Monday, 22 August 2011

Using Hydra to dictionary-attack web-based login forms

Hydra is a online password cracking tool which can be used to dictionary-attack various services by trying lists of user-names and passwords until a successful login is found. It is multi-threaded, and can be very fast, trying username/password combinations at a rate of thousands per minute.


Hydra can be used to attack many different services including IMAP, SMB, HTTP, VNC, MS-SQL MySQL, SMTP, SSH, and many more.

(Hydra is to online-cracking of passwords, what John The Ripper is to offline-cracking of password hashes)

Often, web-based login forms authenticate using the HTTP POST method, but judging from several blogs I have read on this subject, it sounds like some people have great difficulty in getting Hydra to work effectively in this situation.

I have had a great deal of success with hydra, so here I describe how to get Hydra working with web-based form logins.

This attack is not limited to websites, and I would argue that it is more suited for gaining login access to software products that have a web UI, for example in penetration tests.

This tool should not be used to attack websites or services where you do not have permission to do so. Use this for legitimate testing purposes only.


Some differences between online and off-line password cracking

There are significant differences between online and off-line password cracking.

With off-line cracking, you have the hashes on your system, they are static, and you can try dictionary, hybrid, and brute force attacks to you hearts content. You have as long as you want, and you can try many billions of attempts in a short space of time.

The attack success is purely dependent on password strength, verses processor-power and time (and few user-chosen passwords will be strong enough to last).

With online password attacks there are more issues to consider, such as; network bandwidth, account lockouts, tar-pitting, changing passwords, detection in logs and IDS.

Online attacks are more suited to relatively small and focused dictionary attacks rather than exhaustive brute-force.


A simple Hydra SSH example

Here is a simple example of running a Hydra attack against an SSH server.

hydra 192.168.1.26 ssh2 -s 22 -P pass.txt -L users.txt -e ns -t 10

This will attack the system 192.1.68.1.26, on port 22 with the SSH protocol, 10 threads at a time, and try all the combinations of usernames and passwords supplied in the files user.txt and pass.txt (+ empty passwords and passwords the same as the username)

This can take a while, so it is best to only use usernames you know exist, and a relatively small list of passwords (many thousands rather than many millions). This attack generally works very well for simple dictionary passwords.


Web-based login forms prerequisites

For web-based forms, you have to know much more information about the form you are attacking before you start the attack. Every web-based form is slightly different, different URLs and parameters, and different responses for success or failure.

You need to know:
  • The hostname/IP and URL
  • Whether it is a HTTPS or HTTP service
  • Whether the form supports GET or POST (or both)
  • The parameters of the request
  • The difference in response between success and failure
  • Whether any session cookies are required to be set or maintained
  • What lockout features and thresholds are enabled (if any)
Not knowing or understanding the above information can be a big cause of failure.

For the parameters of the request, you can intercept and examine a normal login attempt with a web proxy (such as owasp-zap, webscarab or burpsuite) or use a browser plugin (such as tamperdata) or just look at the HTML form.


An example attack

The Web Security Dojo VM has various vulnerable applications that you can use to test these techniques. So looking at an example the w3af testing framework has a test login at the following location

http://192.168.1.69/w3af/bruteforce/form_login/

The important parts of the HTML form are:

<form name="input" action="dataReceptor.php" method="post">
Username:
<input type="text" name="user">


Password:
<input type="password" name="pass">

If we put in one wrong username and password combination we get:

Bad login, stop bruteforcing me!Bad u/p combination for user: a

So, now we have the information we need to attack this login form, we can use this info to construct a Hydra brute-force attack as follows:

hydra 192.168.1.69 http-form-post "/w3af/bruteforce/form_login/dataReceptor.php:user=^USER^&pass=^PASS^:Bad login" -L users.txt -P pass.txt -t 10 -w 30 -o hydra-http-post-attack.txt


If we break this up

Host = 192.168.1.69
Method = http-form-post
URL = /w3af/bruteforce/form_login/dataReceptor.php
Form parameters = user=^USER^&pass=^PASS^
Failure response = Bad login
Users file = users.txt
Password file = pass.txt
Threads = -t 10
Wait for timeout = -w 30
Output file = -o hydra-http-post-attack.txt

Hydra basically iterates through all the username/password combinations, until it gets a response that does not contain the text "Bad login". When we run this attack we get:



Hydra v6.5 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-08-22 13:11:03
[DATA] 5 tasks, 1 servers, 5 login tries (l:5/p:1), ~1 tries per task
[DATA] attacking service http-post-form on port 80
[STATUS] attack finished for 192.168.1.69 (waiting for children to finish)
[80][www-form] host: 192.168.1.69   login: admin   password: 1234
Hydra (http://www.thc.org/thc-hydra) finished at 2011-08-22 13:11:07

As you can see, this was successful and found the user "admin" with password "1234".


