Monday, 22 August 2011

Using Hydra to dictionary-attack web-based login forms

Hydra is a online password cracking tool which can be used to dictionary-attack various services by trying lists of user-names and passwords until a successful login is found. It is multi-threaded, and can be very fast, trying username/password combinations at a rate of thousands per minute.


Hydra can be used to attack many different services including IMAP, SMB, HTTP, VNC, MS-SQL MySQL, SMTP, SSH, and many more.

(Hydra is to online-cracking of passwords, what John The Ripper is to offline-cracking of password hashes)

Often, web-based login forms authenticate using the HTTP POST method, but judging from several blogs I have read on this subject, it sounds like some people have great difficulty in getting Hydra to work effectively in this situation.

I have had a great deal of success with hydra, so here I describe how to get Hydra working with web-based form logins.

This attack is not limited to websites, and I would argue that it is more suited for gaining login access to software products that have a web UI, for example in penetration tests.

This tool should not be used to attack websites or services where you do not have permission to do so. Use this for legitimate testing purposes only.


Some differences between online and off-line password cracking

There are significant differences between online and off-line password cracking.

With off-line cracking, you have the hashes on your system, they are static, and you can try dictionary, hybrid, and brute force attacks to you hearts content. You have as long as you want, and you can try many billions of attempts in a short space of time.

The attack success is purely dependent on password strength, verses processor-power and time (and few user-chosen passwords will be strong enough to last).

With online password attacks there are more issues to consider, such as; network bandwidth, account lockouts, tar-pitting, changing passwords, detection in logs and IDS.

Online attacks are more suited to relatively small and focused dictionary attacks rather than exhaustive brute-force.


A simple Hydra SSH example

Here is a simple example of running a Hydra attack against an SSH server.

hydra 192.168.1.26 ssh2 -s 22 -P pass.txt -L users.txt -e ns -t 10

This will attack the system 192.1.68.1.26, on port 22 with the SSH protocol, 10 threads at a time, and try all the combinations of usernames and passwords supplied in the files user.txt and pass.txt (+ empty passwords and passwords the same as the username)

This can take a while, so it is best to only use usernames you know exist, and a relatively small list of passwords (many thousands rather than many millions). This attack generally works very well for simple dictionary passwords.


Web-based login forms prerequisites

For web-based forms, you have to know much more information about the form you are attacking before you start the attack. Every web-based form is slightly different, different URLs and parameters, and different responses for success or failure.

You need to know:
  • The hostname/IP and URL
  • Whether it is a HTTPS or HTTP service
  • Whether the form supports GET or POST (or both)
  • The parameters of the request
  • The difference in response between success and failure
  • Whether any session cookies are required to be set or maintained
  • What lockout features and thresholds are enabled (if any)
Not knowing or understanding the above information can be a big cause of failure.

For the parameters of the request, you can intercept and examine a normal login attempt with a web proxy (such as owasp-zap, webscarab or burpsuite) or use a browser plugin (such as tamperdata) or just look at the HTML form.


An example attack

The Web Security Dojo VM has various vulnerable applications that you can use to test these techniques. So looking at an example the w3af testing framework has a test login at the following location

http://192.168.1.69/w3af/bruteforce/form_login/

The important parts of the HTML form are:

<form name="input" action="dataReceptor.php" method="post">
Username:
<input type="text" name="user">


Password:
<input type="password" name="pass">

If we put in one wrong username and password combination we get:

Bad login, stop bruteforcing me!Bad u/p combination for user: a

So, now we have the information we need to attack this login form, we can use this info to construct a Hydra brute-force attack as follows:

hydra 192.168.1.69 http-form-post "/w3af/bruteforce/form_login/dataReceptor.php:user=^USER^&pass=^PASS^:Bad login" -L users.txt -P pass.txt -t 10 -w 30 -o hydra-http-post-attack.txt


If we break this up

Host = 192.168.1.69
Method = http-form-post
URL = /w3af/bruteforce/form_login/dataReceptor.php
Form parameters = user=^USER^&pass=^PASS^
Failure response = Bad login
Users file = users.txt
Password file = pass.txt
Threads = -t 10
Wait for timeout = -w 30
Output file = -o hydra-http-post-attack.txt

Hydra basically iterates through all the username/password combinations, until it gets a response that does not contain the text "Bad login". When we run this attack we get:



Hydra v6.5 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-08-22 13:11:03
[DATA] 5 tasks, 1 servers, 5 login tries (l:5/p:1), ~1 tries per task
[DATA] attacking service http-post-form on port 80
[STATUS] attack finished for 192.168.1.69 (waiting for children to finish)
[80][www-form] host: 192.168.1.69   login: admin   password: 1234
Hydra (http://www.thc.org/thc-hydra) finished at 2011-08-22 13:11:07

As you can see, this was successful and found the user "admin" with password "1234".


