Password Brute-Forcing Web Logins

00:00

password, brute forcing web applications

00:04

are learning objectives are to understand the different tools in Cali the brute force web logins.

00:09

Hydro's might go to tool because I think it's really, really fast compared to burp suite.

00:14

Perhaps we can be very very slow and if you have a community edition um it's slow. I mean you can see the output. I think you can see it a whole lot better than you can hydra.

00:24

But if I'm in a hurry

00:27

I want to use hydra. It can be a little tricky to get the syntax down and I'm gonna show you to do that.

00:33

So you'll have to you can grab the the request and the response in Burp suite. So here's the request. You see it's a post request and you see the posted data at the bottom here.

00:47

So I'll grab all that.

00:50

And what you do is if you take a look at this hydro string,

00:54

I know the user's cyber, erI

00:56

I'm using Rock, you

00:58

the iP address of the host

01:00

and it's gonna be an HD team http form post. So it's a post request.

01:06

And then I grabbed that string that I did from. Burp suite and put it in here. But you'll notice for log, I have the carrots between user and the carrots between past upper case and then at the end I have s for success equals location. So when it's a successful log in

01:22

it will have locations somewhere in the response and that's what Hydra is looking for and you can see it worked. I got log in cyber every password Quartey

01:34

So burp suite, like I said, burp suite is slower than hydra but you have a whole lot more visibility in the response length and what it is, you know, is a 200 responses at 30 to redirect.

01:49

So burps. But I think it gives you a whole lot more granular data,

01:53

but if you're using the Community edition and you're forcing 1000 passwords that's going to take you a really long time

01:57

and time is of the essence. No A C. P.

02:01

So here's burp suite, you're gonna grab the request.

02:06

Usually I grab it um in repeater, you send it to intruder clear the positions, then highlight, test, click add

02:17

and then I put my password list in there

02:21

and you start the attack. You can see this is another sniper attack

02:25

And you see Quartey we got a 30 to redirect and the length is different compared to everything else uh in this intruder

02:35

attack.

02:38

Cool. Or Sewell it's great. So if you want to get a more targeted password list, this is the tool for you. If it says something on the website that gives you clues that you know this person likes a certain

02:53

thing, then you can use cool to scrape that web page

02:58

and maybe that's part of the login name.

03:02

Always check for default passwords as well. You can save a whole lot of time

03:07

if you just research with the default password is for that service or that uh content management system or whatever you may find.

03:15

And it could be that easy. So you may not even have to waste your time trying to brute force the login.

03:23

So with that let's go to a demo.

03:28

Alright, so I'm on this web page. I see this person really loves turtles

03:34

and I see these are a few of their favorite turtles. I don't know what this means, but it could be a clue that that might be part of their password.

03:44

So how do I figure out? I see it's a Wordpress site which is great. Right? I go to recent posts. I see there's one that says hello world by user author user.

03:54

So I can enumerate there. There's a user name user

04:00

um in this Wordpress site without even having to use WP scan. So what do I do now? I'm gonna go into log in and we can confirm this manually if there's someone named user. So I can just put anything with user

04:13

and I see error. The password you entered for the user name is incorrect. What if I just type anything

04:20

and see if there's a different response

04:23

says unknown user name. So this is great. It's a very verbose error message. Good for us. Bad for them.

04:30

So what I want to do is I want to use

04:33

Cool because I want to scrape that

04:36

that turtle page

04:40

and see if the password might be in there.

04:45

So I'm going to use. Cool.

04:47

My depth is one. My minimum word length is five. I'm gonna write to something called turtle dot txt

04:55

from the output of this tool. And here's the turtle page and we'll let this run. Let's cat this.

05:03

So we have a whole bunch of different words here.

05:06

We can cat we can see how many

05:09

How long it is. There's 71 words.

05:12

If you want to brute force this with burp suite. This might take a while. So that's why I really like hydra.

05:19

How do I use hydro? So I'll do user here.

05:24

I'll type whatever password I'm gonna go to

05:27

inspect

05:29

network

05:30

log in and I'll see the post request.

05:33

So I'm gonna grab

05:36

the request.

05:39

Their quest pale. Oh I'm gonna grab this whole string here

05:43

and this is what I'm gonna use to help me with my hydro payload.

05:47

So if I get hydra,

05:51

I am going to

05:54

paste oops, paste it

05:59

here.

06:00

You'll see hydro l I know there's a user named user. My password list. Is that custom one from Cool Turtle dot txt the I. P. Address of our Wordpress site. It's a post request. I pasted this whole long string here. You'll notice I put the character the carrots over user in the carrots over password.

06:18

Everything else is the same as

06:23

the request payload here, right? Everything else is the same.

06:27

And I have F for failure. So f we know if we enter user and it says error,

06:33

right? We saw that when we entered user errors right? There is a failure. We'll see error.

06:41

So that's why I have that at the end. So let's give this a try.

06:47

So we do see that the user did in fact make one of his favorite turtles, his password or her password. Let's let's log in and see if it works.

07:02

So we do see in fact that that was the correct password.

07:10

We could do that in burp suite as well.

07:11

So Burp

07:14

community edition.

07:15

Turn intercept on.

07:25

We don't need that. Make sure proxy is

07:28

we can leave proxy on. This should only be one request

07:38

forward

07:39

forward

07:42

user

07:47

test

07:51

log in.

07:54

All right. I'm going to send this to intruder.

07:59

I'm gonna go to positions. I'm gonna clear this all out. I already know what my user is. I'm gonna add password. We're using sniper

08:07

and my payload. I'm just going to load that turtle dot txt file.

08:13

So here it is. Turtle.

08:16

And I'm just gonna let this run

08:18

Like I said, it's a lot more granular. I see 200. I see what the length is.

08:24

I hope the correct password is not the 71st in the list,

08:31

but you can sort by length and status

08:37

and you'll just see how long this takes compared to Hydro, which

08:41

you know that took a few seconds.

08:48

How are we doing here?

08:52

I'm gonna have to pause it because it's taken so long. I'll be right back.

08:58

So luckily I didn't have to wait for all 71. But you see here that this is granular in that I see status is different for this payload with a 30 to redirect

09:11

and a length. Uh that is different than the other

09:15

payloads. So

09:16

from here I can sort and see that

09:20

this is my password.

09:22

So I just want to show you the difference between hydra and Burp suite and and the good and bad of both.

09:28

Again, this is a little tricky to get the syntax right, but when you get it right, you can see it's a whole lot faster than Burp Suite, but Burp Suite you get a whole lot more data to look at.