Tools like BruteX, Gobuster, Dirsearch, Callow, and Hydra are used to perform these actions without putting in much manual effort.
OWASPBWA
(Vulnerable Machine Link and setup video in the bonus resources)
1. Cluster Bomb Brute Force
Navigate to: OWASP Bricks → Bricks → Login Pages
When we input a wrong username & password it returns the “Wrong user name or password.” string. Now turn on intercept, type a random username & password, and send that request to Intruder. Under the attack type, choose Cluster Bomb, since we have two payload positions (username and password) and want to try every combination of the two lists.
For the username list: /usr/share/wordlists/metasploit/http_default_users.txt
For the password list: /usr/share/wordlists/metasploit/http_default_pass.txt
If we start the attack, the Length column is different for almost every response, so how can we determine the correct username & password? What we can do is filter the responses down to the ones that don’t contain this error message. Navigate to: Intruder → Options → Grep - Match, clear the list, enter the expression “Wrong user name or password.”, and then run the attack. Except for ‘admin: admin’ everything else got flagged, so that is probably the correct username & password. Let’s give it a try. Hoorah !!! I logged in as an admin.
2. Hydra bWAPP Form Brute Force
Now we will use a more advanced tool called “Hydra”, which is built specifically for brute forcing. Navigate to: bWAPP
Meaning of the different parameters in the above command:
- 192.168.29.74 → IP address of the target
- http-post-form → the type of brute force we want to perform, based on how the webpage processes the credentials. From the diagram below we can see that it was a POST request (use http-get-form if they are processed with a GET request).
- The quoted “ ” argument → 3 different parts
- -L param → the file containing usernames
- -P param → the file containing passwords
Within a few seconds it’s done. The valid credentials are Login: bee, Password: bug.
3. Hydra POST Request Form Brute Force
This time we will go with the DVWA page.
4. Hydra SSH Attack
• Hydra is not just useful for brute-forcing webpages.
• It can also be used to brute-force other services such as SSH, FTP, etc.
Example: Let’s first scan for open ports using Nmap with the -F parameter (which scans the most common ports). Then let’s target the SSH port with a Hydra brute-force attack. Since we were getting a “Warning”, we reduced the number of parallel tasks to 4 (by default it is 16). Now that we have the credentials, let’s try to SSH into the machine.
Problem
ssh root@192.168.29.74 was not working and gave the following output.
Solution
ssh done !!!
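Whether the credentials are guessed with Burp Intruder in section 1 or with Hydra against the login forms and SSH in sections 2 to 4, the target sees the same thing: a burst of login attempts from one source in a short window. As an added example, not code from the original post, the Python below parses constructed Apache access-log and sshd auth-log lines and flags (source IP, service) pairs that exceed a threshold of attempts inside a sliding window; the log formats, IPs, year and thresholds are assumptions chosen for the sample, not values taken from the lab.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Two log formats the attacks above leave behind on the target: a POST to the
# login page in an Apache access log, and a failed password attempt logged by sshd.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST (?P<path>\S*login\S*) ')
SSHD_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for '
                     r'(?:invalid user )?\S+ from (?P<ip>\S+)')

def parse_event(line, year=2022):
    """Return (source_ip, timestamp, service) for a login-attempt line, else None."""
    m = ACCESS_RE.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        return m.group("ip"), ts.replace(tzinfo=None), "http-form"
    m = SSHD_RE.match(line)
    if m:  # syslog lines carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        return m.group("ip"), ts, "ssh"
    return None

def find_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Map (ip, service) -> peak attempts inside any `window` for pairs that hit `threshold`."""
    attempts = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        if event:
            ip, ts, service = event
            attempts[(ip, service)].append(ts)
    flagged = {}
    for key, stamps in attempts.items():
        recent = deque()  # sliding window of timestamps no older than `window`
        for ts in sorted(stamps):
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged[key] = max(flagged.get(key, 0), len(recent))
    return flagged

# Constructed sample log lines (not captured from the lab): 10.0.0.5 hammers the
# bWAPP login form and then sshd; 10.0.0.9 is a single legitimate login.
SAMPLE = ([f'10.0.0.5 - - [12/Mar/2022:10:00:{i:02d} +0000] "POST /bwapp/login.php HTTP/1.1" 200 2310'
           for i in range(15)]
          + ['10.0.0.9 - - [12/Mar/2022:10:00:05 +0000] "POST /bwapp/login.php HTTP/1.1" 302 0',
             '10.0.0.9 - - [12/Mar/2022:10:00:06 +0000] "GET /bwapp/portal.php HTTP/1.1" 200 5120']
          + [f'Mar 12 10:05:{i:02d} owaspbwa sshd[2211]: Failed password for root from 10.0.0.5 port 4{i:04d} ssh2'
             for i in range(12)])
```

Calling find_bursts(SAMPLE) flags 10.0.0.5 on both the login form and SSH, while the single successful login from 10.0.0.9 stays below the threshold; tune `threshold` and `window` to the login rate the site actually expects.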
Resources
- 30+ Standard Linux Commands for Beginner or Intermediate Users
- Bug Bounty Hunting With Burp Suite (Intercept, Repeater & Intruder)
- Broken Access Control (Tryhackme and Owaspbwa)
- Html Injection (Tryhackme & Owaspbwa)
- Command Injection (Tryhackme & Owaspbwa)
- Website Enumeration and Information Gathering [Part 1]

This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.

© 2022 Ashutosh Singh Patel