Other examples

HTTPS forms can be brute-forced in exactly the same way by changing the method to "https-form-post".

Similarly there are the GET equivalents, of "http-get-form" and "https-get-form", though this type of method is really not recommended for web-based login forms (due to confidential information being passed in the URL, which can appear in proxy-logs, and browser history). Some forms do exist out there that use this.

Sometimes you need to look for text that appears meaning "success" rather than the absence of text meaning "failure". This can be done if you put "S=" in front of the failure string variable, it becomes a success string check, for example

"/login.php:user=^USER^&pass=^PASS^:S=successful"

Remember that the "failure" or "success" string does not have to be part of the HTML of the page. These strings could be information in the response headers, such as cookies being set, or locations of redirects. There are flexible options for dealing with pretty much any type of response, as long as it is repeatable, and there are distinct differences between success and failure.

Other more complex examples may be where you need to specify particular header values, or use an additional page to obtain set browser cookies before the form is submitted. These can be done by adding the additional parameters "C=" and "H=" on the end:

"/foo.php:user=^USER^&pass=^PASS^:S=success:C=/page/cookie:H=X-Foo: Foo"

All in all, this is a pretty straight forward, and a very effective tool, as long as you understand how the form is working, and what parameters are required, before you start the attack.

36 comments:

  1. hey, I want to hack srbac-rs.com/administrator...can you give me a script for that...I keep getting unknown service error... username name is usrname and password name is pass..thanks

    ReplyDelete
    Replies
    1. go read a fucking book you mongloid

      Delete
    2. where the fuck is password list fuck ur this tut

      Delete
  2. thack you for your information.

    ReplyDelete
  3. thanx a lot man...

    ReplyDelete
  4. fucking skiddies dont need to have these capabilities

    ReplyDelete
    Replies
    1. I'm sure that you're not a skiddie yourself, rihght ;)

      I am guessing it's similar with those closet gays who keep calling everyone else gay to hide their true self.

      It's not as if someone reads as article on how to do something they're automatically a skiddie. You have to read up on things somewhere, it's not as if you're automatically a pro who knows every feature of a program right off the bat.

      Keep it at!

      Delete
    2. your approach is called "security through obscurity" and guess what... in the long run, it doesn't work. i've looked this up because i'm looking for a way to figure out reliable criteria for a secure password because i don't fucking trust the "6 characters and at least one number" thing. if tools like hydra and this tutorial were kept away from the general public, the only people who would find out how to use them would be criminals (they have the strongest motivation to crack passwords, and they will use illegal methods of acquiring information on how to do it too), and normal people, webmasters and admins will have no method to figure out how to defend themselves.
      saying that this information shouldn't be available is like saying that warning people of common burglar tactics should be illegal because the information could be used by actual burglars. guess what? the burglars already know!

      Delete
    3. Shut up you fucking tool.

      Delete
  5. very nice Post , But can tell me if my Source page show like it :

    <input class="form_input ltr" id="user" type="text"

    how can i do it ? its not name="user" and hydra dont put my username and password

    ReplyDelete
    Replies
    1. surely in your case is sent for AJAX

      Delete
  6. Hmm i always seem to get false positives what ever success or fail string I enter.

    ReplyDelete
  7. can any1 telll me how to hack gmail?

    ReplyDelete
    Replies
    1. fucking skid .

      Delete
    2. use hydra-gtk smtp.gmail.com i dont remember what port but its easy

      Delete
  8. I have read so many article of this site in which some of them were very
    interesting and inspiring.This article has good title with good description.i am very happy that i found this site. I have bookmarkedthis site to visit again and find out the new post.I just want to say,is a wonderful article. "custom article writing"

    ReplyDelete
  9. When there is no Username input there,only password field is there,how u configure in hydra

    ReplyDelete
  10. if the the field submit not have a name, what can i do? its safe?
    Please reply me, i study for prevent attacks

    ReplyDelete
  11. can you make clip for https-post-form with set cookie?

    ReplyDelete
  12. i am trying to brute force dvwa level medium, but it doesn't fuction, has someone already brute force dvwa with hydra? if so, thank you for helping me..

