Use Hydra Against DVWA high Security Brute Force

Posted by Suraj Singh on January 09, 2019 · 6 mins read
Hello readers,

Have You Ever Tried Hydra? Against Any Practice Lab Web Application. If Not, Then Here I am going to share my Experience. i hope you will enjoy it.

As We All Can Feel, Thc Hydra is Very Good in its work but the problem with hydra is, It's Little Hard To Use. That's why many new bie don't like to use it. well, I'm not saying that its a lie. but today, let's try to use it.

Perform HTTP Get Form Brute Force Attach Using Hydra

Just Follow My Steps One By One.

Step one:

Quickly Setup Your DVWA Setup and Then, Open Your Browser And Attach Your Browser Proxy With Burp Suite. Well (I know, Many of You Guys Want To Try Like My Style, If Yes, Then Challenge Yourself Hard Way, And Open Wireshark Or Browser Developer Tab-> Network Tools Or TcpDump Tool And Many More Other Ways Are Also Available ) Actually, We Just Need To Capture Login Request Format So, That We Can Use Hydra According To Request Requirement.
I don't want to make this post more length because I had already wrote HTTP-POST-FORM attack for Login Page.

 Check Here

Step Two:

After Successfully Login Page Cracking, Now We are now at Index Page, From Here Open Brute Force Tab And Again We Have To Collect Request Sample Of Browser GET request of This Form, Attach Your Burp Suite/ Or Wireshark Or Browser Developer Tool / Tcpdump.
So, Currently My System Showing This Request Format.

User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=grtb3vgd1dqthlksoiaathlio2; security=low
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

So, Then I Sent Again Request After Little Bit Of Eraser To Check Server Response Against This Loosely Structure Request. Note: (This Cookie Value is Very Important Because This is the proof of Our Previous Successful Login. So, Handle it Carefully)

GET /vulnerabilities/brute/ HTTP/1.0
Cookie: PHPSESSID=grtb3vgd1dqthlksoiaathlio2; security=low
Upgrade-Insecure-Requests: 1
And Server Response As Usual. So, From Here. We Got Green Signal. Now We Just Need These Two Extra Header To Add In our Hydra Brute force Requests.

Step Three:

Here Important Point To Keep Remember, Hydra Perform Brute Force Attack Completely Like Any Browser Trying To Login. In Simple Words, It will first open Index Page Then, It Will Perform Web scraping To Extract Useful Form Field, And During Previous Function, Its Completely Store Session Details And Cookie. Then Hydra Update Your Provided Field To Try To Login And Then, Also Check Your Provided String To Ensure that Try is Fail Of Pass You Can Check Hydra Step By Step Procedure Using -d parameter.
1. Create Blank File,
        touch args
2. Open it
     nano args
3. Paste All Your Commands Here.
$ cat args 
hydra -l admin -P ../file/passwords -d http-get-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie\: PHPSESSID=grtb3vgd1dqthlksoiaathlio2; security=high;" -d

Example Explaination:

Command Description
-l LOGIN or -L FILElogin with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE Domain Or IP
http-get-form Attacking Module
Page To Attack (GET Request)
^USER^&Username Pattern
password=^PASS^&Password pattern
Login=LoginOther Data
"F=" or "S="{successful if "S=" \/ Fail if "F="}=Search in Response
(h Or H)=My-Hdr foo to send a user defined HTTP header with each request


F= and S= Only Works if Provided String Only Occurs One Time. So, Use It Carefully.
Use Find Function Into Source Code To Match Any Word.
Use hydra -d for Debug -V for Print output, -o for output

 From here, I hope now Your Hydra Had Started To Crack Password of DVWA Page.

Other Useful Tricks

Debugging Request And Response.
 hydra http-form-post '/login.php:username=^USER^&password=^PASS^&Login=Login:F=src="dvwa/images/RandomStorm.png"' -l admin -p passwords -d | less
Open Web Page In Browser, Simple Type in Terminal
firefox webpageurlhere.html
Get Website Cookie
Open Webpage In Firefox, Press Shift+F9
It Will Open, Storage manager, Then From Cookie Store. Copy Cookies And Paste It.

Hydra Proxy With BurpSuite.
You Can Also connect Hydra With Burp Suite Like This:
Use Command:
And Boom! Now, Use Burpsuite As A Proxy Of hydra.