Brute force with Hydra


I will intercept the POST request using Burp Suite, which by the way is a good utility for testing application security. First, configure the Firefox browser: Open menu -> Options -> Network proxy options (pic.1), so that they match the settings in Burp -> Proxy -> Options (pic.2).

 

Pic.1

 

 

Pic.2

 

Then we go to the target site in the browser, open the authentication form and enter wrong data into the login/password fields. We receive a ‘warning message’ about the incorrect data entered; we need it so that Hydra understands that incorrect data has been entered (pic.3).

 

Pic.3

 

Go to Burp -> Proxy -> HTTP history and look for POST /index/sub/ (pic.4).

 

Pic.4

 

All the necessary data is collected, so we run THC-Hydra. The example shows its help output with a brief description of the options (pic.5).

Pic.5

 

After that, we take the information for the command line from the Burp request in pic.4:

Pic.6

Where:

-l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE

-p PASS  or -P FILE  try password PASS, or load several passwords from FILE

-f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)

-v / -V / -d  verbose mode / show login+pass for each attempt / debug mode

-s PORT   if the service is on a different default port, define it here

And the ‘Cookie’ from the Burp request.

 

Hydra can also be used to search for logins, and the -x option generates passwords without a file.

 

This article is strictly educational in character; the author is not responsible for the use by other users of the methods described in the article.