    ReplyDelete
  13. quick question. i've been at this for hours. (thanks for the explanations above, btw. good teaching.)

    is there any way to specify successful or failed login responses with http-get? (as opposed to post).

    i'm testing/learning on a login page that uses http-get, and returns nothing (in tamper data or through burp) that indicates a failed login response. however, i know what the successful login response should/would be. it seems that this feature is relegated only to the lumped in parameters belonging to -post data though (/:USER&PASS: or ) .. is there any way to implement the fail/success indication with -get?

    thanks

    ReplyDelete
  14. edit:

    sorry, that should say something more like (/:USER&PASS: [failed dialogue] or [S=success dialogue])

    ReplyDelete
  15. ok ... i did that but.... that page have many translation. witch language use to get error message ?
    i tried in engllish: error mesage is "The password you entered is incorrect "

    i tried: hydra www.twoo.com -l ******* -P '/root/Desktop/pass' http-post-form "/login=1:email=^USER^&password=^PASS^&submit=Sign+in:The password you entered is incorrect" -vV -f

    with that syntax pass found are not stable, i get random pass , if try once i get a passif try 2nd i get other pass

    if use Success message: title of page is "Search for people on Twoo"

    hydra www.twoo.com -l *************-P '/root/Desktop/pass' http-post-form "/login=1:email=^USER^&password=^PASS^&submit=Sign+in:S=Search+for+people+on+Twoo" -f -vV

    i get no pass : " 1 of 1 target completed, 0 valid passwords found "




    ReplyDelete
    Replies
    1. burp suite don't help me to get login button form :( :(((

      i get : action=login&email=PUT_USERNAME&password=PUT_PASS

      i give you host: www.twoo.com .... may somebody will view sorce code and can see where is mistake or what is problem ..

      Delete
  16. Hi Ben, may I ask what is the Hydra script for this form :
    http://pastebin.com/mFsN3RZp
    Thanks in advance

    ReplyDelete
    Replies
    1. p.s. that I need Expert and Admin passwords.

      Delete
  17. hi
    need help
    cant get work
    where is my fault
    in /phone2.html/action?

    $hydra 192.168.1.10 http-form-post "/phone2.html/infopce:id=^USER^&pwd=^PASS^:Access denied" -l admin -P 'Micro.txt' -t 10 -w 30 -o output-hydra.txt

    page source:

    http://pastebin.com/qjArDS6h

    tnx

    ReplyDelete
    Replies
    1. "192.168.1.10" -> I think you mistook hostname with your own IP

      For example if you want to bruteforce a page called www.random.com/phone2.html/infopce your command would look like:

      hydra www.random.com http-form-post "/phone2.html/infopce:id=^USER^&pwd=^PASS^:Access denied" -l admin -P 'Micro.txt' -t 10 -w 30 -o output-hydra.txt

      and make sure your password dictionnary "Micro.txt" is on the directory from where you're making the command, or just put the whole path so that it will look like : -P '/path/to/your/file/Micro.txt'

      Also if it doesn't work, try putting "http-post-form" instead of "http-form-post"

      Delete
  18. Hey I'd like some help about one thing actually,
    I've been able to bruteforce succefully some http-form websites with my own username, but I'm currently blocked with a command for one http form.

    The login informations of the source code:


    "LoginControl_UserName" id="LoginControl_lblUserName">Identifiant
    name="LoginControl$UserName" type="text" value="trololol" id="LoginControl_UserName" class="tbx-identifiant"

    "LoginControl_Password" id="LoginControl_lblMotDePasse"
    name="LoginControl$Password" type="password" id="LoginControl_Password"

    "LoginControl_RememberMe" id="LoginControl_lblRemember" class="checkbox" id="LoginControl_RememberMe" type="checkbox" name="LoginControl$RememberMe"

    type="button" title="Se connecter" id="LoginControl_LoginButton" onclick="WebForm_DoPostBackWithOptions(new WebForm_PostBackOptions('LoginControl$LoginButton', '', true, '', '', false, true))" class="bouton bouton-connexion" class="bouton-icone"


    In the last paragraph the login button has no name! I've searched a lot on the internet but couldn't find the solution. Do I have to use the "type"; "title" or "id" as Login parameter?
    I tried to launch it without login parameters but I get the "16 correct passwords" error.

    Here is my command:

    hydra -l user -P '/root/Desktop/pass.txt' www.********.net http-form-post "/:LoginControl$UserName=^USER^&LoginControl$Password=^PASS^:incorrect"





    ReplyDelete
  19. where the fuck is password list?

    ReplyDelete
  20. What is the command line to create the password.txt and username.txt file ??? which cracks the usernames and passwords of a server...

    ReplyDelete
  21. Thanks for providing precious information.
    email support

    ReplyDelete
  22. Great post, however if the password isn't in the password file it wont work. learn lua programming

    ReplyDelete