Using Hydra to dictionary-attack web-based login forms

Using Hydra to dictionary-attack web-based login forms

 

Hydra is a online password cracking tool which can be used to dictionary-attack various services by trying lists of user-names and passwords until a successful login is found. It is multi-threaded, and can be very fast, trying username/password combinations at a rate of thousands per minute.

Hydra can be used to attack many different services including IMAP, SMB, HTTP, VNC, MS-SQL MySQL, SMTP, SSH, and many more.

(Hydra is to online-cracking of passwords, what John The Ripper is to offline-cracking of password hashes)

Often, web-based login forms authenticate using the HTTP POST method, but judging from several blogs I have read on this subject, it sounds like some people have great difficulty in getting Hydra to work effectively in this situation.

I have had a great deal of success with hydra, so here I describe how to get Hydra working with web-based form logins.

This attack is not limited to websites, and I would argue that it is more suited for gaining login access to software products that have a web UI, for example in penetration tests.

This tool should not be used to attack websites or services where you do not have permission to do so. Use this for legitimate testing purposes only.


Some differences between online and off-line password cracking

There are significant differences between online and off-line password cracking.

With off-line cracking, you have the hashes on your system, they are static, and you can try dictionary, hybrid, and brute force attacks to you hearts content. You have as long as you want, and you can try many billions of attempts in a short space of time.

The attack success is purely dependent on password strength, verses processor-power and time (and few user-chosen passwords will be strong enough to last).

With online password attacks there are more issues to consider, such as; network bandwidth, account lockouts, tar-pitting, changing passwords, detection in logs and IDS.

Online attacks are more suited to relatively small and focused dictionary attacks rather than exhaustive brute-force.


A simple Hydra SSH example

Here is a simple example of running a Hydra attack against an SSH server.

hydra 192.168.1.26 ssh2 -s 22 -P pass.txt -L users.txt -e ns -t 10

This will attack the system 192.1.68.1.26, on port 22 with the SSH protocol, 10 threads at a time, and try all the combinations of usernames and passwords supplied in the files user.txt and pass.txt (+ empty passwords and passwords the same as the username)

This can take a while, so it is best to only use usernames you know exist, and a relatively small list of passwords (many thousands rather than many millions). This attack generally works very well for simple dictionary passwords.


Web-based login forms prerequisites

For web-based forms, you have to know much more information about the form you are attacking before you start the attack. Every web-based form is slightly different, different URLs and parameters, and different responses for success or failure.

You need to know:

• The hostname/IP and URL
• Whether it is a HTTPS or HTTP service
• Whether the form supports GET or POST (or both)
• The parameters of the request
• The difference in response between success and failure
• Whether any session cookies are required to be set or maintained
• What lockout features and thresholds are enabled (if any)

Not knowing or understanding the above information can be a big cause of failure.

For the parameters of the request, you can intercept and examine a normal login attempt with a web proxy (such as owasp-zap, webscarab or burpsuite) or use a browser plugin (such as tamperdata) or just look at the HTML form.


An example attack

The Web Security Dojo VM has various vulnerable applications that you can use to test these techniques. So looking at an example the w3af testing framework has a test login at the following location

http://192.168.1.69/w3af/bruteforce/form_login/

The important parts of the HTML form are:

<form name="input" action="dataReceptor.php" method="post">
Username:
<input type="text" name="user">


Password:
<input type="password" name="pass">

If we put in one wrong username and password combination we get:

Bad login, stop bruteforcing me!Bad u/p combination for user: a

So, now we have the information we need to attack this login form, we can use this info to construct a Hydra brute-force attack as follows:

hydra 192.168.1.69 http-form-post "/w3af/bruteforce/form_login/dataReceptor.php:user=^USER^&pass=^PASS^:Bad login" -L users.txt -P pass.txt -t 10 -w 30 -o hydra-http-post-attack.txt


If we break this up

Host = 192.168.1.69
Method = http-form-post
URL = /w3af/bruteforce/form_login/dataReceptor.php
Form parameters = user=^USER^&pass=^PASS^
Failure response = Bad login
Users file = users.txt
Password file = pass.txt
Threads = -t 10
Wait for timeout = -w 30
Output file = -o hydra-http-post-attack.txt

Hydra basically iterates through all the username/password combinations, until it gets a response that does not contain the text "Bad login". When we run this attack we get:

Hydra v6.5 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-08-22 13:11:03
[DATA] 5 tasks, 1 servers, 5 login tries (l:5/p:1), ~1 tries per task
[DATA] attacking service http-post-form on port 80
[STATUS] attack finished for 192.168.1.69 (waiting for children to finish)
[80][www-form] host: 192.168.1.69   login: admin   password: 1234
Hydra (http://www.thc.org/thc-hydra) finished at 2011-08-22 13:11:07

As you can see, this was successful and found the user "admin" with password "1234".


