Posted by Sillychicken on May 22, 2011. 19 Comments
This will give you an idea of how to brute force HTTP forms with THC-Hydra.
This is a continuation of How to brute force your router, so if you haven't read it, check it out!!!

Watch the video for a live example. The video is best viewed in full-screen mode.



IMPORTANT: This is for educational purposes only. Don't go around attacking sites; that's how you get into trouble.
In this example I will be brute forcing an admin account on this site, which has been set up just for this (the user has already been deleted).
The URL I will be using in this example is http://www.sillychicken.co.nz/administrator/, which "was" the path to the Joomla admin login page.

Background:
A couple of things that need to be identified:

  • Postback page
  • Post Parameters
  • Failed attempt unique text


Post back page

This is normally the same page as the login page, but not always. View the source code of the page and find the form with method="post". Its action attribute is the page the values will be "posted" to.

This is the section from the administrator login page for Joomla:

As you can see the page to post to is “index.php”


Post Parameters

These can be found by viewing the source code of the login page. Every input tag within the form will be posted.

The post name will be the "name" attribute of the tag. The value will be the "value" attribute, if it has one defined.

Alternatively you can use Firefox with the Tamper Data extension, which works great.

Failed attempt unique text

This is text that is found on the webpage when a login attempt fails. This text must be exclusive to a failed login attempt.


Putting it all together:

The site:

www.sillychicken.co.nz/administrator/

The post back page:

index.php

The postback values are:

usrname=(user input)

pass=(user input)

submit=Login

which have been extracted from the page source:

Now if we try to log in to the admin page we get a JavaScript popup which says "Incorrect Username, Password ......"

"Incorrect Username" sounds like text that would not show up had the login been successful, so we will use this.

Let's combine it all into hydra:

hydra -l {username} -P {password list path} -s {port} -f {Site Address} http-post-form "{Path to postback page}:{USERNAME_NAME}=^USER^&{PASSWORD_NAME}=^PASS^:{failed login text}"


My command looks like:

hydra -l hydra -P password.lst -s 80 -f www.sillychicken.co.nz http-post-form "/administrator/index.php:usrname=^USER^&pass=^PASS^&submit=Login:Incorrect Username"


Command breakdown:
hydra --> the hydra program
-l --> (lower case "L", not to be confused with an upper case "i") a single username to target. Use uppercase -L to specify a username list. I set up the "hydra" account for this demo; it has already been deleted.
-P --> path to the password list. Use -p to try a single password, e.g. "passw0rd"
-s --> port to target; the default port for http is 80
-f --> exits the program after the first match is made

{Site Address} --> e.g. www.sillychicken.com. Do not include http://
http-post-form --> the service to brute force. The Hydra README gives the command as http-form-post; using that will give you an error.
{Path to postback page} --> everything after the site address; must start with "/"
{USERNAME_NAME} --> the name of the username postback variable
^USER^ --> this will be replaced with the username specified by -l, or by each entry of the -L username list
^PASS^ --> this will be replaced with each password from the defined list
{Failed login text} --> text that will only be found in a failed login
Note: ensure the quotes run from just after http-post-form to the END OF THE COMMAND.

You will get an output line with the username and password if you are successful.
Watch the video for a live example.
This attack is only as good as your dictionary.
Next: how to brute force web forms. Make sure to come back and check it out!!


IMPORTANT: This is for educational purposes only. Don't go around attacking sites; that's how you get into trouble.

19 Responses so far.

  1. iDOn says:

    This is not brute force mode because you are using a list of passwords; it's called a dictionary attack.

  2. Rogan says:

    Unfortunately, this does not work on all versions of Joomla, because the Admin logon page includes a random token that gets updated with every request, and there is no mechanism to specify this in Hydra.

    i.e.

    “/administrator/index.php:username=^USER^&passwd=^PASS^&lang=&option=com_login&task=login&cec21c04bff97e66ecc0068f5cb4507d=1:do not match”

    The token “cec21c04bff97e66ecc0068f5cb4507d” needs to change with every request. While hydra can get a new cookie if required, there is no mechanism to tell it to get new form values/parameters on each submission.

    Pity.

  3. Dave says:

    Why is this listed as a “brute force” attack if you need a dictionary file?

    Also, “max25″ above, you neglect to mention that the “uniqpass” password file mentioned on that site is not FREE! That scam site (which is getting plugged in the comments of every single hydra post) is asking for $4 to get a copy of that file. Fuck them.

    • Sillychicken says:

      Link removed, yes it should be renamed I will do an update to make the title reflect the attack.

      • Franccesco says:

        Brute Force is an appropriate title. This is a Dictionary Attack, which is a subcategory or method of a Brute Force Attack, so the title is general but appropriate for this situation.

  4. John says:

    You showed an example that uses a PHP page, OK. How would the http-post-form look for an ASP.NET page?

    • Sillychicken says:

      Hi John, it makes no difference what the page type is (php, asp, aspx, html); you can follow the above, substituting whatever page path you like.

  5. rai says:

    for those of you having problems with bruteforcing web forms using hydra, this might help you: http://shout.rockerprog.com/2012/05/bruteforcing-web-forms-using-hydra-on-linux/

  6. sangsu-nam says:

    hi

  7. poli says:

    If the submit field does not have a name, what can I do? Is it safe?
    Please reply to me, I am studying to prevent attacks.

    • sillychicken says:

      That's fine, just don't include it.

      • poli says:

        Thanks for the answer, but if I don't include the submit name it doesn't work; I always get a successful password and it is not true.
        Example:

        HTML
        —-

        Path to postback page
        ———————
        “/login.php:name=^USER^:password=^PASS^:wrong

        Correct data
        ————
        name: admin
        password: 12345

        I always get success in this case, although the password is false.

        Thank you very much for your time.

  8. poli says:

    <form action="index.php" method="post">
    <input name="name" type="text">
    <input name="password" type="password">
    <input name="submit" type="submit" value="send">
    </form>

    • poli says:

      I'm sorry, this:
      <form action="index.php" method="post">
      <input name="name" type="text">
      <input name="password" type="password">
      <input type="submit" value="send">
      </form>

  9. m43k says:

    One question: how can I filter a ":" in a field? Example: name="abc:12345"

  10. M. says:

    Hi, your tutorial was very helpful to me, but I still have two questions that googling isn't helping with.

    Is there a chance to use the hydra if the “{failed login text}” is replied in JavaScript?

    If there is no string in HTML or so, but a response using JS? Seems to be a lot more difficult

    And:

    How can I tell hydra that the difference between a successful and a failed login is a cookie? I think I have to use the :C= option instead of "{failed login text}", but I am not sure how to use it properly.

  11. sniper says:

    Please help me... I have a site that requires an admin password without a username. What command can I use to brute-force it in hydra, or tell me some tools.
