Burp Suite and Hydra vs DVWA

Video Statistics and Information

Captions
[Music] Hey, and welcome back to the channel. My name is Gary; I'm a cyber security professional by day. In this lesson we're going to cover brute forcing login panels using Hydra and Burp Suite.

Before you should even try to brute force some login panels, it's best practice to have a list of usernames and a list of passwords to test, otherwise you're just shooting in the dark. Now, I've talked about generating password lists in a previous video, so I'll put a link to that below, but as for generating usernames, you just find those online. Let's say you're being paid as a penetration tester to come and do a job at Google: you can just go to google.com and try and find email addresses, maybe on their blog or on their contact pages, to see if there's any structures, or you could use a tool like hunter.io. It's really cool: sign up for free (link to that's below), put in the company name, and it just gives you the structure of what that company's email address system is like. Most companies are firstname.lastname@company.com or whatever it is.

So let's assume we've got two things now: a list of passwords and a list of usernames. Let's go. Here we are inside Damn Vulnerable Web App, and there's a username and a password box. You can see at the bottom it says hint: the default username is admin with a password of password. It's pretty unlikely that you're going to go to another website and find something as dumb as this, but this is just to get you started if you don't know what to do. So I've put these in text files on my desktop. If I just type ls, you can see we've got passwords.txt, which contains "Please", "Subscribe" and "password", so three different passwords. We also have users.txt, which has "Please", "Subscribe" and "admin" as the usernames.

Now, if we were to go back to the Damn Vulnerable Web App and we type Please Subscribe, you can see here we get this "login failed" text appears. Obviously, if we log in and it's successful, you won't see this text, and this is important: I want you to keep this in mind for when it comes to building the query that we're going to run within Hydra.

So let me just show you Hydra. This is Hydra version 9.3 by van Hauser, and you get this hilarious thing: "please do not use in military or secret service organizations or for illegal purposes (this is non-binding, these 'some things' ignore laws and ethics anyway)". Funny. It's always been there, I love it. You can see here this is the usage of Hydra. There's quite a lot to it, but here's the main options that we're going to be dealing with. If you type hydra -h you get help, and at the bottom there's some examples of it. There is no HTTP attack here at the bottom; this is just FTP, IMAP, POP3, FTP again and then SSH. So there's a little bit more to doing the HTTP stuff, and that's why we're going to cover it here.

To make all this work we're going to use Burp. We haven't covered Burp so far on the channel. What it is is a proxy, and a proxy sits in between you and the destination. Normally, when I'm browsing the Damn Vulnerable Web App, it's just me in my browser clicking around here. Whenever I turn on this Burp Suite thing and activate something in my browser called FoxyProxy (I'll cover that in a moment), all of my traffic won't go directly to this web server here; it'll go into Burp Suite first, where we can look at it and interact with it and change it and even repeat it. We can send the web server multiple requests in a few seconds without having to mess around too much in the browser. In fact, Burp Suite has a browser built into it these days, so you don't really need this browser, but we're going to do it just to explain the basics. So remember: there's you, then the proxy, and then ultimately the Damn Vulnerable Web Application.

Let's look at setting up FoxyProxy. This is the little browser extension that is going to make it much easier to manage our relationship between Firefox and Burp Suite, because you can come in here to settings and do a search for proxy and then manually configure all this stuff directly in Firefox or any browser, but it's a bit of a pain and it's just not that easy to use. So come into this menu, click Add-ons and themes, do a search for FoxyProxy Standard and install that. Once it's installed you will get this little thing here. I've got it turned on; I just turn it off by clicking this, super easy. You click options. I've added a proxy at 127.0.0.1, which is my local machine (we're just doing this locally, and that's the way this works), and port 8080. There's a reason why we use 8080 here, and that's because Burp Suite is configured by default to run on port 8080. If you click proxy options you can see here: default setup, port 8080. You could change these, but make sure you change both Burp Suite and FoxyProxy.

I've just put Damn Vulnerable Web App on one side and Burp Suite on the other side, and I've made the font bigger so you can read it more easily. Let me just show you how this all works. Let's turn the proxy intercept on, and we'll go to Firefox and turn it on in there too. So now whatever we do here in this web browser doesn't actually go to the web server; it goes to Burp Suite first and then on to the web server once we click this forward button. Let me just try and log in with test, test. I'll click log in. You can see nothing really happens; on the right-hand side you can see the little dots moving, because the request is being sort of suspended in mid-air by Burp Suite, and that's exactly what we want.

Now you can see it's a POST request to this URL. It gives you the host information, the user agent. You can get all this stuff online: go and look at the HTTP protocol, Hypertext Transfer Protocol. Mozilla has a whole bunch of really good documentation for this, and this is really good stuff if you're going to be a web application pentester or a bug hunter, good stuff to go and learn. You've got cookie information here too, and this bottom bit is the bit that we really want: username equals test, password equals test, login equals login. If any of these are missing it won't work. So let's click forward, and I want you to pay attention to underneath this login button on this right-hand page, just about here. Watch what happens. We've got the response back from the server and it says "login failed". That's because the password and the username weren't correct within the Damn Vulnerable Web App, which is great: now we can use this string in our query.

Let's just look at the HTTP history for a second. We'll open this POST request here, and this is the bit that we really want. Let me just open up my little Mousepad text editor here, and I'll make the font a little bit bigger for you. There we go. So this is the syntax: hydra, capital L to provide the list of users, capital P to provide the list of passwords, then the IP address, then the module that you want to use. There's FTP modules, SSH modules; you have to choose the module that's right for the thing that you're trying to attack, because then everything after it is sort of relevant to that module. This is an HTTP POST form, that's what we're attacking here, and everything after this goes in speech marks, these little double quote things (and I see an extra space just there). So we put in the URL that we're attacking, and then a colon, and then we give it username equals user and password equals pass and login equals login. That is from Burp Suite: if you look down in the bottom left, you can see I've replaced the word test and test with user and pass, with the little pointy things (I think they're called carets, weird little carets) on each side. What'll happen is Hydra will go into the users text file, it'll take the first user and the first password, and it'll populate those here, it'll replace them here. Hydra knows what to do with those bits of text.

Then there's another colon, and this bit at the end is our failed login string. Something about these pages needs to be unique that tells it that this is a failed login attempt versus a successful one, and we know that it said "login failed" because we could see it here. So you just type any string that's unique to a failed login attempt and it will rule those out when Hydra does the attack. If it doesn't see this, it assumes that it's a correct login. So that's how that works.

Let's just take this string, we'll copy it, go in here and paste from the clipboard. When we run this we get this result: maximum nine tasks per one server, overall nine tasks. That's because I had three Ls and three Ps, three usernames and three passwords in my little text files on the desktop, which is a unique combination of nine different possibilities, hence why there's nine login tasks attacking the POST form here like this. And as you can see, this one worked: one of one successfully completed, one valid password found.

So there you have it. That is how you set up Burp Suite and FoxyProxy, you intercept some web traffic, you generate your word lists and your password lists and feed it all into the system, and ultimately brute force your way into a login panel using Hydra. There's a whole lot more that Hydra can do, and there's a whole bunch of tools that are very similar to Hydra. In fact, you can do some of this stuff just inside of Burp Suite itself. So if that sounds like fun, I suggest you go and do some research. Stay safe.
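The three-part form string and the failure-string rule described in the captions, as an added example that is not from the video or from Hydra's own code: it splits a constructed `path:body:failure-string` option, fills the `^USER^`/`^PASS^` markers, and classifies constructed response bodies to show that any page lacking the failure text is reported as a valid login. The path `/login.php`, the sample responses and all function names are assumptions made for illustration.

```python
from urllib.parse import quote_plus

# Constructed option string in the three-part shape the captions describe:
# request path, form body with ^USER^/^PASS^ markers, failure string.
FORM = "/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"


def parse_form(option):
    """Split 'path:body:failure' into its three colon-separated parts."""
    parts = option.split(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected path:body:failure-string")
    path, body, failure = parts
    for marker in ("^USER^", "^PASS^"):
        if marker not in body:
            raise ValueError(f"form body has no {marker} marker")
    return path, body, failure


def fill_body(body, user, password):
    """Substitute one credential pair; this example URL-encodes each value
    so '&' or '=' inside a password cannot break the form body."""
    return (body.replace("^USER^", quote_plus(user))
                .replace("^PASS^", quote_plus(password)))


def looks_valid(response_body, failure):
    """The rule from the captions: no failure string means 'valid login'."""
    return failure not in response_body


# Constructed response bodies (not captured from DVWA).
RESPONSES = {
    "wrong password": "<p>Login failed</p>",
    "real login": "<h1>Welcome to the application</h1>",
    "account locked": "<p>Too many attempts, try again in 15 minutes</p>",
    "server error": "<h1>500 Internal Server Error</h1>",
}


def classify_all(option=FORM):
    """Apply the failure-string rule to every constructed response."""
    _, _, failure = parse_form(option)
    return {name: looks_valid(body, failure) for name, body in RESPONSES.items()}


if __name__ == "__main__":
    path, body, failure = parse_form(FORM)
    print(path, fill_body(body, "admin", "p&ss word"))
    for name, valid in classify_all().items():
        print(f"{name:15} -> reported valid: {valid}")
```

The lockout and server-error pages are both reported as valid because neither contains the failure text, so a result produced by this rule needs confirming by hand in an engagement report.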
Info
Channel: Gary Ruddell
Views: 18,116
Keywords: cyber, cyber-security, hacking, learning, productivity, password cracking, hydra, cewl, crunch, CUPP, mentalist, burpsuite, burp, suite, hidra
Id: pMizqP5rb1A
Length: 11min 24sec (684 seconds)
Published: Sat Jan 07 2023