Other examples

HTTPS forms can be brute-forced in exactly the same way by changing the method to "https-form-post".

Similarly there are the GET equivalents, of "http-get-form" and "https-get-form", though this type of method is really not recommended for web-based login forms (due to confidential information being passed in the URL, which can appear in proxy-logs, and browser history). Some forms do exist out there that use this.

Sometimes you need to look for text that appears meaning "success" rather than the absence of text meaning "failure". This can be done if you put "S=" in front of the failure string variable, it becomes a success string check, for example

"/login.php:user=^USER^&pass=^PASS^:S=successful"

Remember that the "failure" or "success" string does not have to be part of the HTML of the page. These strings could be information in the response headers, such as cookies being set, or locations of redirects. There are flexible options for dealing with pretty much any type of response, as long as it is repeatable, and there are distinct differences between success and failure.

Other more complex examples may be where you need to specify particular header values, or use an additional page to obtain set browser cookies before the form is submitted. These can be done by adding the additional parameters "C=" and "H=" on the end:

"/foo.php:user=^USER^&pass=^PASS^:S=success:C=/page/cookie:H=X-Foo: Foo"

All in all, this is a pretty straight forward, and a very effective tool, as long as you understand how the form is working, and what parameters are required, before you start the attack.

Posted by Ben at 13:34

 

 

 

32 comments:

1. 
   Anonymous23 August 2011 12:31

   nice article, thx !

   Reply
2. 
   John S.4 September 2011 19:52

   Really an excellent article!
   Do you know where i can get more information on how to set cookies in Hydra? I've searched the Hydra documentation, and found nothing that would help...
   I'm using the DVWA VM for the tests.
   Thank you.

   Reply
3. 
   Ben7 September 2011 17:17

   Hi John,
   Yeah, that can be a bit fiddly, but basically you need to set a 'H=Cookie: SESSIONID=j39rf30dj30' or whatever - you might need to play around a bit to get that working.
   Regards
   Ben

   Reply
   Replies

    

    
4. 
   Jonathan Drafton25 January 2012 19:17

   Hey, I am working on a similar issue and have been trying to figure out how to pass the cookie as well.
   
   The Hydra documentation has the example:
   "/login:user=^USER&pass=^PASS:failed:H=Authorization: Basic dT1w:H=X-Foo: Bar"
   
   And other than the known typos in the documentation (^USER should be ^USER^ and same for pass) if I try to replicate it I get:
   
   ERROR: Wrong syntax of optional argument: Basic dT1w
   
   I have been doing some research, trying to figure this out without any success. It appears to not be documented anywhere, so are there any other ideas you might have?
   
   Some things I have tried and their results:
   
   hydra -l admin -p admin 192.168.130.142 http-get-form "/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie=security=low; PHPSESSID=mgo7mhnlmtoa7cijjfspdd4i14"
   
   Results: no error but didn't crack the password (which i know is admin:admin)
   
   :H=PHPSESSID=mgo7mhnlmtoa7cijjfspdd4i14"
   
   Results: no error but didn't crack the password.
   
   :H='Set-Cookie:security=low; PHPSESSID=mgo7mhnlmtoa7cijjfspdd4i14'"
   
   Results: ERROR: Wrong syntax of optional argument: security=low; PHPSESSID=mgo7mhnlmtoa7cijjfspdd4i14'
   
   :C=/dvwa/index.php" (using the C optional argument instead, to fetch the cookie)
   
   Results: Error: Child with pid 17899 terminating, can not connect
   
   :C=/dvwa/login.php"
   
   Results: Error: Child with pid 17902 terminating, can not connect
   
   :C=security=low; PHPSESSID=mgo7mhnlmtoa7cijjfspdd4i14"
   
   Results: Error: Child with pid 17907 terminating, can not connect
   
   :H=Cookie=PHPSESSID=mgo7mhnlmtoa7cijjfspdd4i14"
   
   Results: no errors but does not crack the password
   
   :H=PHPSESSID=mgo7mhnlmtoa7cijjfspdd4i14"
   
   Results: no errors but does not crack the password
   
   The most interesting results I obtained, was a combination:
   
   :C=/dvwa/index.php:H=PHPSESSID=mgo7mhnlmtoa7cijjfspdd4i14"
   
   Results: ERROR: Wrong syntax of parameter H, must look like 'H=X-My-Header: MyValue', no http:// : H=PHPSESSID=mgo7mhnlmtoa7cijjfspdd4i14
   
   :C=/dvwa/index.php:H=Cookie: PHPSESSID=mgo7mhnlmtoa7cijffspdd4i14"
   
   Results: Error: Child with pid 18063 terminating, can not connect
   
   :H=PHPSESSID: mgo7mhnlmtoa7cijjfspdd4i14"
   
   Results: ERROR: Wrong syntax of optional argument: mgo7mhnlmtoa7cijjfspdd4i14
   
   This lead me to trying the exact examples given:
   
   :H=Authorization: Basic dT1w:H=X-Foo: Bar"
   
   Results: ERROR: Wrong syntax of optional argument: Basic dT1w

5.  

