Attacking basic authentication with THC Hydra

THC Hydra is a long-time favorite online password cracking tool among hackers and penetration testers.

Online cracking means that login attempts to the service are actually made. This may generate a lot of traffic and raise alerts on the server when security and monitoring tools are in place. For this reason, you should be especially careful when attempting an online brute force or dictionary attack over an application or server, and tune the parameters so that you have the best possible speed without overwhelming the server, raising alerts, or locking out user accounts.

A good approach for conducting online attacks when there is monitoring in place, or an account lockout after a certain number of failed attempts, is to start with three or four passwords per user, and in any case fewer than the lockout threshold. Take the most obvious or common passwords (for example, password, admin, or 12345678), and if no results are obtained, go back to the reconnaissance stage to get a better set of passwords and try again after several minutes or a couple of hours, once the failed-attempt counters have been reset.

THC Hydra has the ability to connect to a wide range of services, such as FTP, SSH, Telnet, and RDP. We will use it to do a dictionary attack on an HTTP server that uses basic authentication.

First, you need to know the URL that actually processes the login credentials. Start your Kali machine, open Burp Suite, and configure the browser to use it as a proxy. You will use the vulnerable virtual machine and the WebGoat application. When you try to access WebGoat, you get a dialog asking for login information. If you submit any random name and password, you get the same dialog again.

Even though the attempt was unsuccessful, the request is already recorded in Burp's proxy history. Look for the request that carries the Authorization: Basic header. Note that basic authentication sends the credentials in every request as base64(username:password), so they are encoded, not encrypted, and anyone who can see the traffic can recover them.

Now you know that the URL processing the login is http://10.7.7.5/WebGoat/attack. This is enough information to run Hydra, but first you need a list of possible usernames and another one of passwords. In a real-world scenario, the probable usernames and passwords will depend on the organization, the application, and the knowledge you have about its users. For this test, you can use the following list of probable usernames for an application called WebGoat that has been designated as a target for security testing:

admin 
webgoat 
administrator 
user 
test 
testuser 

As for passwords, you can try some of the most common ones and add variations of the application's name:

123456 
password 
Password1 
admin 
webgoat 
WebGoat 
qwerty 
123123 
12345678 
owasp 

Save the list of usernames as users.txt and the list of passwords as passwords.txt. First, run hydra without any parameters to look at the help and execution information.

You can see that it takes the -L option to supply a file of usernames, -P to supply a file of passwords, and the target in the form protocol://server:port/optional. For basic authentication over GET, the protocol is http-get and the optional part is the path that demands the credentials. Run the following command:

hydra -L users.txt -P passwords.txt http-get://10.7.7.5:8080/WebGoat/attack  

You'll find that the combination of the webgoat user and the webgoat password is accepted by the server.

Two further options are useful here. The first is -e, which takes one or more of the modifiers n, s, and r and adds extra guesses derived from each login: an empty password (n), the username itself as the password (s), and the username reversed as the password (r); for example, -e nsr tries all three. The second is -u, which loops over users first: Hydra tries a single password against every user before moving on to the next password, instead of exhausting the whole password list against one user. Spreading the attempts across accounts in this way keeps each account's failure count low for longer, and combined with a small password list per run it can keep you below the threshold of a lockout mechanism.