How To Bruteforce HTTP Logins With Hydra



Post by Admin on Fri Mar 06, 2015 4:44 pm

Bruteforcing HTTP Admin Panels with Hydra!

Today I will be showing you how to use Hydra to bruteforce HTTP POST logins.
I may add pictures in the future.
NOTE: I can't add pictures at the moment, because the site is down for now.

I think it should be easy to parse and understand the commands we will use.

Let's take a random website (I've chosen one).
It's a 'Habbo Hotel' fansite. Habbo Hotel is some kind of online Flash game which generates incredible amounts of traffic; this fan site for it will be our target.

[You must be registered and logged in to see this link.]

First thing you need to do is find the Admin panel.
You can either guess it (/admin.php, /login.php, etc.)

Or you can use DirBuster - a Java application.
I used DirBuster and found the Admin login to be: [You must be registered and logged in to see this link.]

As we can see, this login form appears to be custom coded and uses a lot of JavaScript, but this won't stop us from entering!

Now before we prepare for the attack, we need to do some Recon.
If we head to the main page:

[You must be registered and logged in to see this link.]

We find out it's owned by 2 admins.

These could lead to potential logins instead of 'admin'
So I created a file called 'HKUsers' and inserted these logins:
Now we just need a password list. I chose one from my Wordlist folder: '10k most common passwords'.

Each password is tried with each username, so 4 x 10 is 40.
So if we have 10,000 passwords, it will try 40,000 logins.

Hydra is fast, and it should only take about 1 hour to try all 40,000 (provided there is no security, which there isn't on this site, because I already tried it!)

Ok so let's move onto Hydra.
If you're using Windows, you can download Hydra from the THC website. It's a source file, so you will need Cygwin to compile it into an exe binary.

On Linux we just do:

sudo apt-get install hydra

And on RPM-based distributions we use 'yum'.

Now here comes the part where we inspect the data so we know which values to target.
I recommend 'Firebug' in FF and Developer tools in Chrome.

Once Firebug or Dev tools is open, click 'Search element' and click the login box.

Login = username

Do the same for the password box and the submit button.
We also need to know whether this form uses GET or POST.

Looking through the source code we can see it uses POST in the <form> area.
(Most websites use POST)

So gather this information and we have:

Login = username
Pass = password
login = submit
form-type = post

Let's now throw this into Hydra. We will use this command:
Quote:
hydra -L HKUsers -P 10k\ most\ common.txt [You must be registered and logged in to see this link.] http-post-form "/portal/index.php:username=^USER^&password=^PASS^&submit=1 :Error"
Let's break this down.

Hydra is the application.
-L = the list of logins. As previously mentioned, I stored all logins in HKUsers.

-P = the path to the password file. Because I'm already in the Wordlist folder, there's no need to specify a full path, but if we were to, it would be /home/conch/Desktop/Pentesting/Wordlists/'10k most common.txt'

Next is the URL: [You must be registered and logged in to see this link.]

We then specify it as a http-post-form.

Next is the path to the Admin login: /portal/index.php
We then add a colon and use the values mentioned above.

Remember, Login = username
so it would be :username=^USER^

^USER^ is a placeholder that Hydra replaces with each login from the list.

Now remember the value for pass?
pass value = password.

So, &password=^PASS^

Finally, we need to tell Hydra what value the login button is, and the output the page shows when a login fails.

In this case, if we logged in incorrectly, it shows: 'Error'


And that's it, run the command and it will go through all 40,000 login checks.
Sadly (as far as I know) there's no extra verbosity output.

But if it finds a valid login, it will spit it out.

And that, in a nutshell, is cracking HTTP Web/Admin panels using Hydra.
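
Added example, not part of the original post and not Hydra's own code: the run described above (40,000 POSTs to /portal/index.php in about an hour, with failure signalled only by the word 'Error' in the page) shows up in a web server access log by request rate, since the status code may not distinguish a failed login. The Python below flags such clients; the combined log format, the 60-second window, the 20-request threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions (not from the original post): combined-format access log,
# the thresholds below, and sample addresses from documentation ranges.
LOGIN_PATH = "/portal/index.php"   # login path named in the post
WINDOW = timedelta(seconds=60)     # sliding window per client IP
MAX_POSTS = 20                     # login POSTs tolerated per IP per window
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} '
)

def find_bruteforce(lines, path=LOGIN_PATH, window=WINDOW, max_posts=MAX_POSTS):
    """Return {ip: timestamp at which it first exceeded max_posts inside window}."""
    recent = defaultdict(deque)    # ip -> timestamps of login POSTs still in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != path:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) > max_posts and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

def sample_log():
    """Constructed sample: one client at ~11 POSTs/s, one user who mistypes twice."""
    start = datetime.strptime("06/Mar/2015:16:44:00 +0000", TS_FMT)
    fmt = '{ip} - - [{ts}] "{req} HTTP/1.1" 200 512 "-" "-"'
    lines = []
    for i in range(55):            # 5 seconds at 11 requests per second
        ts = (start + timedelta(seconds=i // 11)).strftime(TS_FMT)
        lines.append(fmt.format(ip="203.0.113.9", ts=ts, req=f"POST {LOGIN_PATH}"))
    for i in (0, 30):              # two login attempts, 30 seconds apart
        ts = (start + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="198.51.100.4", ts=ts, req=f"POST {LOGIN_PATH}"))
    lines.append(fmt.format(ip="198.51.100.4", ts=ts, req="GET /index.php"))
    return lines

if __name__ == "__main__":
    for ip, when in find_bruteforce(sample_log()).items():
        print(f"{ip} exceeded {MAX_POSTS} login POSTs within {WINDOW} at {when}")
```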
