How to use THC-Hydra to crack the login password of a website

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

In this issue, the editor shows how to use THC-Hydra to crack the login password of a website. The article is rich in content and analyzes the topic from a professional point of view. I hope you get something out of it.

Step 1: open THC-Hydra

Step 2: get the Web form parameters

The IP address of the website

Web site

Form type

Field containing the user name

Field containing the password

Failure message

If you do not have these yet, move on to the next step.

Step 3: use Burp Suite to get parameters

We need to enable the proxy in Burp Suite and then configure the IceWeasel Web browser to use it. Open the connection settings via Edit -> Preferences -> Advanced -> Network -> Settings, as shown below. From there, configure IceWeasel to use 127.0.0.1 port 8080 as the proxy by typing 127.0.0.1 in the HTTP Proxy field and 8080 in the Port field, and remove anything in the No Proxy for field at the bottom. In addition, select the "Use this proxy server for all protocols" button.

Step 4: get login parameters

Now, let's try to log in with the username OTW and password OTW. When I do this, Burp Suite intercepts the request and shows us the key fields THC-Hydra needs to attack the Web form.

Step 5: put the parameters into your THC Hydra command

Now that we have the parameters, we can put them into the THC-Hydra command. The syntax is as follows:

Kali > hydra -L <userlist> -p <password> <IP address> <service> "<form path>:<form parameters>:<failure message>"

Therefore, based on the information we collected from Burp Suite, our command should look like this:

Kali > hydra -L <userlist> -P <passwordlist> 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:login failed"

There are a few things to pay attention to. First, if you want to use a list of user names, use the uppercase "L"; if you want to supply a single user name, use the lowercase "l". In this case, I will use the lowercase "l" because I will only try to crack the "admin" password.

Step 6: select a cracked word list

Now, we need to choose a word list. As with any dictionary attack, the word list is the key. You can use custom word lists generated by Crunch or CeWL, but Kali has many built-in word lists. To see all of them, simply type:

Kali > locate wordlist

In addition, there are many online sites offering word lists of up to 100 GB! Choose wisely. In this case, I will use a built-in word list of fewer than 1000 words at the following location:

/usr/share/dirb/wordlists/short.txt

Step 7: build command

Kali > hydra -l administrator -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:login failed" -V

Step 8: let her fly!

Now, let her fly! Because we used the -V switch, THC-Hydra will show us every attempt.

After a few minutes, Hydra will return the password of our Web application. Success!

The key to using THC-Hydra successfully against a Web form is determining how the form responds differently to failed and successful logins. In the example above we identified the failed-login message, but we could also identify the success message and use that instead. To use the success message, we replace the failed-login message with "S=success message", for example:

Kali > hydra -l administrator -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:S=success message" -V

In addition, some Web servers will notice many rapid failed login attempts and lock the account. In this case, you will need to use the wait feature in THC-Hydra, which adds a delay between attempts to avoid triggering the lockout. You enable it with the -w switch, so we modify the command to wait 10 seconds between attempts as follows:

Kali > hydra -l administrator -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:login failed" -w 10 -V
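Seen from the server side, the run described above appears in the web server's access log as a stream of POSTs to /dvwa/login.php from one source address. The following added example (not part of the original article) flags such bursts over constructed Apache-style log lines and shows why a detector with only a 60-second window misses the throttled -w 10 variant; the source IPs, timestamps and threshold values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One Apache/nginx "combined" access-log line per request; the form path is the one the hydra command targets.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/dvwa/login.php"

def parse(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT),
            m["method"], m["path"], int(m["status"]))

def flag_login_bursts(lines, window_s, threshold):
    """Flag source IPs that POST to the login form at least `threshold` times
    within any sliding window of `window_s` seconds. Returns {ip: peak count}."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    peaks = {}
    for ip, ts, method, path, _status in filter(None, map(parse, lines)):
        if method != "POST" or path != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # expire attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def make_sample(ip, start, count, gap_s):
    """Constructed log lines (not real traffic): `count` login POSTs from `ip`, one every `gap_s` seconds."""
    base = datetime.strptime(start, TS_FMT)
    return [f'{ip} - - [{(base + timedelta(seconds=i * gap_s)).strftime(TS_FMT)}] '
            f'"POST {LOGIN_PATH} HTTP/1.1" 200 1532 "-" "Mozilla/5.0"'
            for i in range(count)]

if __name__ == "__main__":
    # Assumed source IPs: a default-speed run, a run throttled with -w 10, and a legitimate user.
    fast = make_sample("192.168.1.50", "06/Feb/2025:10:00:00 +0000", 30, 1)
    slow = make_sample("192.168.1.51", "06/Feb/2025:11:00:00 +0000", 30, 10)
    user = make_sample("192.168.1.20", "06/Feb/2025:10:00:00 +0000", 2, 30)
    print("60 s / 10 attempts:", flag_login_bursts(fast + slow + user, 60, 10))    # only the fast run
    print("10 min / 20 attempts:", flag_login_bursts(fast + slow + user, 600, 20))  # both runs
```

The throttled run produces at most 7 attempts in any 60-second window, so a rate rule tuned for the default speed stays silent; a longer window with a higher count, or a per-account counter, is what catches it.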

The above is the editor's walkthrough of how to use THC-Hydra to crack the login password of a website; if you have similar questions, you may find the analysis above useful. If you want to know more, you are welcome to follow the industry information channel.
