Brute Forcing Web-Based Authentication With THC-Hydra

Brief Introduction

We will be using  the UNIX distribution of THC-Hydra and I'll go through some of its main features and different attack methods.

How to install:

First you’ll need Backtrack or Kali ( this tutorial is done in backtrack) , of course. You can either run it in virtualization on a virtual machine like VMware or Virtualbox. I will not cover how to boot Backtrack, there have already been lots of tutorials on the net.

Now I suppose most of you know how to run it but nevertheless I included a guide for the installation process under Backtrack 5R2 (or any unix based system as a whole).

Open up a terminal and type:

wget http://freeworld.thc.org/releases/hydra-6.3-src.tar.gz

Once dowloaded: Extract it : 

tar -xvf hydra-6.3-src.tar.gz

Now Configure and Install

./configure && make && install

make install 

HOW TO USE: 

Note: If you are attacking FTP service then first make sure to run an nmap scan for any open FTP ports (by default it should be 21)

Now in order to brute-force a specific login form you need to define the username (if you don't know it include a file containing some), the wordlists directory, the service attacking and form method and the page itself.

Specifying those parameters the attack would look like:

./hydra -l admin -P /root/Words.txt site.com http-post-form "/login.php&username=^USER^&password=^PASS^"

The -l switch defines the username and the capital -L - a list of usernames for the brute-force attack (if you don't know the login).

The -p switch defines the password and the capital -P - the directory for the wordlists ( the -P is used almost always)


If we're attacking a web form over http and the method is post then we use "http-post-form" if the service is FTP simply use "ftp".

Another thing you should be aware of is that the variables username and password are not always the same. They different depending on the code.

hey could be usr,pwd etc - it's not necessarily for them to be as in most cases "username" & "password". Just view the source and make sure what their names are.

Now there are a lot more options of Hydra. I'll explain some of them below no matter that they are included in the MAN page of hydra

-vV - The verbose mode. This mode shows you every login attempt hydra tries.
-s - We specify the port on which we're running our attack.
-x - For brute-force parameters generation. We define our charset and minimum & maximum length of it.
-R - Restores a previously aborted session of an attack.
-e ns - Checks for blank or no password fields.

So an example of an advanced attack would look like:

./hydra -L /root/usernames.txt -P /root/HugeDB.txt -e ns -vV -s 80 site.com http-post-form "/login.php&username=^USER^&password=^PASS^