1 - Brute Force (low/med/high) - Damn Vulnerable Web Application (DVWA)

Captions
In this video we'll be going through the brute force challenges on DVWA. We'll start off by changing the security level to low; we're going to work through one at a time. Submit that and let's go back to Brute Force. Now, the login box here already has the username and password entered which, if you followed the last video, the first video where we set up DVWA, we needed to use these credentials, admin and password, to log in anyway, so we already know those credentials are correct. If I hit login here you'll see that we've got into the admin area, so there wasn't much exploiting in there. Let's assume that we don't know what the password is and that we're trying to crack the password for admin. So let's enter an incorrect password here; you see we get "username password incorrect". We'll not update that, and if we go into Burp Suite and have a look at the HTTP history... If we want to make sure that all we're seeing in here is DVWA, we can go to Target and say that we want to add this to our scope, and then in our proxy we can say we only want to see items here that are in scope, and that will filter that. Similarly we have this intercept option whereby, if we intercept the login here, it'll intercept our request; if we only want to intercept the items that are in scope we can go into the options here and just tick the option to say only intercept if in scope. Let's go back to our HTTP history here.

So what we're going to do is use Burp Suite first of all to try and brute force the password. You can see here we have our login: it's a GET request and it takes in the username, the password and then this Login parameter as well. So let's send this to the Intruder. We go to Intruder and then check out the positions. There are a couple of different attack types; we're going to be focusing on the sniper attack, which would just go through each variable that we have set here and then loop through the different lists. So you see here we have payload set one, which would work for the admin field in this case. Obviously all we're looking to do is brute force the password, so clear that, then select the password and add those, and now it's just going to go through the password. There's a variety of different types of payloads we can use here, so we could use numbers: we might be iterating, say we found a file called 1.jpeg, we might want to iterate from 1 to 1000.jpeg and see which ones exist, or similar for a user ID or something like that. Obviously in this case we're going to be doing passwords, so let's go and load our password list. I'm just going to use this one with the top 100, because we know the password is "password" it's going to find that pretty quickly; it's the fourth password here. Let's go ahead and start the attack. You see it comes up with a warning just to say that the attacks will be throttled if you don't have the full version, and there'll be some features missing. You see it starts off quite quick but it slows down quickly as well; as soon as it's got to about 10 requests there it's got quite slow. We'll go back in a second and see how slow it actually gets, but for our fourth password here you can see that the length is different, so quite often we'll filter by length here to try and identify which passwords were correct, or maybe we'd look at the status code. Something else we can do is set this to grep for certain strings. Notice how slow this is going now: 31, there we go, 32, so quite slow. Let's stop the attack and go and check out this grep option. We go into options and let's clear all these; at the moment it's not flagging anything, so let's just clear those. If we put in an incorrect password (oh, let me turn off my intercept, just let those go through) we could grab this string and then say let's add that simple string, or you can do regex here as well. We're excluding the HTTP headers because we only want to look in the content. Also you could extract here as well; we're going to be trying to match this, but you might have a situation where, say, we were to log in here and it comes up with a token, and you might need to grab that token off the page and then submit it in your next request or submit it somewhere else, something like that. So we can use the extract option to actually extract some data, and then if we wanted to we could go further and set up quite complex macros to run like a little script on each attempt. Hopefully we'll be able to incorporate that in subsequent challenges during the series, but let's test out this grep match option now. If we go back to our target and start the attack... okay, you'll see now that we have this "username"... okay, it's actually not found that; I guess there was something missing, not too sure what. Let me simplify it a little bit and we'll say add "incorrect", although I'm quite intrigued that that didn't work. I think there was a space at the start of that; let me remove those two and let's try to run that again. Yeah, okay, we had a space at the start of that, which shouldn't really impact it, well, I suppose if we specifically wanted the space to be there I guess it should. So you can see that it's got this box now and it'll just say if this "username/password incorrect" comes up on the page then tick this, and then we can easily see which one it didn't come up with. We could also do the successful one: we know that the successful one will say "welcome", so let's close that, stop the attack, go back to our options, clear these, add "welcome" and start the attack again, and you'll see there that the welcome has only come up with the "password" option. So let's exit that; we have our admin password, we log in and we can see that it's come up with an image here.

So if we have a look at this image we'll see that it's come up with the full directory. If we take out the image name, here we actually have the list of images. If we weren't able to access this, another thing that we could have done is a brute force where we loop through trying to request this URL, passing in different usernames in front of the .jpeg, and whichever ones come back we know would be successful usernames. But luckily in this case we're able to just go and get a list of the usernames; you can see I've checked them out already. So let's make a copy of those usernames. I'm going to do subl users.txt and we have admin, 1337, gordonb, pablo and smithy. Let's save this and see if we can get hold of all of the passwords. Go back to the login page.

The first tool we want to look at here is Hydra, so let's do man hydra. You see it's a very fast network logon cracker which supports many different services. We have the syntax here and a list of the protocols that are supported, so we could be doing POP3, SSH, SMTP, SMB, and then obviously FTP and HTTP, which we're going to be dealing with here. In this case we have HTTP or HTTPS and we have the get or the get-form. We know that this is a GET request from, let's close these down, let's go back to our proxy HTTP history, we can see here this is a GET request. What else do we have here? We can pass in our username using lowercase -l, or a list of usernames in a file using capital -L, and then the same with password: lowercase -p for a password, capital -P for a password file, or we can brute force, we can generate passwords if we don't have a password list to work from. We can pass in a file containing usernames and passwords separated by a colon, or we can specify what it's separated by, and we can add time in as well, so if there's some throttling that we need to avoid we can deal with that. So that's cool. Let's check out hydra -h as well just to see what other options we have here and get a couple of examples. We have a user list and we have a password list; we're going to be using the capitals, so let's do hydra -L users.txt and then -P and we'll give it a password list, I'm going to do probable top 1575, and then we would give it the domain or the IP, so we're going to give it our localhost IP, and then it's an http-get request, and then in here what we would do is pass in the parameters. So we pass in first of all the directory path: we have the URL, we have our directory path, we then use a colon and pass in our parameters. The parameters are here, grab these parameters, and we want to replace whatever we want to brute force here, so we replace admin with this ^USER^ variable. Even if this was a lowercase -l and the username is admin, we'd still have to use both of the variables here. Same with the password, let's do ^PASS^, and then finally after the colon here we can add in an error message. You could put in that full incorrect error message; I'm just going to put in "incorrect" because it will grep that out. Then we can use -v if we want to do verbose. Now you can see there it's gone through 16 passwords, tried 16 passwords; it should really bring this up in green to say that it's identified a password. The issue may be that it's unable to actually access this page, because we had to log in to DVWA to get here. So if we hit F12 we can grab our cookies from the storage tab, or you can get these from Burp Suite as well in here. I'm going to grab them in here, and we can set headers in Hydra by using capital H, so if we add another colon in here and say H= and then paste in our cookie value, let's try that again. Okay, you see here it's given the option "use -I": it created a restore file here because we cancelled halfway through our last scan, so I'm going to use -I just to skip that. You can see that it's attempting that again and doesn't appear to be having any luck. Let's try and change the http-get to http-get-form. Okay, not looking good either. Let's try to take out the security=low cookie but leave the session ID. No. Let's try to take out the session ID but leave the security=low, and no luck for us again. So let's just assume we were just trying admin here; I don't think this should make any difference, but if we do just lowercase -l and pass in username admin... we don't get anything either. It should be running through a lot quicker than this. As a note, my cookie looks like it's in okay there. Let's do it again with the PHPSESSID, is that incorrect? Looks fine. Let's refresh and make sure. Yep, it all looks fine. So that's not working, just bear with me a second.

Okay, so I actually tested that with all of the header values, basically everything that's in here, and still no luck. I've also tried with the full failed login error string, didn't help. I've tried localhost instead of 127, shouldn't really make any difference at all. Tried http-get, http-post-form, which again it's not a post form so that shouldn't be the case, but we don't get any luck there at all. Let's try and take out all of these headers. Okay, so it found some valid passwords there; that's with it set to post-form with no cookies and no headers specified. Let's set it to get. Okay, it's the same with get, but you'll notice there it's bringing back a lot of passwords, and obviously it can only be one password. If we try to log in here with admin and that password we get incorrect. Let me update... you see the problem is that we don't have a PHP session value specified there, so it's likely that it's not even making it to this page to see what the error string is here. Okay, interesting, so whenever I changed that from "incorrect" it did identify that differently, I suppose. Yeah, okay, let's put "and/or". Okay, just while that's working like that let's try and do our H again and say H= and pass in this cookie. No. Okay, maybe it's something to do with the string then, bear with me.

Okay, after a little playing around and research I'm still not able to get that working. What's interesting is I can't actually find any solutions at all which work. Let's check this one out, DVWA 1.9. So either there's something going on with my system or there's something going on with DVWA, maybe due to the fact that it's running on localhost, but I don't really understand why that would be the case because we're passing it the directory address. Let's go down to, what's this command for Hydra there? Let's take a copy of this command and add our values and see what we get: 127.0.0.1, admin, sure we can use rockyou, I have that in the same location as well. We'll leave all this the same; the only thing we want to change then is the PHPSESSID, so I'm going to grab the PHPSESSID, refresh this to make sure it hasn't changed (it hasn't), and paste in our session ID. Oh, one other thing we need to do is the quotes aren't in the right character type, so where's the other quote here, okay, paste that in. Okay, it's got the restore file I forgot about; let's do -v and -I and exactly the same. Let's see what they got whenever they pasted in that command. The end result was to say that all of the passwords were valid, all 16 passwords are valid, which obviously isn't right; there's only one password for admin. "You typed security=low C instead of low", let's have a look. Security low, well if I change that to "low C" and add the -v and -I, okay no, still didn't give me any, it didn't give me 16 valid passwords in that case.

Okay, so let's see if anybody else... okay, g0tmi1k should be a valid one here, let's see if they use Hydra, they might not. Okay, so they do use Hydra here. Let's take a copy of that then: hydra -L, we're going to do users.txt, SecLists passwords, we'll do probable top 1575.txt. I'm not too sure exactly what these flags are, so this will be interesting to see whether this fixes it. 127.0.0.1 and then our PHPSESSID, let's paste that in. Oh okay, they're looking for a success message instead of a failure message, that's interesting. Okay, let's grab our session ID, we also want to change this to lowercase, and this should be good to go. Let's try this out, clear this out of the way, let's do -v and -I. Password is not found, okay. Probable, see what it actually is here, probable, oh, I don't have it in /usr/share, that's why. Okay, so SecLists passwords probable top 1575, try that. Okay, it doesn't look like it's doing much at all. Okay, what I'm going to do is try this success message then, because it's interesting that they have used success rather than the failure message. Let's go back and change this. So you can do F= for failure or you can do S= for success, but typically we just leave it; if you don't use any it'll just assume that it's the failure. Once again I forgot to do -I and -v. No, still no luck there at all. So yeah, I guess either something to do with my setup or something to do with DVWA means that Hydra isn't working for us. Somebody else is attempting to do the same, 16 passwords that don't work, yeah. Oh, there's a bug with the current version, try to install Hydra again from here. Okay, although it sounds like... okay, so yeah, I've got no idea what's going on with Hydra there. Some people are saying update it, but it sounds like maybe some of the people aren't really understanding the problem here as well. I haven't been able to find a single command through any blogs, YouTube videos or anything that actually works with Hydra and DVWA. Note that I've used Hydra throughout various capture the flag competitions, throughout my OSCP, Hack The Box machines and things like that, and I've never found any problems with Hydra, so there's a good chance that it's to do with DVWA. Let's actually check the DVWA GitHub. Apologies if this is a bit drawn out; I'll leave the timestamps in the description so you can just skip to me actually solving this if you don't want to see any live troubleshooting. Let's check the issues. There are no open issues; let's search all of the issues. Okay, I don't see... okay, let's search Hydra. "Hydra brute force not applicable to"... isn't that localhost? Okay, yes, they put in... okay, they're trying to brute force that login page. I actually had a look at that as well and still had the same issues. "No idea on Hydra, I use Burp Intruder." Okay, that's fine for anybody who can afford the premium version. "How you do a Burp", okay, very helpful comments. So the author basically just says use Burp. Interesting, very interesting.

All right, well, I'm just going to move on here. What we'll do is try to use wfuzz, which is another good tool for brute forcing, whether that's brute forcing passwords or directories and things like that, so let's check that out. If we check man wfuzz here we see that it's a web application brute forcer and we pass in wfuzz options and then -z payload parameters and the URL. We can go through and have a look at all the various syntax: we can send POST data here with -d, -b for cookie which we're probably going to need, we can send headers there as well, and then we can show and hide responses based on the length of the response, the response code or some regex in the content. So for example, whenever we did this brute force in Burp we were filtering by, or sorting by, the response length to find out whether it was successful, so we could do something similar here, or we could search and hide responses that contain a regex to say "incorrect password", for example. Let's quit this, let's do wfuzz -h just so we've got this up on screen as well, and we can see here as well that we can send multiple parameters: the first parameter will be FUZZ in capitals and then it'll be FUZZ in capitals with the number of the parameter in between the Zs. So let's give an example of that here. If we do wfuzz, we can do -c to give it a colored output, you can see here "output with colors". We're not going to hide or show words or lengths or anything yet, because we don't know exactly what the length will be, although we could check in Burp Suite. Let's put in our payload; let's just do the password to begin with. Let's set the wordlist to SecLists passwords probable top 1575, and then we can give it the URL, so let's go up here and give it the full URL, paste that in, and then we want to fuzz the password, so let's set this to FUZZ in capitals. Try to run that. You see it's running through, so we were getting response code 302, so we actually weren't able to even access the login. Let's try and specify our cookie value. We could use -H for a header, but we can also, I believe, use -b; let me get that back up, so we use -b for cookie, repeat option for various cookies. Okay, let's try and run it again. We'll put this in before the URL because the URL should be the last thing there, and we'll say -b and PHP... let's set both of them, so security=low and PHPSESSID= and let's grab our session ID. I'll try that out; I'm not too sure if this is the correct syntax. Okay, so we got response code 200 now, so successful responses. Let's go up to the top where our actual password attempt was. Okay, so the password attempt was here, and you can see there that the number of chars is different, so we have 4280 here, or 248 words instead of... so we could filter by any of these values or we could filter by the actual content. Let's filter by the words, so we'll grab that and we can do --hw, hide words, or we should be able to do --sw, show words, and paste that in. Let's try that. No. Okay, let's have a look at the syntax again, wfuzz -h and --sw, okay that looks right to me. Oh, I see what I did there, I missed the dash: this is a double dash, not a single dash, so it doesn't need the quotes, it just needs us to put in the syntax correctly. Let's try that now, and there you can see that it's only showing the ones that come back with 248 words in the response. Let's actually see, out of interest, if we can say hide words and we'll try and hide ones... oh sorry, the regex, --hs, we can hide or show, so we're going to --hs and we'll hide any responses that have "incorrect" in them, and this works for us just as well. So it's interesting that this is working fine and Hydra isn't working at all with basically the same setup here. I'll be very interested if anybody can let me know where I was going wrong or what the actual issue was, if there was a problem with Hydra, if there's a problem with DVWA; I'd just be interested to know, because I wasted quite a bit of time on it, and if you're still watching this you probably wasted a bit of time watching me do it as well. But there we go, that's done.

Let's also try to brute force the other users that we have in the users.txt. So instead of passing this as a wordlist we pass this as -z and then we pass in the file, and then, hopefully this works, -z users and then -z with our passwords, and then the first parameter that we want to fuzz is this username, so we change this to FUZZ, and then because this is a second parameter we need to put a 2 in between the Zs. Okay, that didn't work; let me change this to -z, I think we need to specify that it's a file: -z file. Do the same here, -z file. Try that. No, okay, "no such file or directory", it didn't find the passwords one. It might be due to the syntax that I used; let me do... yeah, that works, okay, just because I need to put in the full path of the passwords file. Okay, so it's going through, it's found admin: password. Let's try 1337 now... oh, there we go, found gordonb is abc123, pablo is letmein, smithy is password, and there it's found all four. It didn't find the 1337 password, but there we go, we've cracked the passwords with wfuzz.

Let's go and try and change the difficulty to medium and see if we're still able to use the same techniques to crack the passwords. We'll change the security here to medium, submit that, go back to the Brute Force, clear our screen. Because we've updated the security level we also have to make sure that we update our cookie: the cookie value is updated to medium on the website, so we just need to make sure that we also set the cookie to medium in our wfuzz. I've also taken out the hide regex, so we were hiding responses that came back with an incorrect string on them; we're no longer doing that, just because we want to see what the difference is. It's quite evident straight away that the difference is the speed that the brute force is occurring at. If we were to actually go to the site here and try to log in normally, we log in and it comes straight back with a response, but you can see how long it's actually taking to respond here. Quite often whenever this kind of throttling is implemented, everybody won't just be throttled from start to finish; it'll be more a case of, after you've attempted three password attempts or 10 password attempts or something, you'll be throttled down to a certain degree, and that's likely to keep increasing as you keep going, and perhaps after 10 or 20 or whatever attempts your IP might be blocked, or the account that you're trying to log into might be suspended while it's investigated. So you can see anyway it found the password, it has the different length there, it just took a lot longer to find it. I'm not going to go through finding the passwords for all of the users, we've already done that; I just want to demonstrate the difference in changing that to medium.

So let's go and change it to high. Go to DVWA Security and change to high; security level is set to high. So again if we hit F12 we'll see that our cookie has now been set to high as well, and we'll need to bear that in mind when we try the next brute force. If we go ahead and try and log in here, I'll try again with an incorrect password, and if we check out Burp Suite we can see the difference here: we have two login attempts, but they also have this user_token parameter at the end, and the parameter changed for each one. So if we were to try to brute force this, let's send this to the Repeater. You'll see that this came back with a response to say username or password was incorrect. If we send that to the Repeater and then change the password, let's say test2, send that off, follow the redirect, and this time we get "CSRF token is incorrect". If we search CSRF we'll get some links about cross-site request forgery and how this token can be used to prevent CSRF attacks. We'll be covering CSRF, so I'll not go into too much detail here, but essentially in order for us to keep trying new passwords we're going to need to get this token, which changes on each request. So if we hit F12 here and have a look for our user_token, see here we've got the token, it's set to hidden. There are a few ways you could do this: you could write a script which essentially loads the page, grabs this value and inserts it as a token whenever brute forcing. We'll be looking at how to do it in Burp Suite, but let's see for example what would happen if we refresh the page, grab the new token, go to our wfuzz command that we ran previously and update the security to high. Okay, we get 302s, which is to be expected, but if we now set &user_token= and paste that in... okay, let's see, so our first request we got a 200 response from, and then all the others after that 302, because we didn't have the valid token.

So let's go back, let's open up the site and go to our proxy again, let's send a request, send that to the Intruder. Okay, not that request, login, we'll send this request to the Intruder. Make sure it has your username and password and stuff here. Let's clear all of these; we're going to be brute forcing the password obviously, let's set it to test so it's not getting the right password straight away, and the user token is also what we're going to need to brute force here, so let's add that. I'm pretty sure I cleared these, but okay, apparently not, let me clear those, add, and then we'll add it to the token as well. The issue here is if we go to payloads we only have one payload set, so on each request, if we have say 20 passwords there, on each request it's going to send password one here and it's going to send password one here. So we need to change the attack type, and in this case we'll be using the pitchfork attack. So let's go to payloads now, we'll see that we have a payload set two. Our first payload set is going to be the same as last time: we have simple list, we load in our passwords, let's do darkweb top 100, and then our second list is going to be, we're going to use this recursive grep, and you'll see here the payload description: this payload type lets you extract each payload from the response of the previous request in the attack; it's useful in some situations where you need to work recursively to extract useful data to deliver an exploit. It tells us we can extract grep items in the options tab, so if you remember we checked out this earlier, the grep match, and in fact let's do this again, let's do grep match and say "incorrect", because we want to know if the password is correct or not. But we also have this, which I'd mentioned, the grep extract, where we could say let's add one here, and there are a few different ways we can do this, we can use regex stuff down here. What I'm going to do is go and find the token right here, I'm going to change this to start at that offset and it's a fixed length, it's going to be 32 each time. You can use re-fetch response to grab a new token if that one's already been used. In fact, oh, oops, okay, that wasn't ideal, let me go back to our proxy and set this again. Apologies, I'm not too sure how to get that back. Clear these, set this to test, we're going to add that, we're going to add here, going to set this to pitchfork, we're going to set our first payload to the darkweb top 100, we're going to set our second payload to recursive grep, and then we're going to go into our options tab, set the match to look for "incorrect", and then set our extract (I'm not going to mess this one up), we'll find our CSRF token, I'm going to set it at the offset and 32 bytes each time, and then we're just going to go okay. Now what we also want to do is set our redirections: we always want to follow redirections. You'll note that whenever we went into the Repeater to check that out we had to follow the redirection, so we're going to do the same here as well. With those in place let's go and start the attack, and you'll see here that we're testing our payloads: payload one is our password, payload two is the response, and you can see that we've got incorrect passwords apart from this one here where we sent the correct password. You can have a look at the requests here, so let's have a look for example at the request where we sent the 4f token; if you check the response, the response gave us a 21c token, and you'll see in the next request then that 21c token has been used, and so on. So that'll loop through in that format. I'll not go through finding all the passwords, we've already found them; this is just to demonstrate how we could carry on brute forcing even with this CSRF token in place.

Okay, so let's close some of these windows down. That's the low, medium and high brute force done. If we go to DVWA Security and set that to impossible: impossible should make this secure against all vulnerabilities. So let's submit that and go back to our brute force, and let's see if we can go ahead... I'll just do the same thing actually, let's do test, admin, don't update, let's go to our proxy. Ah, okay, "username or password is incorrect; alternatively this account has been locked because of too many failed attempts; if this is the case please try again in 15 minutes". Okay, so it gave us one password attempt and because we got it wrong we're now locked out for 15 minutes. So yeah, brute force is not going to be easy there. We could set up a brute force to just try one password attempt every 15 minutes, but obviously that's going to take a long time. If we view the source here, this is the impossible level; we can go to compare all levels and actually compare the low, medium, high and impossible source code. So if you're looking not only to find out how these exploits work and to test them out yourself, but also how you can secure your web applications to prevent these from happening, it's worthwhile comparing these code versions and seeing what's the best way to do things. Okay, I hope you've enjoyed this video; the next one will be on command injection. Any questions or comments, leave them below. If anybody knows how to get Hydra working with this brute force and can tell me what I was doing wrong or what's gone wrong somewhere, I'm interested to know. Thanks.
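As an added example (not code from the video, and not DVWA's own source), here is the defensive side of what the walkthrough observes across the levels: a login handler that issues a single-use hidden token with every form, rejects replayed tokens, locks an account for 15 minutes after repeated failures, and compares passwords in constant time against a salted slow hash. The `LoginGuard` name, the lockout threshold of 3 and the sample credentials are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Policy values are assumptions for this example, picked to mirror what the
# walkthrough observes at DVWA's levels: a fresh hidden token on every login
# form (high) and a 15-minute lockout after repeated failures (impossible).
LOCKOUT_THRESHOLD = 3          # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60      # "please try again in 15 minutes"
TOKEN_HEX_LEN = 32             # length of the hidden user_token field


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so a leaked user table is costly to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Login handler for a web form, modelling the three defences above.

    `clock` is injectable so lockout expiry can be tested without waiting.
    """

    def __init__(self, credentials: dict, clock=time.time):
        self._clock = clock
        self._users = {}
        for user, password in credentials.items():
            salt = secrets.token_bytes(16)
            self._users[user] = (salt, hash_password(password, salt))
        self._failures = {}    # username -> (failed count, time of last failure)
        self._tokens = set()   # single-use tokens handed out with the form

    def issue_token(self) -> str:
        """Token embedded as the hidden user_token field when the form is served."""
        token = secrets.token_hex(TOKEN_HEX_LEN // 2)
        self._tokens.add(token)
        return token

    def locked_for(self, username: str) -> int:
        """Seconds left on the lockout, 0 when the account accepts attempts."""
        count, last = self._failures.get(username, (0, 0.0))
        if count < LOCKOUT_THRESHOLD:
            return 0
        return max(0, int(LOCKOUT_SECONDS - (self._clock() - last)))

    def attempt(self, username: str, password: str, token: str) -> str:
        """Returns "ok", "incorrect", "locked" or "csrf_token_incorrect"."""
        # Token first: a missing or replayed token is rejected before the
        # password is even looked at, which is why the Intruder run needed a
        # fresh token on every request.
        if token not in self._tokens:
            return "csrf_token_incorrect"
        self._tokens.discard(token)

        if self.locked_for(username) > 0:
            return "locked"

        # Unknown users take the same path as wrong passwords, so the response
        # itself does not reveal which usernames exist.
        record = self._users.get(username)
        ok = False
        if record is not None:
            salt, digest = record
            ok = hmac.compare_digest(hash_password(password, salt), digest)

        if ok:
            self._failures.pop(username, None)
            return "ok"
        # The counter is not reset when a lockout expires, so once the
        # threshold is reached a caller gets exactly one try per window,
        # which is the "one attempt every 15 minutes" pace noted in the video.
        count, _ = self._failures.get(username, (0, 0.0))
        self._failures[username] = (count + 1, self._clock())
        return "incorrect"


if __name__ == "__main__":
    # Constructed credentials for the demo (not DVWA's real user table).
    guard = LoginGuard({"admin": "correct horse battery staple"})
    for guess in ["123456", "password", "letmein", "correct horse battery staple"]:
        # The fourth request is refused even though the password is right.
        print(guess, "->", guard.attempt("admin", guess, guard.issue_token()))
```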
Info
Channel: CryptoCat
Views: 86,756
Keywords: DVWA, damn vulnerable web application, pwn, burp, burp suite, foxyproxy, bug bounty, ctf, exploit, capture the flag, hacking, pen-testing, web security, brute force, command injection, file inclusion, file upload, insecure captcha, sql injection, weak session ids, xss, csp bypass, javascript, infosec, owasp, secure coding, debugging, static analysis, dynamic analysis, tutorial, walkthrough, cyber-security, CTF, websec, appsec, ethical hacking, OSWE, OSCP, offsec, learn, computer security, mentor, web
Id: SWzxoK6DAE4
Length: 46min 17sec (2777 seconds)
Published: Sat Feb 27 2021