How To Crack Online Web Form Passwords With THC-Hydra & Burp Suite

BY hack-byte
PASSWORD CRACKING
Welcome back, my hacker novitiates!

In an earlier tutorial, I had introduced you to two essential tools for cracking
online passwords: Tamper Data and THC-Hydra. In that guide, I promised to
follow up with another tutorial on how to use THC-Hydra against web forms, so
here we go. Although you can use Tamper Data for this purpose, I want to
introduce you to another tool that is built into Kali, Burp Suite.
Step 1: Open THC-Hydra
So, let's get started. Fire up Kali and open THC-Hydra from Applications -> Kali
Linux -> Password Attacks -> Online Attacks -> hydra.
Step 2: Get the Web Form Parameters
To be able to hack web form usernames and passwords, we need to determine
the parameters of the web form login page as well as how the form responds to
bad/failed logins. The key parameters we must identify are the:

IP Address of the website
URL
type of form
field containing the username
field containing the password
failure message
We can identify each of these using a proxy such as Tamper Data or Burp Suite.

Step 3: Using Burp Suite

Although we can use any proxy to do the job, including Tamper Data, in this
post we will use Burp Suite. You can open Burp Suite by going to Applications
-> Kali Linux -> Web Applications -> Web Application Proxies -> burpsuite.
When you do, you should see the opening screen like below.
Next, we will be attempting to crack the password on the Damn Vulnerable Web
Application (DVWA). You can run it from the Metasploitable operating system
(available at Rapid7) and then connect to its login page, as I have here.
We need to enable the Proxy and Intercept on the Burp Suite like I have below.
Make sure to click on the Proxy tab at the top and then Intercept on the second
row of tabs. Make certain that the "Intercept is on."
Last, we need to configure our IceWeasel web browser to use a proxy. We can
go to Edit -> Preferences -> Advanced -> Network -> Settings to open the
Connection Settings, as seen below. There, configure IceWeasel to use
127.0.0.1 port 8080 as a proxy by typing in 127.0.0.1 in the HTTP Proxy field,
8080 in the Port field and delete any information in the No Proxy for field at the
bottom. Also, select the "Use this proxy server for all protocols" button.
Step 4: Get the Bad Login Response
Now, let's try to log in with my username OTW and password OTW. When I do
so, the BurpSuite intercepts the request and shows us the key fields we need
for a THC-Hydra web form crack.
After collecting this information, I then forward the request from Burp Suite by
hitting the "Forward" button to the far left. The DVWA returns a message that
the "Login failed." Now, I have all the information I need to configure THC-Hydra
to crack this web app!
Getting the failure message is key to getting THC-Hydra to work on web forms.
In this case, it is a text-based message, but it won't always be. At times it may
be a cookie, but the critical part is finding out how the application communicates
a failed login. In this way, we can tell THC-Hydra to keep trying different
passwords; only when that message does not appear, have we succeeded.

Step 5: Place the Parameters into Your THC-Hydra Command

Now that we have the parameters, we can place them into the THC-Hydra
command. The syntax looks like this:
kali > hydra -L <username list> -P <password list> <IP Address> <form parameters><failed login message>
So, based on the information we have gathered from Burp Suite, our command
should look something like this:

kali > hydra -L <wordlist> -P <password list> 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"
A few things to note. First, you use the upper case "L" if you are using a
username list and a lower case "l" if you are trying to crack one username that
you supply there. In this case, I will be using the lower case "l" as I will only be
trying to crack the "admin" password.

After the address of the login form (/dvwa/login.php), the next field is the name
of the field that takes the username. In our case, it is "username," but on some
forms it might be something different, such as "login."
Now, let's put together a command that will crack this web form login.

Step 6: Choose a Wordlist

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is
key. You can use a custom one made with Crunch or CeWL, but Kali has
numerous wordlists built right in. To see them all, simply type:
kali > locate wordlist
In addition, there are numerous online sites with wordlists that can be up to 100
GB! Choose wisely, my hacker novitiates. In this case, I will be using a built-in
wordlist with less than 1,000 words at:

/usr/share/dirb/wordlists/short.txt
Step 7: Build the Command
Now, let's build our command with all of these elements, as seen below.

kali > hydra -l admin -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -V

-l indicates a single username (use -L for a username list)
-P indicates use the following password list
http-post-form indicates the type of form
/dvwa/login.php is the login page URL
username is the form field where the username is entered
^USER^ tells Hydra to use the username or list in the field
password is the form field where the password is entered (it may be passwd, pass, etc.)
^PASS^ tells Hydra to use the password list supplied
Login indicates to Hydra the login failed message
Login failed is the login failure message that the form returned
-V is for verbose output showing every attempt
Step 8: Let Her Fly!
Now, let her fly! Since we used the -V switch, THC-Hydra will show us every
attempt.
After a few minutes, Hydra returns with the password for our web application.
Success!

Final Thoughts
Although THC-Hydra is an effective and excellent tool for online password
cracking, when using it in web forms, it takes a bit of practice. The key to
successfully using it in web forms is determining how the form responds
differently to a failed login versus a successful login. In the example above, we
identified the failed login message, but we could have identified the successful
message and used that instead. To use the successful message, we would
replace the failed login message with "S=successful message" such as this:
kali > hydra -l admin -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:S=success message" -V
Also, some web servers will notice many rapid failed attempts at logging in and
lock you out. In this case, you will want to use the wait function in THC-Hydra.
This will add a wait between attempts so as not to trigger the lockout. You can
use this functionality with the -w switch, so we revise our command to wait 10
seconds between attempts by writing it:
kali > hydra -l admin -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -w 10 -V
I recommend that you practice the use of THC-Hydra on forms where you know
the username and password before using it out "in the wild."
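
Seen from the application owner's side, the paced attempts described above are why failed logins should be counted per account over a long window and not only as a burst rate. The following is an added example, not part of the original tutorial: the log format, thresholds, source addresses and sample lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    # Constructed format: "<ISO time> <source IP> <username> <FAIL|OK>"
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome

def detect_guessing(lines, window=timedelta(minutes=15), threshold=10):
    """Flag accounts with >= threshold failed logins inside a sliding window.

    Counting per account over a long window still catches attempts paced
    10 seconds apart, which a short burst-rate limit never sees.
    """
    recent = defaultdict(deque)  # username -> (time, source) of recent failures
    alerts = {}
    for ts, ip, user, outcome in map(parse, lines):
        q = recent[user]
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if outcome == "FAIL":
            q.append((ts, ip))
            if len(q) >= threshold:
                a = alerts.setdefault(
                    user, {"sources": set(), "failures": 0, "compromised": False})
                a["sources"].update(src for _, src in q)
                a["failures"] = max(a["failures"], len(q))
        else:
            if user in alerts and q:
                # Success straight after a flagged run: treat the account as taken over.
                alerts[user]["compromised"] = True
            q.clear()  # any success resets the failure run
    return alerts

def sample_log():
    # Constructed sample: "admin" is guessed every 10 s from one host, then a hit;
    # "alice" mistypes twice and logs in normally.
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    at = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [f"{at(10 * i)} 192.168.1.50 admin FAIL" for i in range(30)]
    lines.append(f"{at(300)} 192.168.1.50 admin OK")
    lines += [f"{at(61)} 192.168.1.77 alice FAIL",
              f"{at(66)} 192.168.1.77 alice FAIL",
              f"{at(80)} 192.168.1.77 alice OK"]
    return sorted(lines)  # ISO timestamps sort chronologically

if __name__ == "__main__":
    for user, info in detect_guessing(sample_log()).items():
        print(user, info)
```

Run over the same sample with a burst-style rule (5 failures within 10 seconds), the detector reports nothing, while the 15-minute per-account window flags the "admin" run and marks the final success as a likely compromise.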

Keep coming back, my hacker novitiates, as we continue to expand your
repertoire of hacker techniques and arts!
