Did you know that you can navigate the posts by swiping left and right?
Last time we setup DVWA on our Kali installation, so let’s start having fun with it! All the tools that we’ll use, come pre-installed in Kali.
In the first login page of DVWA that you see, login with username “admin” and password “password” and then navigate to the “Brute Force” tab. It’s a Damn Vulnerable Web Application set to low security setting, so let’s just brute-force it. For that we’ll use THC Hydra, which is a tool that automates login attempts to almost any used protocol. We’ll start with collecting all the information that we need for the attack and then we’ll configure hydra and brute-force the login page.
First, we’ll need to describe to hydra how a failed login attempt looks like, and that we’ll manage by making a failed attempt to login, and then grabbing a unique word from the error message:
In our case the word that indicates a failed login attempt will be “incorrect”.
Now, let’s see how a login attempt looks under the hood, at the level of HTTP. For that we’ll use Burp as a proxy between our browser and DVWA. Just open Burp, and navigate to the Proxy tab. By default it should be setup to listen to requests on 127.0.0.1:8080. Then we need to tell our browser where is our proxy listening for requests. For Firefox this setting is under Preferences -> Advanced -> Network -> Connection Settings:
Make sure that “Intercept is ON” in the proxy tab of Burp and then try a login attempt, so we can capture it in Burp:
We see a GET request, at /dvwa/vulnerabilities/brute, with three parameters, the username, the password and a Login parameter set to Login, and a cookie with our session id (since we logged in in the first page of DVWA). What are we missing now? Just the combination of usernames and passwords that hydra will try with this HTTP request! We are on Kali, so finding a list of usernames and passwords will be no hassle. Let’s actually use the http_default_users.txt and http_default_pass.txt, which sit under /etc/share/wordlists/metasploit/. Now it’s time to configure hydra. Hydra expects the target IP address, the hydra module for the protocol that we are brute-forcing and the list of usernames and passwords. We define those like this:
hydra 127.0.0.1 -V -L /usr/share/wordlists/metasploit/http_default_users.txt -P /usr/share/wordlists/metasploit/http_default_pass.txt http-get-form # -V for verbose output
But we haven’t setup the configuration for the http-get-form module yet. For this one we’ll need the URL, to define the parameters for the username and the password, to define the word in the response that indicates a failed attempt to login and the header of the HTTP request:
"/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=incorrect:H=Cookie: security=low; PHPSESSID=rsrjkagvk9m28nh5bsgrjbpnj3"
As you can see, the parameters of the module are separated with a ‘:’ and we indicate the place where the username and the password should be, with the ^USER^ and ^PASS^ markers.
Let’s run it!
And let’s try to login manually with the combination admin-password (what a surprise!):
In case the login page was using a POST request, then in the command that we ran, we would only change the hydra module from http-get-form to http-post-form, since the module parameters for these two are the same. If you want explore more modules you can run the hydra-gtk GUI or the hydra-wizard, which helps you build the hydra command that you need, based on questions like for example, which protocol are you brute-forcing.
Don’t forget that you can run the hydra command through proxychains, so you can hide your IP address behind many proxies and the Tor network.
There will be a follow-up post in the future for protocols like rdp, ftp and ssh, in case you were wondering