How it works...

Unlike other authentication methods, such as the form-based one, basic authentication is standard in what it sends to the server, how it sends it, and the response it expects from it. This saves attackers and penetration testers precious analysis time: there is no need to work out which parameters carry the username and password, how they are processed and sent, or how to distinguish a successful response from an unsuccessful one. This is one of the many reasons why basic authentication is not considered a secure mechanism.
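The standardized exchange described above can be shown in a few lines. The following is an added example, not code from the book or from Hydra: it builds and parses the `Authorization` header exactly as RFC 7617 defines it (the username and password joined by a colon and base64-encoded, which any observer can reverse), and checks for the `401` plus `WWW-Authenticate: Basic` challenge that marks a failed attempt. The credential values and the header dictionary are constructed inputs.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple


def build_basic_authorization(username: str, password: str) -> str:
    """Return the Authorization header value a client sends for HTTP Basic auth.

    RFC 7617: base64("user-id:password"). Base64 is encoding, not encryption,
    so the credentials are readable by anyone who sees the request.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from an Authorization header, or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The user-id may not contain ':', so the first ':' separates the two fields;
    # an empty password (Hydra's -e n) is therefore still well-formed.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def is_basic_auth_challenge(status_code: int, headers: Dict[str, str]) -> bool:
    """True when the response is the standard 'try again' answer: 401 with a Basic challenge.

    Because this is fixed by the RFC, an attacker needs no per-site analysis to
    tell a failed attempt from a successful one.
    """
    if status_code != 401:
        return False
    challenge = {k.lower(): v for k, v in headers.items()}.get("www-authenticate", "")
    return challenge.strip().lower().startswith("basic")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    hdr = build_basic_authorization("admin", "admin")   # the username-as-password case
    print(hdr)
    print(parse_basic_authorization(hdr))
    print(is_basic_auth_challenge(401, {"WWW-Authenticate": 'Basic realm="Restricted"'}))
```

The two Hydra `-e` variants map onto this directly: `-e n` sends `admin:` (empty password) and `-e s` sends `admin:admin`; both round-trip through the parser above.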

When calling Hydra, we used some parameters:

  • -L user_list.txt tells Hydra to take the usernames from the user_list.txt file.
  • -P top25_passwords.txt tells Hydra to take the prospective passwords from the top25_passwords.txt file.
  • -u tells Hydra to iterate usernames first, instead of passwords. This means that Hydra will try all usernames with a single password first and then move on to the next password. This is sometimes useful to prevent account blocking.
  • -e ns tells Hydra to try an empty password (n) and the username as password (s) as well as the list provided.
  • http-get indicates that Hydra will be executed against HTTP basic authentication using GET requests.
  • The service is followed by :// and the target server (192.168.56.11). After the next /, we put the server's options, in this case the URL where the authentication is requested. The port is not specified and Hydra will try the default one, TCP 80.
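From the server side, the options above leave a recognisable trace: one client hits one protected URL with a burst of 401 responses, and with -u the same few usernames recur in a tight loop, one password at a time. The following detector is an added example, not part of the book or of Hydra. It reads Apache/nginx "combined" log lines, in which the third field holds the username sent in the Authorization header (Apache fills it in even when the answer was 401), and flags any (client, path) pair that collects more than a threshold of 401s inside a sliding window, reporting the usernames tried. The log lines, the client addresses (192.168.56.1 and 192.168.56.20) and the user-agent string are constructed sample data; the target address 192.168.56.11 is the one from the recipe.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_basic_auth_bruteforce(lines, window_seconds=60, threshold=10):
    """Return {(ip, path): {"failures": n, "usernames": [...]}} for clients that produced
    at least `threshold` 401 responses to one path within any `window_seconds` span."""
    recent = defaultdict(deque)   # (ip, path) -> deque of (timestamp, username) for 401s
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 401:
            continue
        key = (rec["ip"], rec["path"])
        q = recent[key]
        q.append((rec["ts"], rec["user"]))
        # Drop failures that fell out of the window relative to the newest one.
        while q and (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            findings[key] = {
                "failures": len(q),
                "usernames": sorted({u for _, u in q}),
            }
    return findings


def constructed_sample_log():
    """Constructed log lines for a server at 192.168.56.11 (the recipe's target)."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    fmt = lambda i: (base + timedelta(seconds=i)).strftime(TS_FMT)
    names = ["admin", "root", "user", "test"]
    lines = []
    # Username-first iteration (-u): every username is tried with one password
    # before the next password, so the same names cycle once per second.
    for i in range(12):
        lines.append(f'192.168.56.1 - {names[i % 4]} [{fmt(i)}] "GET /admin/ HTTP/1.1" 401 381 '
                     f'"-" "ConstructedScanner/1.0"')
    # A legitimate user: one unauthenticated request gets the challenge, the retry succeeds.
    lines.append(f'192.168.56.20 - - [{fmt(20)}] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"')
    lines.append(f'192.168.56.20 - alice [{fmt(21)}] "GET /admin/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for key, info in detect_basic_auth_bruteforce(constructed_sample_log()).items():
        print(key, info)
```

The username list in each finding is the useful part for triage: a burst in which several accounts share the same failure timestamps is the -u pattern, and the empty-password and username-as-password attempts from -e ns show up as ordinary 401s under the same names. Lowering the threshold catches slower runs at the cost of occasionally flagging a user who mistypes a password a few times.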