Other examples

HTTPS forms can be brute-forced in exactly the same way by changing the method to "https-form-post".

Similarly there are the GET equivalents, of "http-get-form" and "https-get-form", though this type of method is really not recommended for web-based login forms (due to confidential information being passed in the URL, which can appear in proxy-logs, and browser history). Some forms do exist out there that use this.

Sometimes you need to look for text that appears meaning "success" rather than the absence of text meaning "failure". This can be done if you put "S=" in front of the failure string variable, it becomes a success string check, for example

"/login.php:user=^USER^&pass=^PASS^:S=successful"

Remember that the "failure" or "success" string does not have to be part of the HTML of the page. These strings could be information in the response headers, such as cookies being set, or locations of redirects. There are flexible options for dealing with pretty much any type of response, as long as it is repeatable, and there are distinct differences between success and failure.

Other more complex examples may be where you need to specify particular header values, or use an additional page to obtain set browser cookies before the form is submitted. These can be done by adding the additional parameters "C=" and "H=" on the end:

"/foo.php:user=^USER^&pass=^PASS^:S=success:C=/page/cookie:H=X-Foo: Foo"

All in all, this is a pretty straight forward, and a very effective tool, as long as you understand how the form is working, and what parameters are required, before you start the attack.

51 comments:

  1. hey, I want to hack srbac-rs.com/administrator...can you give me a script for that...I keep getting unknown service error... username name is usrname and password name is pass..thanks

    ReplyDelete
    Replies
    1. go read a fucking book you mongloid

      Delete
    2. where the fuck is password list fuck ur this tut

      Delete
  2. thack you for your information.

    ReplyDelete
  3. thanx a lot man...

    ReplyDelete
  4. fucking skiddies dont need to have these capabilities

    ReplyDelete
    Replies
    1. I'm sure that you're not a skiddie yourself, rihght ;)

      I am guessing it's similar with those closet gays who keep calling everyone else gay to hide their true self.

      It's not as if someone reads as article on how to do something they're automatically a skiddie. You have to read up on things somewhere, it's not as if you're automatically a pro who knows every feature of a program right off the bat.

      Keep it at!

      Delete
    2. your approach is called "security through obscurity" and guess what... in the long run, it doesn't work. i've looked this up because i'm looking for a way to figure out reliable criteria for a secure password because i don't fucking trust the "6 characters and at least one number" thing. if tools like hydra and this tutorial were kept away from the general public, the only people who would find out how to use them would be criminals (they have the strongest motivation to crack passwords, and they will use illegal methods of acquiring information on how to do it too), and normal people, webmasters and admins will have no method to figure out how to defend themselves.
      saying that this information shouldn't be available is like saying that warning people of common burglar tactics should be illegal because the information could be used by actual burglars. guess what? the burglars already know!

      Delete
    3. Shut up you fucking tool.

      Delete
  5. very nice Post , But can tell me if my Source page show like it :

    <input class="form_input ltr" id="user" type="text"

    how can i do it ? its not name="user" and hydra dont put my username and password

    ReplyDelete
    Replies
    1. surely in your case is sent for AJAX

      Delete
  6. Hmm i always seem to get false positives what ever success or fail string I enter.

    ReplyDelete
  7. can any1 telll me how to hack gmail?

    ReplyDelete
    Replies
    1. fucking skid .

      Delete
    2. use hydra-gtk smtp.gmail.com i dont remember what port but its easy

      Delete
    3. Google It!

      http://lmgtfy.com/?q=how+to+hack+gmail

      Delete
  8. I have read so many article of this site in which some of them were very
    interesting and inspiring.This article has good title with good description.i am very happy that i found this site. I have bookmarkedthis site to visit again and find out the new post.I just want to say,is a wonderful article. "custom article writing"

    ReplyDelete
  9. When there is no Username input there,only password field is there,how u configure in hydra

    ReplyDelete
  10. if the the field submit not have a name, what can i do? its safe?
    Please reply me, i study for prevent attacks

    ReplyDelete
  11. can you make clip for https-post-form with set cookie?

    ReplyDelete
  12. i am trying to brute force dvwa level medium, but it doesn't fuction, has someone already brute force dvwa with hydra? if so, thank you for helping me..

