Hydra is a very powerful and fast password cracking tool which can also perform dictionary attacks against a wide range of protocols such as RDP, SSH, FTP and HTTP. I will walk through how to use Hydra to brute force HTTP POST login forms in three different scenarios.
In our first scenario, we navigate around the web application and we find a login form. We do not know what the username or password is for this login page but we can assume for this scenario that the username is 'admin'. The URL for the login form is as follows.
The first step in attacking this login form is to gather some information about the form and understand better what happens when we submit login details. For this we capture a request with Burpsuite. As shown below we can see that the login form is posting our credentials to '/account/login.aspx', we can also see the full request body that contains our credentials that we entered. We will need to pass this to Hydra so that it can craft correctly formatted POST requests.
Below is the command we will use with Hydra to brute force the login form. I will also provide a breakdown for exactly what each argument is and where we got them from.
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.126.149 http-post-form "/Account/login.aspx:__VIEWSTATE=bKQCsSsCvOZiuZNEDamlTXH8ZLMxPT8%2Bkhd%2BFdqZfFS0JJQqTBlfMktVKgrAORXOreqosAX9oGVWS7NO%2BqGD8lNflXkULUqrwpEjStrAlvnTYriDx2uye5kpaJqapjqoDbDF30FXIIBlJpbonU8%2BdF32BXpMdp4CRKN2Y3PmKcyGISBF&__EVENTVALIDATION=T2rEkO%2FXPP6nBkCrOnKeCOj%2FL6Pp%2FLnaFXesNMM3JyD9Vagmv3ciq2zgC45ywBzOnAWYPLWaoHPDgUS4Dfr6jU8LFAbG6Pcb6ncBIRqKPCkMlItpisA8RNBAt8hffRodwkiDkf5R2DsQAiCKiIKxNLyt%2BBOwwTyAMmiIDfBiP8orqvLq&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in&Login=Login:Login failed" -V
Breaking down the above command we have the following:
-l to supply the username of the account we want to brute force and in this case it is the admin account.
-P to specify a password list and in this case we use the 'rockyou' word list.
We then supply an IP address of the target we are attacking and also specify 'http-post-form' to let hydra know we are attacking an HTTP POST login form.
Im going to break down the next section in smaller chunks:
We first specify the location in which the form is POSTing to for example '/Account/login.aspx'. This was discovered using Burpsuite.
We then use a colon to separate the next argument which is the full request body. We copy and paste the full request body from Burpsuite and we make two modifications. The first one is to replace the username we entered with '^USER^' as this is will use the username we specified with the -l option. We then alter the password value and change it to ^PASS^ so hydra knows to fuzz this value with passwords from our password list.
The last bit of information we need to supply is a condition string for when our attack is unsuccessful. This can be found by entering an incorrect username and password and looking at what error the web application throws at us. In this case the error is "Login failed" so we will supply this as the last argument.
We also use the -f option to stop the attack at the first instance of a successful login and -vV for verbosity.
After a few seconds of letting Hydra run, it stops at the first instance of a successful login and we have the password "1qaz2wsx". We can now use this and log into the web application.
In the second scenario we have come across a Jenkins login page, just like the first example we can assume that the username is also admin and that we do not know the password. As we have walked through the first scenario together, I will not be going in-depth with this example.
The next step is to capture a POST request from the login form in Burpsuite. We can see below that the the login form POSTs our credentials to "/j_acegi_security_check" so this will be used as a parameter in our Hydra command. We also have our full request body which looks a lot less complex compared to our first scenario.
The full Hydra command that will be used against the login form is as follows:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 127.0.0.1 -s 8000 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in&Login=Login:Invalid username or password" -V
After a few minutes, Hydra is successful in finding a correct username and password pair. The password found is "spongebob".
Since we have the correct username and password pair, they can be used to log into the Jenkins console.
In our last scenario we have a SquirrelMail login form and from earlier enumeration we know that the username for the user is milesdyson.
We probe the login form for an incorrect login condition string which we see to be "Unknown user or password incorrect". This will be used in our Hydra command.
After using Hydra to to see where our request is being POSTed to and what the request body is, we construct the below Hydra command.
hydra -l milesdyson -P /home/manny/Desktop/Tryhackme/offensive-pathway/advanced-exploitation/skynet/smb/anonymous/passwords.txt 10.10.157.95 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1&Login=Login:Unknown user or password incorrect" -V
After a few moments, Hydra provides us with the password for the milesdyson user which is cyborg007haloterminator.
Now that we have a correct username and password pair, we can log into the SquirrelMail console as shown below.
We have now walked through three scenarios in which we used Hydra to brute force HTTP POST login forms. This is a fairly straight forward tool to use and can also be used to brute force other protocols such as SSH.
I hope I explained how to use this tool clearly and that you feel confident enough to now use this tool in CTF's or in lab environments. If you have any feedback, I would love to hear it as I want to keep improving.