password.


Let’s give it a try.


Hoorah !!! I logged in as an admin.
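Seen from the defender's side, the run above succeeds because the login page accepts unlimited guesses from one source. The following is an added example, not code from the original post or from OWASP Bricks: a login throttle keyed on both source IP and account, replayed against a constructed guessing run. The names `LoginThrottle`, `login` and `replay_guessing_run`, the thresholds and the address 192.0.2.10 are assumptions made for illustration.

```python
import hmac
from collections import defaultdict, deque

FAIL_MSG = "Wrong user name or password."  # failure string shown by the lab page

class LoginThrottle:
    """Sliding-window failure counter keyed by source IP and by account."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # key -> times of recent failures
        self.locked_until = {}              # key -> time the lock expires

    def is_locked(self, key, now):
        return self.locked_until.get(key, 0) > now

    def record_failure(self, key, now):
        recent = self.failures[key]
        recent.append(now)
        while recent[0] <= now - self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            recent.clear()

def login(throttle, users, ip, username, password, now):
    """Return (ok, message); a locked source or account never reaches the check."""
    keys = [("ip", ip), ("user", username.lower())]
    if any(throttle.is_locked(k, now) for k in keys):
        return False, "Too many attempts. Try again later."
    # Plain-text storage keeps the sample short; a real application compares hashes.
    stored = users.get(username.lower())
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        throttle.failures.pop(("user", username.lower()), None)
        return True, "Welcome"
    for k in keys:
        throttle.record_failure(k, now)
    return False, FAIL_MSG

def replay_guessing_run(users, usernames, passwords, ip="192.0.2.10"):
    """Replay every pair from one source, one request per second (constructed input)."""
    throttle, results, now = LoginThrottle(), [], 0
    for pw in passwords:
        for user in usernames:
            results.append((user, pw) + login(throttle, users, ip, user, pw, now))
            now += 1
    return results
```

The per-source key matters because a run that rotates usernames spreads its failures thinly across accounts; a per-account lock on its own can also be abused to lock out a known account, so it is usually paired with alerting.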

2. Hydra Bwapp Form Bruteforce

Now we will use an advanced tool called “Hydra” that is made specifically for brute force.

Navigate to: bWAPP


Meaning of different parameters in the above command

  • 192.168.29.74 → IP address of the target
  • http-post-form → the type of brute force we want to perform, based on how the credentials are processed by the webpage. From the below diagram, we can see that it was a POST request.
    (http-get-form if they were processed with a GET request)
  • “ ” part → 3 different things
  1. Path to the page we want to brute force
  2. Name of the username field, name of the password field (can be seen in the above screenshot) & the button itself.
  3. String or the message that we get when we specify an incorrect username & password.

-L param → for the file containing usernames
-P param → for the file containing passwords


(Within a few seconds & it’s done)

The valid credentials are
Login: bee
Password: bug

3. Hydra Post Request Form Brute force

This time we will go with the DVWA page


4. Hydra SSH Attack

• Hydra is not just useful for brute-forcing webpages
• It can also be used to brute-force different services like SSH, FTP, etc.

Example.

Let’s first scan for open ports using Nmap with the -F parameter (fast mode, which scans only the most common ports).


Let’s try to target the ssh port with a hydra brute force attack.


Since we were getting the “Warning”, we just reduced the number of parallel tasks to 4 (by default it was 16).

Since we have the credentials to log in let’s try to ssh into the machine.

Problem

ssh root@192.168.29.74 was not working & was giving the following output.


Solution


ssh done !!!
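What this kind of SSH password guessing leaves behind on the target is a burst of failed logins in the sshd log, possibly ending in an accepted one. The following is an added example, not part of the original post: detection logic run over constructed log lines in the OpenSSH syslog format. The hostname, PIDs, ports, source addresses, thresholds and the function name `find_bruteforce` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample; .50 is the guessing source, .10 an admin who mistyped once.
SAMPLE_LOG = """\
Mar  3 10:15:01 owaspbwa sshd[2101]: Failed password for root from 192.168.29.50 port 40112 ssh2
Mar  3 10:15:01 owaspbwa sshd[2102]: Failed password for root from 192.168.29.50 port 40114 ssh2
Mar  3 10:15:02 owaspbwa sshd[2103]: Failed password for invalid user admin from 192.168.29.50 port 40116 ssh2
Mar  3 10:15:02 owaspbwa sshd[2104]: Failed password for root from 192.168.29.50 port 40118 ssh2
Mar  3 10:15:03 owaspbwa sshd[2105]: Failed password for root from 192.168.29.10 port 51200 ssh2
Mar  3 10:15:04 owaspbwa sshd[2106]: Failed password for root from 192.168.29.50 port 40120 ssh2
Mar  3 10:15:05 owaspbwa sshd[2107]: Accepted password for root from 192.168.29.50 port 40122 ssh2
Mar  3 10:15:09 owaspbwa sshd[2108]: Accepted password for root from 192.168.29.10 port 51202 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failures inside the window, and any
    login they complete while still over the threshold (likely compromise)."""
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    findings = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed leap year is assumed here.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if m["result"] == "Failed":
            failures[ip].append(ts)
        if len(failures[ip]) < threshold:
            continue
        hit = findings.setdefault(ip, {"max_failures": 0, "logins_after_failures": []})
        hit["max_failures"] = max(hit["max_failures"], len(failures[ip]))
        if m["result"] == "Accepted":
            hit["logins_after_failures"].append(m["user"])
    return findings
```

On the server itself, `PermitRootLogin`, `MaxAuthTries` and `MaxStartups` in sshd_config limit root password logins, guesses per connection and concurrent unauthenticated connections respectively.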

Resources

  1. BurpSuite Setup
  2. OWASPBWA vulnerable machine
  3. OWASPBWA VM setup video


This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.

© 2022 Ashutosh Singh Patel