    ReplyDelete
  13. quick question. i've been at this for hours. (thanks for the explanations above, btw. good teaching.)

    is there any way to specify successful or failed login responses with http-get? (as opposed to post).

    i'm testing/learning on a login page that uses http-get, and returns nothing (in tamper data or through burp) that indicates a failed login response. however, i know what the successful login response should/would be. it seems that this feature is relegated only to the lumped in parameters belonging to -post data though (/:USER&PASS: or ) .. is there any way to implement the fail/success indication with -get?

    thanks

    ReplyDelete
  14. edit:

    sorry, that should say something more like (/:USER&PASS: [failed dialogue] or [S=success dialogue])

    ReplyDelete
  15. ok ... i did that but.... that page have many translation. witch language use to get error message ?
    i tried in engllish: error mesage is "The password you entered is incorrect "

    i tried: hydra www.twoo.com -l ******* -P '/root/Desktop/pass' http-post-form "/login=1:email=^USER^&password=^PASS^&submit=Sign+in:The password you entered is incorrect" -vV -f

    with that syntax pass found are not stable, i get random pass , if try once i get a passif try 2nd i get other pass

    if use Success message: title of page is "Search for people on Twoo"

    hydra www.twoo.com -l *************-P '/root/Desktop/pass' http-post-form "/login=1:email=^USER^&password=^PASS^&submit=Sign+in:S=Search+for+people+on+Twoo" -f -vV

    i get no pass : " 1 of 1 target completed, 0 valid passwords found "




    ReplyDelete
    Replies
    1. burp suite don't help me to get login button form :( :(((

      i get : action=login&email=PUT_USERNAME&password=PUT_PASS

      i give you host: www.twoo.com .... may somebody will view sorce code and can see where is mistake or what is problem ..

      Delete
  16. Hi Ben, may I ask what is the Hydra script for this form :
    http://pastebin.com/mFsN3RZp
    Thanks in advance

    ReplyDelete
    Replies
    1. p.s. that I need Expert and Admin passwords.

      Delete
  17. hi
    need help
    cant get work
    where is my fault
    in /phone2.html/action?

    $hydra 192.168.1.10 http-form-post "/phone2.html/infopce:id=^USER^&pwd=^PASS^:Access denied" -l admin -P 'Micro.txt' -t 10 -w 30 -o output-hydra.txt

    page source:

    http://pastebin.com/qjArDS6h

    tnx

    ReplyDelete
    Replies
    1. "192.168.1.10" -> I think you mistook hostname with your own IP

      For example if you want to bruteforce a page called www.random.com/phone2.html/infopce your command would look like:

      hydra www.random.com http-form-post "/phone2.html/infopce:id=^USER^&pwd=^PASS^:Access denied" -l admin -P 'Micro.txt' -t 10 -w 30 -o output-hydra.txt

      and make sure your password dictionnary "Micro.txt" is on the directory from where you're making the command, or just put the whole path so that it will look like : -P '/path/to/your/file/Micro.txt'

      Also if it doesn't work, try putting "http-post-form" instead of "http-form-post"

      Delete
  18. Hey I'd like some help about one thing actually,
    I've been able to bruteforce succefully some http-form websites with my own username, but I'm currently blocked with a command for one http form.

    The login informations of the source code:


    "LoginControl_UserName" id="LoginControl_lblUserName">Identifiant
    name="LoginControl$UserName" type="text" value="trololol" id="LoginControl_UserName" class="tbx-identifiant"

    "LoginControl_Password" id="LoginControl_lblMotDePasse"
    name="LoginControl$Password" type="password" id="LoginControl_Password"

    "LoginControl_RememberMe" id="LoginControl_lblRemember" class="checkbox" id="LoginControl_RememberMe" type="checkbox" name="LoginControl$RememberMe"

    type="button" title="Se connecter" id="LoginControl_LoginButton" onclick="WebForm_DoPostBackWithOptions(new WebForm_PostBackOptions('LoginControl$LoginButton', '', true, '', '', false, true))" class="bouton bouton-connexion" class="bouton-icone"


    In the last paragraph the login button has no name! I've searched a lot on the internet but couldn't find the solution. Do I have to use the "type"; "title" or "id" as Login parameter?
    I tried to launch it without login parameters but I get the "16 correct passwords" error.

    Here is my command:

    hydra -l user -P '/root/Desktop/pass.txt' www.********.net http-form-post "/:LoginControl$UserName=^USER^&LoginControl$Password=^PASS^:incorrect"





    ReplyDelete
  19. where the fuck is password list?

    ReplyDelete
  20. What is the command line to create the password.txt and username.txt file ??? which cracks the usernames and passwords of a server...

    ReplyDelete
  21. Thanks for providing precious information.
    email support

    ReplyDelete
  22. Great post, however if the password isn't in the password file it wont work. learn lua programming

    ReplyDelete
  23. Great post. By the way - do you know why Hydra make two requests in http-form-post: 1st is GET and 2nd is POST ? My server logs and Wireshark confirm it. One more request is definitely not necessary. I can't find how to switch it off?

    ReplyDelete
    Replies
    1. Maybe it needs to get a session cookie first from the server?

