
Online Password Cracking with THC-Hydra and BurpSuite


According to Kali, THC-Hydra Tool is a parallelized login cracker that supports a large number of protocols to attack. It is very fast and flexible, and adding new modules is easy.

It allows researchers and security consultants to demonstrate how easy it would be to gain unauthorized access to a system remotely.

THC-Hydra Tool will operate in 4 modes:

  • A username and a password
  • User list and a password
  • A username and a password list
  • User list and Password list

Hydra Has Various Options:

  • Target – settings of various target options
  • Passwords – Specify password options and word lists
  • Tuning – Specify how fast Hydra should run. Other timing options are also available.
  • Specific – Domain, https proxy etc. For testing on specific targets.
  • Start – Shows Start / Stop and output.

Step 1: Turn on THC-Hydra

So let’s get started. Fire up Kali and open THC-Hydra from: Applications -> Kali Linux -> Password Attacks -> Online Attacks -> hydra.

Step 2: Get Web Form Parameters

To be able to hack web form usernames and passwords, we need to determine the parameters of the web form login page and how the form responds to incorrect / unsuccessful entries. The basic parameters we need to define are:

  • IP Address of the website

  • URL

  • form type

  • the field containing the username

  • the field containing the password

  • error message

We can identify each of these using a proxy such as Tamper Data or Burp Suite.

Step 3: Using Burp Suite

While we can use any proxy to do the job, including Tamper Data, we will be using Burp Suite in this post. You can open Burp Suite by going to: Applications -> Kali Linux -> Web Applications -> Web Application Proxies -> burpsuite. When you do this, you should see the opening screen as below.

Next, we will try to crack the password on the Damn Vulnerable Web Application (DVWA). You can run it from the Metasploitable operating system (available from Rapid7) and then connect to its login page, as shown here.

We need to enable Proxy and Intercept in Burp Suite as below. Make sure you click on the Proxy tab at the top and then on Intercept in the second row of tabs. Make sure that “Intercept is on”.

Finally, we need to configure our IceWeasel (or Firefox or Mozilla) web browser to use a proxy. Go to Edit -> Preferences -> Advanced -> Network -> Settings to open the Connection Settings as seen below. Here, configure IceWeasel to use 127.0.0.1 port 8080 as a proxy by typing 127.0.0.1 in the HTTP Proxy field, 8080 in the Port field and deleting the information in the No Proxy for field below. Also, select the “Use this proxy server for all protocols” button.

Step 4: Get Wrong Login Response

Now let’s try to login with my username OTW and password OTW. When I do this, BurpSuite grabs the request and shows us the key fields we need for the THC-Hydra web form cracking.

After collecting this information, I press the “Forward” button on the far left and submit the request from Burp Suite. DVWA displays a “Login failed” message. Now I have all the information I need to configure THC-Hydra to crack this web application!

Getting the error message is key to getting THC-Hydra working on web forms. In this case, it is a text-based message, but not always. It can sometimes be a cookie, but the critical part is figuring out how the application communicates a failed login. This way we can tell THC-Hydra to keep trying different passwords; only when this message does not appear have we succeeded.

Step 5: Put the Parameters in Your THC Hydra Command

Now that we have the parameters, we can put them in the THC-Hydra command. The syntax looks like this:

kali> hydra -L <username list> -P <password list> <IP address> http-post-form "<login page>:<form parameters>:<failed login message>"

So, according to the information we gathered from Burp Suite, our command should look like this:

kali> hydra -L <username list> -P <password list> 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"

A few points to be aware of. First, use an uppercase “L” if you are using a username list and a lowercase “l” if you are trying to crack a single username that you supply. In this case, I’ll just use the lowercase “l” as I’ll try to crack the “admin” password.

After the address of the login form (/dvwa/login.php), the next field is the name of the form field that takes the username. In our case this is “username”, but in some forms it can be something different like “login”.

Now, let’s build a command that will crack this web form login.

Step 6: Choose a Word List

Now we have to choose a word list. As with any dictionary attack, the word list is key. You can use a custom one made with Crunch or CeWL, but Kali has lots of word lists built in. Type this to see them all:

kali> locate wordlist

Also, there are numerous online sites with word lists of up to 100 GB! Choose wisely, my hacker candidates. In this case, I’ll use a built-in word list of less than 1000 words at:

/usr/share/dirb/wordlists/small.txt

Step 7: Create the Command

Now, let’s build our command with all these elements as seen below.

kali> hydra -l admin -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -V

Where:

  • -l specifies a single username (use -L for username list)

  • -P indicates to use the password list below

  • http-post-form specifies the type of form

  • /dvwa/login.php is the login page URL

  • username is the form field where the username is entered

  • ^USER^ tells Hydra to use the username or list in that field

  • password is the form field where the password is entered (other forms may use a different name)

  • ^PASS^ tells Hydra to use the password list provided

  • Login is the last form field submitted (the Login button); the text after the colon that follows it is the failed-login message for Hydra

  • Login failed is the login error message returned by the form

  • -V is for detailed printout showing each attempt

Step 8: Let It Fly!

Let it fly now! As we are using the -V switch, THC-Hydra will show us every attempt.

After a few minutes, Hydra returns with the password of our web application. Success!

Final thoughts

Although THC-Hydra is an effective and excellent tool for online password cracking, it requires some practice when used on web forms. The key to using it successfully on web forms is determining how the form responds differently to a failed login versus a successful login. In the example above, we identified the failed login message, but we could identify the successful message and use it instead. To use the successful message, we replace the failed login message with “S=successful message” as below:

kali> hydra -l admin -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:S=<successful message>" -V

Also, some web servers will notice many rapid failed login attempts and lock you out. In this case, you will want to use the wait function in THC-Hydra. This will add a delay between attempts to avoid triggering the lockout. You can use this function with the -w switch, so we revise our command to wait 10 seconds between attempts:

kali> hydra -l admin -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -w 10 -V

I recommend that you practice on forms where you know the username and password before using THC-Hydra “in the wild”.
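
A defender's view of the lockout point above, as an added example (not from the original post or from THC-Hydra): an access-log check that flags sources sending many POSTs to the login form, with a second, longer window so that attempts paced about 10 seconds apart are still caught. The combined log format, the thresholds and the sample IP addresses are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-format access log line: source IP, timestamp, method, path.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/dvwa/login.php"  # login form used in the walkthrough
# rule name -> (window, max login POSTs allowed in it); thresholds are assumptions to tune
RULES = {
    "burst": (timedelta(seconds=60), 20),
    "slow": (timedelta(minutes=10), 40),  # paced guessing, e.g. one try per 10 s
}

def detect(lines):
    """Return {ip: set of rule names} for sources exceeding a login-POST rate.
    Assumes the lines are in chronological order, as in a normal access log."""
    seen = defaultdict(lambda: {name: deque() for name in RULES})
    alerts = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != LOGIN_PATH:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        for name, (window, limit) in RULES.items():
            q = seen[m["ip"]][name]
            q.append(ts)
            while ts - q[0] > window:  # drop attempts older than the window
                q.popleft()
            if len(q) > limit:
                alerts[m["ip"]].add(name)
    return dict(alerts)

def sample_log():
    """Constructed sample: a fast guesser, a paced guesser and a normal user."""
    start = datetime.strptime("01/Jan/2024:10:00:00 +0000", TS_FMT)
    rows = [(start + timedelta(seconds=i), "192.0.2.10") for i in range(30)]        # 30 tries in 30 s
    rows += [(start + timedelta(seconds=10 * i), "192.0.2.20") for i in range(60)]  # 1 try per 10 s
    rows += [(start + timedelta(seconds=40 * i), "192.0.2.30") for i in range(3)]   # a few typos
    line = '{} - - [{}] "POST /dvwa/login.php HTTP/1.1" 302 350 "-" "-"'
    return [line.format(ip, ts.strftime(TS_FMT)) for ts, ip in sorted(rows)]

if __name__ == "__main__":
    for ip, rules in sorted(detect(sample_log()).items()):
        print(ip, sorted(rules))
```

The paced source never trips the 60-second rule, which is why a per-minute threshold alone is not enough to back an account lockout or alerting policy.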