   Reply
6. 
   Anonymous16 October 2011 17:59

   How to do it when form requests only password?

   Reply
7. 
   Anonymous16 October 2011 18:02

   like this code:
   
   form action="/login" method="post"
   input type="hidden" name="url" value="^U"
   font face="Trebuchet MS,Arial"Please reenter the password:/font input type="password" name="user"
   input type="submit" value="Authenticate"
   /form

   Reply
8. 
   Ben23 October 2011 15:17

   Anonymous,
   Just leave out "user=^USER^&" or whatever...
   Ben

   Reply
9. 
   mtmal27 October 2011 19:08

   Hey great article. But when i set the bad login message, hydra doenst reconize. The site do not show a window with the message, just a red phrase under the login bar. So, Hyydra cant reconize this red message. Any suggestions?

   Reply
10. 
    Ben3 November 2011 21:22

    mtmal,
    Sure it can. What is HTML for red?
    
    ;o)
    
    Ben

    Reply
11. 
    Andrea28 November 2011 20:22

    I am trying to login on honeywell access control netAXS through https.I know user is admin but I can remember the password.if I reset the panel I will erase all csv files and I have to imput manually.Any sugestion guys?
    Thanks!

    Reply
12. 
    Andrea28 November 2011 21:01

    so the question is can I use hydra to get this password?
    thanks!

    Reply
13. 
    Ben29 November 2011 07:55

    Andrea,
    Sure, of course you can. Follow the guide above.
    Ben

    Reply
14. 
    Anonymous28 December 2011 03:49

    i want 2 crack dvwa login page
    it is the url :http://127.0.0.1/dvwa/vulnerabilities/brute/
    
    how 2 crack it ? and how many user name and passwords i have 2 insert in user name password text files... becoz i know the user name password , but i want 2 learn how hydra will crack it

    Reply
15. 
    Anonymous31 December 2011 03:09

    plz reply

    Reply
16. 
    Ben8 January 2012 08:30

    Anonymous,
    Right, well; you have all the clues you need above. Go through the bullet points carefully.
    
    Hacking is all about research and experimentation, you need patience and dedication (if you don't want to do that then just go back to the TV).
    
    All the clues are listed above. Work through the bullet points, collect all the information, and do some troubleshooting.
    Ben

    Reply
    Replies

     

     
17. 
    Anonymous12 January 2012 09:54

    i used this command.... can u tell me what i done wrong ?
    command was "hydra 127.0.0.1 http-form-get "/dvwa/vulnerabilities/brute.php:user=^USER^&pass=^PASS^:incorrect" -L users.txt -P pass.txt -t 10 -w 30 -o hydra-http-get-attack.txt

18.  

    Reply
19. 
    Anonymous9 February 2012 03:29

    How do i find "Bad login" on site i want to brute force. Hydra response me that 10/10 password are valid. Please help

    Reply
20. 
    Ben11 February 2012 22:12

    Anonymous,
    Well, everything you need to know is on this page, but I can't tell you how to tie your shoelaces because I don't know what kind of shoes you have.
    Ben

    Reply
21. 
    Anonymous12 February 2012 01:04

    Hi Ben. Thanks for an amzing article. It helped me a lot. I wonder if you can answer one question for me; How can I deal with a form who's action parameter points to another URL instead of a page?
    
    Here is what I mean:- The form is on http://www.somepage.com/en/login
    The form HTML is as follows:-
    form name="Login" id="Login" action="https://www.somepage.com/post" method="post" onsubmit="return false;"
    
    Because I notice in your example the FORM ACTION points to another page on the same URL.
    
    Your help is much appreciated.

    Reply
22. 
    Ben13 February 2012 09:25

    Anonymous,
    If there is a difference in the response (which there is) you basically just need Hydra to spot that response.
    
    I.e. what is the difference in the raw data of the response, and work with that.
    
    (You can use Hydra in verbose mode, or wireshark or burp or whatever to look for the difference in detail)
    Ben

    Reply
23. 
    Ben13 February 2012 09:33

    Ben,
    BTW - if anyone is using this to article to try to attack websites without permission, they are way too dumb (probably too dumb to make it work anyway).
    