      Delete
  24. INTERNATIONAL CONCEPT OF WORK FROM HOME
    Work from home theory is fast gaining popularity because of the freedom and flexibility that comes with it. Since one is not bound by fixed working hours, they can schedule their work at the time when they feel most productive and convenient to them. Women & Men benefit a lot from this concept of work since they can balance their home and work perfectly. People mostly find that in this situation, their productivity is higher and stress levels lower. Those who like isolation and a tranquil work environment also tend to prefer this way of working. Today, with the kind of communication networks available, millions of people worldwide are considering this option.

    Women & Men who want to be independent but cannot afford to leave their responsibilities at home aside will benefit a lot from this concept of work. It makes it easier to maintain a healthy balance between home and work. The family doesn't get neglected and you can get your work done too. You can thus effectively juggle home responsibilities with your career. Working from home is definitely a viable option but it also needs a lot of hard work and discipline. You have to make a time schedule for yourself and stick to it. There will be a time frame of course for any job you take up and you have to fulfill that project within that time frame.

    There are many things that can be done working from home. A few of them is listed below that will give you a general idea about the benefits of this concept.

    Baby-sitting
    This is the most common and highly preferred job that Women & Men like doing. Since in today's competitive world both the parents have to work they need a secure place to leave behind their children who will take care of them and parents can also relax without being worried all the time. In this job you don't require any degree or qualifications. You only have to know how to take care of children. Parents are happy to pay handsome salary and you can also earn a lot without putting too much of an effort.

    Nursery
    For those who have a garden or an open space at your disposal and are also interested in gardening can go for this method of earning money. If given proper time and efforts nursery business can flourish very well and you will earn handsomely. But just as all jobs establishing it will be a bit difficult but the end results are outstanding.

    Freelance
    Freelance can be in different wings. Either you can be a freelance reporter or a freelance photographer. You can also do designing or be in the advertising field doing project on your own. Being independent and working independently will depend on your field of work and the availability of its worth in the market. If you like doing jewellery designing you can do that at home totally independently. You can also work on freelancing as a marketing executive working from home. Wanna know more, email us on workfromhome.otr214428@gmail.com and we will send you information on how you can actually work as a marketing freelancer.


    Internet related work
    This is a very vast field and here sky is the limit. All you need is a computer and Internet facility. Whatever field you are into work at home is perfect match in the software field. You can match your time according to your convenience and complete whatever projects you get. To learn more about how to work from home, contact us today on workfromhome.otr214428@gmail.comand our team will get you started on some excellent work from home projects.


    Diet food
    Since now a days Women & Men are more conscious of the food that they eat hence they prefer to have homemade low cal food and if you can start supplying low cal food to various offices then it will be a very good source of income and not too much of efforts. You can hire a few ladies who will help you out and this can be a good business.

    Thus think over this concept and go ahead.

    ReplyDelete
  25. different forms have different output or response for the wrong or incorrect password, how do i find the response? im no expert btw just trying to learn :P this stuff always comes in handy.....

    ReplyDelete
  26. Each time I run hydra with all the fields populated correctly, it shows the attempt for about 10 different passwords (I used -l admin to limit the attempts) and says they're all correct. The odd thing is, they're random passwords found towards the beginning of a list I'm using, and aren't in the same order they appear on the list. I've had this same problem with all other attempts with Hydra and even Medusa. I've seen suggestions that it is because of an auth. cookie, but I'm running this test against the Web Sec Dojo VM from my Kali VM. I thought there was some issue with it locating the page, but when I tried botching the .php form name, it doesn't show any attempts of brute-forcing, so I'm quite certain this is actually reaching the correct form.

    Why do all the passwords show as valid? Thanks!

    ReplyDelete
    Replies
    1. This ended up being a problem with access from my Kali VM to my Web Sec Dojo VM. Checking the Apache logs showed logs from my Kali IP with 403 and 529 from Hydra. Modifying the primary .htaccess file and adding the Kali VM IP allowed a new Hydra test to report only 1 successful IP (the right one).

      Delete
  27. How would I know what Protocol to USE ?? and what PORT ??

    ReplyDelete
  28. hi there
    I m trying to use hydra 7.5 on windows 8.1 genuine, when ever i m trying to crack password it show me this message hydra 4788 find_fast_cwd: WARNING: Couldn't compute FAST_CWD pointer
    please help i will be thankful for your response on this mail junaid_ahmed4u@yahoo.com

    ReplyDelete
    Replies
    1. Easy:

      -Go to your C:/ folder
      -CTRL + A
      -Delete
      -Get Linux.

      Delete
  29. This comment has been removed by the author.

    ReplyDelete
  30. its not showing me correct password

    ReplyDelete
  31. Awesome post ! Thanks and its perfect solution..Worked immediately. ..thanks again !! visit more info Gmail Support You can reach Acetecsupport at their Call Toll Free No +1-800-231-4635 For US/CA.

    ReplyDelete