www.i4info.org

i4info Provides the best hacking Material. Latest hacking tutorials and tools are available here. It is the best place for hackers.

Latest topics

» BitCoin Wallet stealor New
Wed Dec 07, 2016 7:46 pm by Admin

» Muhammad Shahroze Rashid | Marketing Consultant
Wed Dec 07, 2016 1:48 pm by Admin

» Muhammad Shahroze Rashid | Sharp Mind, Sharp Innovations
Wed Dec 07, 2016 1:47 pm by Admin

» How to design an effective job ad
Wed Dec 07, 2016 1:45 pm by Admin

» Teen Patti Gold Hack & 3 Patti Chips Code Extra Bonus 2016
Tue Dec 06, 2016 4:38 am by shoytan er lara

» Content Marketing | Promotional Video
Fri Dec 02, 2016 2:45 pm by Admin

» How to start an Online Business | Complete Guide
Fri Dec 02, 2016 2:30 pm by Admin

» Zeeshan Bhatti
Wed Nov 30, 2016 3:18 pm by Admin

» USAA letter for scam page
Tue Nov 29, 2016 4:20 am by Hardyjsh1966

December 2016

MonTueWedThuFriSatSun
   1234
567891011
12131415161718
19202122232425
262728293031 

Calendar Calendar

Affiliates


free forum

Forumotion on Facebook Forumotion on Twitter Forumotion on YouTubeForumotion on Google+

Visitors Counter


Flag Counter

About Author

Muhammad Shahroze Rashid
i4info
Web Developer
Web Developer & Designer,Researcher and Technical writer. An Information Security Consultant and System Auditor, a keen Security researcher.
samanabad
lahore, Punjab
54000
Pakistan
[email protected]
03064904829
DOB: 05/25/1992
Muhammad Shahroze Rashid
Muhammad Shahroze Rashid is a Web Developer and Designer, Android Developer, InfoGrapher, IT consultant and Researcher
Reviewed by Google
Google
Date published: 01/19/2016
9 / 10 stars
Muhammad Shahroze Rashid
Muhammad Shahroze Rashid Web Developer & Designer,Researcher and Technical writer. An Information Security Consultant and System Audito
samanabad
lahore
Punjab
54000
Pakistan

How To Bruteforce HTTP Logins With Hydra

Share

Admin
Admin

Posts : 455
Reputation : 5
Join date : 2014-12-10
Age : 24
Location : Pakistan

How To Bruteforce HTTP Logins With Hydra

Post by Admin on Fri Mar 06, 2015 4:44 pm

Bruteforcing HTTP Admin Panels with Hydra!



Today I will be showing you, how to utilize Hydra to bruteforce HTTP POST logins.
I may add pictures in the future.
NOTE: I can't add pictures at the moment, because the site is down! for now..

I think it should be easy to parse and understand the commands we will use

Let's take a random website (I've chosen one)
It's a 'Habbo Hotel' fansite, Some kind of Flash game online which generates incredible amounts of traffic - however this is a fan site for it - which will be our target.



[You must be registered and logged in to see this link.]


First thing you need to do is find the Admin panel.
You can either guess it /admin.php /login.php etc

Or you can use DirBuster - a Java application.
I used DirBuster and found the Admin login to be:[You must be registered and logged in to see this link.]


As we can see, this Login form appears to be custom coded, it utilizes a lot of Javascript, but this won't stop up from entering!

Now before we prepare for the attack, we need to do some Recon.
If we head to the main page:


[You must be registered and logged in to see this link.]


We find out it's owned by 2 admins.
Devy123
And:
Mikemarks

These could lead to potential logins instead of 'admin'
So I created a file called 'HKUsers' and inserted these logins:
Quote:admin
administrator
Devy123
Mikemarks
Now we just need a password list, I chose one from my Wordlist folder '10k most common passwords'

We will loop each password with each username, so 4 x 10 is 40.
so if we have 10,000, it will try 40,000 logins.

Hydra is fast and it should only take about 1 hour to try all 40,000 (Provided there is no security) which there isn't on this site - because I already tried it!

Ok so let's move onto Hydra.
If you're using Windows, you can download Hydra from the THC website, it's a source file so you will need Cygwin to compile it into an exe binary.

On Linux we just do:


sudo apt-get install hydra


And on RPM we use 'Yum'

Now here comes the part where we inspect the data so we know which values to target.
I recommend 'Firebug' in FF and Developer tools in Chrome.

Once Firebug or Dev tools is open, click 'Search element' and click the login box.

Login = username

Do the same for the password box and the submit button.
We also need to know whether this form uses GET or POST.

Looking through the source code we can see it uses POST in the <form> area.
(Most websites use POST)

So gather this information and we have:

Login = username
Pass = password
login = submit
form-type = post


Let's now throw this into Hydra, we will use this command.
Quote:hydra -L HKUsers -P 10k\ most\ common.txt This link is hidden from you. If you want to see it you have to [You must be registered and logged in to see this link.] on this board. http-post-form "/portal/index.php:username=^USER^&password=^PASS^&submit=1 :Error"
Let's break this down.

Hydra is the application.
-L = the list of logins - as previously mentioned, I stored all logins into HKusers.

-P = This is the path to the password file = because I'm already in the Wordlist folder, there no need to specify a full path, but if we was to, it would be /home/conch/Desktop/Pentesting/Wordlists/'10k most common.txt'

Next is the URL: This link is hidden from you. If you want to see it you have to [You must be registered and logged in to see this link.] on this board.

We then specify it as a http-post-form.

Next is the path to the Admin login: /portal/index.php
We then add a colon and use the values mentioned above.

Remember, Login = username
so it would be :username=^USER^

^USER^ is recognised by hydra as 'Use this value as all logins'

Now remember the value for pass?
pass value = password.

So, &password=^PASS^

finally, we need to tell hydra what value the login button is, and the output it shows when it fails to login.

In this case, if we logged in incorrectly, it shows: 'Error'

&submit=1:Error"

And that's it, run the command and it will go through all 40,000 login checks.
Sadly (as far as I know) there's no extra verbosity output.

But if it finds a valid login, it will spit it out.

And that - in a nutshell, is cracking HTTP Web/Admin panels using Hydra

    Current date/time is Fri Dec 09, 2016 12:32 pm