How to Crack Online Web Form Passwords with THC-Hydra & Burp Suite

Open THC-Hydra

So, let's get started. Fire up Kali and open THC-Hydra from Applications -> Kali Linux -> Password Attacks -> Online Attacks -> hydra.

Get the Web Form Parameters

To be able to hack web form usernames and passwords, we need to determine the parameters of the web form login page as well as how the form responds to bad/failed logins. The key parameters we must identify are the:

  • IP Address of the website
  • URL
  • type of form
  • field containing the username
  • field containing the password
  • failure message

We can identify each of these using a proxy such as Tamper Data or Burp Suite.

Using the Burp Suite

While we may use any proxy to perform this function, including Tamper Data, in this post we will use Burp Suite. You can open Burp Suite by going to Applications -> Kali Linux -> Web Applications -> Web Application Proxies -> burpsuite. When you do, you should see its opening screen.

Next, we will be trying to crack the password on the Damn Vulnerable Web Application (DVWA). You can run it from the Metasploitable operating system (available from Rapid7) and connect to its login page, as I have here.

Lastly, we need to configure our IceWeasel web browser to use a proxy. We can go to Edit -> Preferences -> Advanced -> Network -> Settings to open the Connection Settings. There, configure IceWeasel to use Burp Suite as its proxy by entering the proxy address in the HTTP Proxy field and 8080 in the Port field, and delete any information in the No Proxy field below. Also, select "Use this proxy server for all protocols".

When a login attempt is submitted, Burp Suite intercepts the request and shows us the key fields we need for the THC-Hydra web form crack.

After gathering this information, I then forwarded the request from Burp Suite by clicking the "Forward" button on the left. DVWA returns the message "Login failed." Now, I have all the information I need to configure THC-Hydra to crack this web app!

Getting the failure message is key to making THC-Hydra work on web forms. In this case, it is a text message, but it will not always be. Sometimes it can be a cookie, but the critical part is finding out how the app communicates a failed login. In this way, we can tell THC-Hydra to keep trying different passwords; only when that message does not appear have we succeeded.

Set the Parameters in Your THC-Hydra Command

Now that we have the parameters, we can add them to the THC-Hydra command. The syntax looks like this:

kali> hydra -L <username list> -P <password list> <IP address> <form parameters> <failure message>

Therefore, based on the information we received from Burp Suite, our command should look like this:

kali> hydra -L <wordlist> -P <password list> <IP address> http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"

A few things to keep in mind. First, you use the uppercase "L" when you supply a list of usernames and the lowercase "l" when you try to crack a single username that you provide there. In this case, I will be using the lowercase "l" as I will be trying to crack the "administrator" password only.

After the address of the login form (/dvwa/login.php), the next field is the name of the field that takes the username. In our case, it's "username," but in some cases it may be different, such as "login."

Now, let's put together a command that will crack this web form login.

Choose a Wordlist

Now, we need to select a wordlist. As with any dictionary attack, the wordlist is key. You can use a custom one made with Crunch or CeWL, but Kali has a lot of wordlists built in. To see them all, just type:

kali> locate wordlist

In addition, there are many online sites with wordlists that can be up to 100 GB! Choose wisely, my novitiate hacker. For this, I will use a built-in wordlist with fewer than 1,000 words.


Create a Command

Now, let's build the command from all of these elements, as shown below.

kali> hydra -l admin -P /usr/share/dirb/wordlists/small.txt <IP address> http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -V

Let It Run!

Now, let's go! Since we used the -V switch, THC-Hydra will show us every attempt.

After a few minutes, Hydra comes back with the password for our web application. Success!

Final Thoughts

Although THC-Hydra is an effective and excellent tool for cracking online passwords, using it on web forms takes a little practice. The key to using it successfully on web forms is determining how the form responds differently to a failed login compared to a successful login. In the example above, we identified the failed login message, but we could have identified the success message and used it instead. To use a success message, we replace the failed login message with "S=successful message", such as:

kali> hydra -l admin -P /usr/share/dirb/wordlists/small.txt <IP address> http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:S=successful message" -V

Also, some web servers will detect many rapid failed login attempts and lock you out. In this case, you will want to use the wait function in THC-Hydra. This adds a wait between attempts so as not to trigger the lockout. You can use this function with the -w switch, so we revise our command to wait 10 seconds between attempts by writing it:

kali> hydra -l admin -P /usr/share/dirb/wordlists/small.txt <IP address> http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -w 10 -V
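Seen from the defending side, the lockout behaviour mentioned above has to cope with both rapid and paced guessing. The following Python is an added example, not part of the original post: it runs two rules over authentication events, a per-source burst rule and a per-account rule over a longer window that still fires when attempts are spaced 10 seconds apart. The event format, function names, addresses and thresholds are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    """Parse 'ISO-timestamp src=IP user=NAME result=ok|fail' (constructed format)."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect(lines, burst=(5, 10), slow=(20, 3600)):
    """Return alerts as (rule, key) tuples, in the order they first fire.

    burst: N failures from one source within W seconds (rapid guessing).
    slow:  N failures for one account within W seconds, whatever the pacing.
    """
    rules = {"burst": ("src", *burst), "slow": ("user", *slow)}
    windows = defaultdict(deque)          # (rule, key) -> recent failure times
    alerts = []
    for rec in map(parse, lines):
        if rec["result"] != "fail":
            continue                      # only failed logins are counted
        for name, (field, limit, secs) in rules.items():
            key = (name, rec[field])
            q = windows[key]
            q.append(rec["ts"])
            # Drop failures that have aged out of this rule's window.
            while rec["ts"] - q[0] > timedelta(seconds=secs):
                q.popleft()
            if len(q) >= limit and key not in alerts:
                alerts.append(key)
    return alerts

def sample(start, count, step, src="10.0.0.5", user="admin"):
    """Build constructed failure events spaced `step` seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + timedelta(seconds=i * step)).isoformat()} "
            f"src={src} user={user} result=fail" for i in range(count)]

if __name__ == "__main__":
    print(detect(sample("2024-05-01T10:00:00", 25, 1)))    # rapid attempts
    print(detect(sample("2024-05-01T10:00:00", 25, 10)))   # 10 s between attempts
```

The per-account rule is what catches the paced run, which is why lockout and alerting keyed only on request rate per source are not enough on their own.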

I recommend that you practice using THC-Hydra on forms where you know the username and password before using it out in "the field."

Keep coming back, my criminal comedians, as we continue to expand your repertoire of hacker tricks and techniques!
