How to HACK Website Login Pages | Brute Forcing with Hydra

Video Statistics and Information

Captions
Most websites have login pages, and in this video I'm going to show you how to hack them. So why target login pages? Well, behind every login page is access to confidential information or even administrator-level access. This is gold dust for hackers, and as penetration testers or bug bounty hunters it's extremely valuable for us as well.

So how do we actually go about hacking a login page? Well, there are two main types of attack that we can use here: brute forcing and dictionary attacks. A brute force attack is where you try every possible password that exists. For example, we might start a, then aa, then aaa, then aab, and so on and so forth until the correct password is found. Now, in theory this will eventually find the correct password no matter what it is. However, the time it can take can vary greatly. For example, if you're finding a 5 character password with only lowercase letters, this could take seconds. A 16 character password with numbers, uppercase and special characters, however, could take millions of years. Now, I don't know about you, but I don't have the patience to wait millions of years.

This is why we use the second type of attack, called a dictionary attack. A dictionary attack is actually a type of brute force, but instead of trying every single possible combination of letters, numbers and symbols, we use pre-built lists of possible passwords. You see, us humans are not as smart as we think we are. We tend to use passwords that are easy to type, easy to remember, and even reuse the same password over and over again. And as clever as you think you're being, unless your password is truly unique, it's likely to have been used many times before. So we can use lists of passwords containing words, phrases and known passwords from past data breaches, and there is a good chance that we will find a match. Luckily, we don't need to type these passwords ourselves. There are plenty of tools that can do this for us, and probably the most popular is one called Hydra. Hydra is a free tool used to hack logins and is what we're going to be using today.

So now let's move on to the hacking. We're going to need a hacking machine such as Kali Linux or Parrot OS, and we're also going to need a test website with a login page for us to hack. Now, you can set this up yourself with virtual machines and installing web servers, but luckily our sponsor for today's video has us covered. Hack The Box Academy provides real hands-on training with browser-based hacking environments, nothing to download or install, and ready to go in minutes. They have tons of great training available, including this one called Login Brute Forcing. This module is part of their Certified Bug Bounty Hunter training. This training path will take you from almost zero to hacking into websites in no time at all. So I'm going to be using the Hack The Box Academy environment to show you how this all works. If you want to follow along, use the link below in the description to sign up.

So here is our attacker's machine, and here is the website login that we're going to hack. As you can see, it's a pretty standard username and password page. Now we have our target, let's see how we can use Hydra to find some credentials. Now, our attacking machine is running Parrot OS from Hack The Box Academy and it has Hydra pre-installed. If you're running Kali Linux you should also have it. If you're using anything else, you may need to install it using apt or download it from the official GitHub.

So let's look at the command format. There are a few bits of information here, so let's break this down. Hydra is a really powerful tool with many different options. This is the general format of the command that we need for this attack. Hydra specifies the tool. Dash l login or dash L file is the section that we tell Hydra what to put into the username field. We can use a lowercase l and specify a user account manually, or we can use an uppercase L and use a list of usernames. Dash p pass or dash P file is the section very similar to the last one, but it tells Hydra what to put into the password field. Using a lowercase p tells us to specify the password, and the uppercase P will use a password list. Dash u: this will try every username for each password. If we have a small username list and a large password list, this could dramatically reduce the time it takes to find the correct password. F is pretty simple: it tells Hydra to stop trying to find passwords once the first match is found. We then need to add the IP address or the domain name of the target website, dash s to specify the port number of the target website, and the module section tells Hydra which modules to use. Now, a module is a service to attack. Some module examples are HTTP, Remote Desktop Protocol, SSH, and many, many more. This last part depends on the module you select. This example shows typical options for an HTTP attack, which is what we're going to be doing today.

Okay, so now we have the basis of our command, let's start writing this out. So first I'm going to open a terminal. I'll make this a little bit bigger so we can see, move this over here, and we're first going to start with sudo because we want to run with elevated permissions. Then we type hydra, and now we need to choose either a specific username to try to attack or a list of possible usernames. Now, a lot of the time you won't know anything about the target, nor do we have any known usernames. A good guess is there will be something like admin, administrator, or something along those lines. So we could try our luck choosing the username ourselves, but we may be better off using a list of common usernames. There are lots of word lists available with common usernames. A great place for this is SecLists, which has a ton of great word lists. It's already pre-installed in our Hack The Box Academy machine, but you can download it from their GitHub. So to tell Hydra we want to use a list of usernames, we use the command dash capital L and then the location of our word list. In our example we'll use the word list located in opt, useful, SecLists, usernames, and it's called top username shortlist. This word list contains some of the most common usernames.

Next we need to tell Hydra which passwords to try. Again, there are tons of password lists out there. One popular list is the rockyou password list from a massive data breach back in 2009. This contains over 14 million passwords ranging from very simple to more complex passwords. To use this list we need to type dash capital P and then the location of our list, which for me is opt, useful, SecLists, passwords, leak databases, and then dot rockyou. Now, if you're not using Hack The Box Academy then your list may be somewhere else, or you may need to download it. Then we type dash u to tell Hydra to try every username from our small user list for each password. This is rather than 14 million passwords for each username. Now we use the dash f to tell Hydra to stop looking once a match has been found. Now, if you're trying to find as many credentials as possible then you may not want to add this bit. Now we need to add our target IP address or domain name and the port number. In our example our IP address is here, and we'll copy that, paste it, s for the port number, and as we can see it's just here, copy, and we'll paste that as well. Perfect.

Now this last part will need a bit more explaining. This is the module section, where we tell Hydra what type of login we're trying to attack so it knows which techniques to use. Web logins like this are the HTTP post form module, so we type http dash post dash form and this will select that module. Then we need to add some parameters, and we'll open that with some quotation marks. The first parameter is the URL of the login page itself, and we can see up here at the top it's login.php, so we'll start with login.php. Then we just need to add a colon to separate the parameters. Next we need to tell Hydra where to input the username and where to input the password. To do this we need to find out the names of these fields.

Now, there are a few ways to do this, but one of the easiest ways is to open a program called Burp Suite. Now, to do that we go up to Applications and I'll go to Pentesting, most used tools, and there it is, Burp Suite. Click onto there. A couple of prompts will come up, just skip past those: accept, close, temporary project is fine for this, use the defaults, start Burp. Burp Suite has tons of great website hacking tools, but the main one and the one we're interested in today is the proxy at the top, so Proxy here. Using the proxy allows us to inspect all requests that are being sent to the web server. Before we can use the proxy, though, we need to add the settings in our browser. To do this we'll just go back to Firefox, select the menu, go to Preferences, then at the top right we'll just type proxy, and where it says Network Settings click Settings and manual proxy configuration. We're just going to use HTTP for this, and in the address we'll type 127.0.0.1, and the default port number for Burp Suite is 8080. Click OK and that's that saved. What this does is tell our browser to send all of the web requests to our proxy, where we can then view and even change them if we wanted to before they're sent to the web server.

So now we're set up, we just need to enter some test credentials and we should be able to see the form input names. So what I'm going to do is I'm going to click on to user, I'm just going to type test, and for the password again I'm going to hit test. Now, when I click login nothing will happen. It will kind of hang here, nothing happens, but if we go over to Burp Suite you'll see this is the request being sent to the web server. At the bottom we can see our test credentials, and most importantly we can see the login parameter names. So we have username and simply password, and we can use these for our Hydra command. So let's go back to our terminal. We'll type in username, and then tell Hydra that this is where the input for the user will go: equals, up arrow, USER, up arrow. Then we do the same for the password field by typing "and" to separate them, password equals, and this is where to input the pass information. Perfect.

Now the last bit we need to do is tell Hydra when to know when a username and password is correct. If you think about it, Hydra won't know what a successful login looks like, right? So we need to tell it. This is the part that people tend to forget. So what we need to do is add another parameter to tell Hydra when to stop trying passwords. Now, because we don't know what a successful login looks like, meaning we don't know what happens when it logs in, we need to use something that we're pretty sure won't be there once we do log in. It's pretty reasonable to think that once we log in, this login page won't be there. Now, if you think about it, there won't be any need for a login page once you've already logged in, right? So let's find the name of this login form. To do that we'll just press F12 on the keyboard to bring up the developer tools, select the inspection tool, and we can just move our mouse around until we select that form. So select that there, and we can read through here. We can see the name of the form is called login, so we use that to tell Hydra: hey, if you no longer see this login form then that's a pretty good chance that that's a successful login. So to do that we move over to our terminal again. We do a colon to separate the parameters, then we need to do capital F for failure, equals, and to say what a failure looks like I'll add the name of our form, which is open bracket, form name equals login. We then need to close our module parameters with quotation marks.

So we now have the username list, the password list, the IP address, the port number and our module options. When we press enter, Hydra will start trying lots of different passwords until a match is found. So I'll press enter, and of course I get an error, and that is because the login page should start with a forward slash. So the command should now look like this. Press enter and Hydra will start to try lots of different passwords. As we can see, very quickly we receive a match. The login name is admin and the password is the very secure password of password one. Now, this just shows how quickly we can crack simple passwords. Now, in the real world, if this was a little bit more complex this will probably take a little bit more time.

So we can confirm this works just by going back to our login page, typing the username as admin and the password is password1, and not forgetting to turn our proxy server off. We can just turn this "interception is on" button off, and that's removed our name. So again we'll go admin, password one, hit the login button. As you can see, we have successfully logged in, and the text you see here is actually some clues for our next Hack The Box challenge. Down at the bottom we also have a flag to complete this section.

So we've just hacked a website login. Now, it's worth noting that most sites we use today like Facebook, Instagram, etc. will have account lockouts. This means that after a few tries you'll be locked out of your account for a set period of time. This dramatically reduces the effectiveness of these attacks because you can't try lots and lots of passwords all at once. Now, a great way to make sure that your accounts are protected against these types of attacks is to make sure you enable multi-factor authentication. This way, even if an attacker does get your login credentials, they still need that second factor, which is usually a code on your mobile.

So that is how we can force our way into website login forms using Hydra. Hydra is a great tool and it can even be used to brute force services such as FTP and SSH. If you like this video, you will really love the module on Hack The Box Academy. They cover everything I just did and much, much more, so go check it out in the description. Don't forget to give this video a thumbs up, leave a comment and subscribe. The support from you guys really helps this channel grow. Thank you for watching.
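The account lockout mentioned at the end of the captions, sketched from the defender's side as an added example (it is not code from the video or from Hack The Box): a guard that locks an account after a few failed logins for a set period and also blocks a source that fails against many different usernames, the pattern the `-u` option produces. The class name, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# All thresholds below are assumptions chosen for the example.
MAX_FAILS = 5          # failed logins allowed per account inside WINDOW
WINDOW = 300           # seconds over which failures are counted
LOCK_SECONDS = 900     # how long a locked account stays locked
MAX_USERS_PER_SRC = 4  # distinct usernames one source may fail against

class LoginGuard:
    def __init__(self):
        self.fails = defaultdict(deque)     # username -> failure timestamps
        self.locked_until = {}              # username -> unlock time
        self.src_users = defaultdict(dict)  # source -> {username: last failure}

    def source_flagged(self, src, now):
        # A source failing against many accounts stays under every per-account limit.
        recent = [u for u, t in self.src_users[src].items() if now - t <= WINDOW]
        return len(recent) > MAX_USERS_PER_SRC

    def attempt(self, user, src, password_ok, now):
        """Record one login attempt and return 'blocked', 'locked', 'ok' or 'fail'."""
        if self.source_flagged(src, now):
            return "blocked"
        if self.locked_until.get(user, 0) > now:
            return "locked"  # refused even when the password is correct
        if password_ok:
            self.fails.pop(user, None)
            return "ok"
        q = self.fails[user]
        q.append(now)
        while now - q[0] > WINDOW:  # drop failures older than the window
            q.popleft()
        self.src_users[src][user] = now
        if len(q) >= MAX_FAILS:
            self.locked_until[user] = now + LOCK_SECONDS
        return "fail"

def replay(events):
    """Feed (username, source, password_ok, unix_time) tuples through a fresh guard."""
    guard = LoginGuard()
    return [guard.attempt(*e) for e in events]

# Constructed sample events, not taken from the video.
ONE_ACCOUNT = [("admin", "203.0.113.7", False, t) for t in range(6)]
ONE_ACCOUNT.append(("admin", "203.0.113.7", True, 10))
MANY_ACCOUNTS = [(u, "203.0.113.9", False, i) for i, u in
                 enumerate(["admin", "root", "test", "guest", "info", "user"])]
```

In the first sample the correct password at the end is still refused because the account is locked; in the second no account reaches its own limit, so only the per-source check stops the run.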
Info
Channel: CertBros
Views: 414,548
Keywords: ethical hacking, hydra, hacking, brute force attack, login page brute force hydra, login page, hack login page, hydra tutorial, dictionary attack, dictionary attack in kali linux, login, ethical hacking tutorial, ethical hacker
Id: -CMBoJ60K1A
Length: 18min 20sec (1100 seconds)
Published: Tue Sep 20 2022