    Your ISP knows every request you make, and attacks like this will "stick out like a sore thumb" when they hand your logs over to the police ;o)
    
    Take care, be good, and remember that if you want to learn something - you will have to do some study.
    
    Regards
    Ben

    Reply
24. 
    Anonymous1 March 2012 05:27

    Everytime I use hydra without -l or -L I get:
    Error: I need atleast the -l, -L, or -C option to know login
    
    My wifi guest account is setup not to accept a username?
    
    http-post-form /guestnetwork.cgi:pass=^PASS^:S=successful
    
    ??

    Reply
25. 
    Anonymous10 March 2012 10:10

    Jonathan
    Hey, I am working on a similar issue
    
    root@bt:~# hydra -s 80 -l admin -P Desktop/login.txt localhost http-get-form "/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username"
    Hydra v6.2 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
    Hydra (http://www.thc.org/thc-hydra) starting at 2012-03-10 11:58:04
    [DATA] 5 tasks, 1 servers, 5 login tries (l:1/p:5), ~1 tries per task
    [DATA] attacking service http-get-form on port 80
    [STATUS] attack finished for localhost (waiting for children to finish)
    [80][www-form] host: 127.0.0.1 login: admin password: root
    [80][www-form] host: 127.0.0.1 login: admin password: pass
    [80][www-form] host: 127.0.0.1 login: admin password: password
    [80][www-form] host: 127.0.0.1 login: admin password: admin
    [80][www-form] host: 127.0.0.1 login: admin password: user
    Hydra (http://www.thc.org/thc-hydra) finished at 2012-03-10 11:58:05

    Reply
26. 
    Anonymous19 March 2012 11:15

    i dont even get an error... hydra just restars even when trying your exact example

    Reply
27. 
    Anonymous24 March 2012 20:15

    Hi everyone,
    I have insert a right password in pass.txt but I think that hyra doesn't found that password, infact I have the similar output of "Anonymous Mar 10, 2012 02:10 AM" (hydra doesn't show me the password)
    
    I use hydra 6.5 on ubuntu and I'll want found my password on wordpress (last version) site.
    
    Could you help me, please?
    
    Thank you very much!!

    Reply
28. 
    Ben25 March 2012 14:44

    Guys,
    You need to tell Hydra the difference between success and failure. Otherwise it will never work (it's not magic you know).
    
    My best advice to you all, is open wireshark and LOOK at what is happening.
    (then you will have a much better understanding of what is going on, which is essential if you want to progress with this sort of thing).
    
    Regards
    Ben

    Reply
29. 
    Anonymous17 May 2012 10:43

    root@bt:~# hydra -L /root/user.txt -P /root/pass.txt 192.168.xxx.xxx http-get-form "/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low; PHPSESSID=xxxxxxxxxxxxxxxxxxxxxxxxxxxx" <- your session ID here

    Reply
30. 
    Miss K17 May 2012 14:51

    ok so basically, this is what I write: hydra -L users.txt -P words.txt -t 10 -v 1
    92.168.xx.xxx https-post-form "/YYYYY/ZZZZZZ/Login.aspx:UserNa
    me=^USER^&Password=^PASS^:bad login!!!:S=SUCCESS!!!!" but it just doesnt give me "bad login!!!" nor "SUCCESS!!!!". It just give me the html code of the webpage I'm trying to attack, followed by the numerous username and password combination tryouts. I'm sure I used the right username in the users.txt file and the right password in the words.txt file. What's wrong with my request? Please note that the "xx.xxx" are real numbers and the ip adress is valid, and that the Ys and the Zs are also real names and that the web page is valid.

    Reply
    Replies

     

     
31. 
    bouinux21 May 2012 14:33

    Apparently there is a problem with the with http-form-get feature, because when I am in debug mode I can explicitly see the message return by the server and see when the log show a good authentication, but actually hydra do not show me that the login is correct...
    I can give you debug files ...

32. 
    Ben25 June 2012 20:01

    The feature works fine.
    What you need to do, is read and follow the methodology I described.
    
    You need to tell Hydra what "success" is.
    
    So, what is the difference in response (HTML and header) between success and failure?
    
    Then use that.

33.  

    Reply
34. 
    Anonymous22 June 2012 13:11

    i don't want to add user.txt & password.txt for combinations within hydra as i don't know username and password , then how to use hydra..........

    Reply
35. 
    Ben25 June 2012 20:03

    Hydra is mainly used for performing a dictionary attack.
    
    If that is not what you want to do, you are probably in the wrong place, and using the wrong tool.

    Reply