THC Hydra is a long-time favorite online password cracking tool among hackers and penetration testers.
Online cracking means that login attempts against the service are actually made. This may generate a lot of traffic and raise alerts on the server when security and monitoring tools are in place. For this reason, you should be especially careful when attempting an online brute-force or dictionary attack against an application or server, and tune the parameters so that you get the best possible speed without overwhelming the server, raising alerts, or locking out user accounts.
THC Hydra has the ability to connect to a wide range of services, such as FTP, SSH, Telnet, and RDP. We will use it to do a dictionary attack on an HTTP server that uses basic authentication.
First, you need to know the URL that actually processes the login credentials. Start your Kali machine, open Burp Suite, and configure the browser to use it as a proxy. You will use the vulnerable virtual machine and the WebGoat application. When you try to access WebGoat, you get a dialog asking for login information. If you submit any random name and password, you get the same dialog again.
Even though the attempt was not successful, the request has already been recorded in Burp's proxy history. Look for the request that carries the Authorization: Basic header.
Now you know that the URL processing the login is http://10.7.7.5/WebGoat/attack. This is enough information to run Hydra, but first you need a list of possible usernames and another one of passwords. In a real-world scenario, the possible usernames and passwords will depend on the organization, the application, and the knowledge you have about its users. For this test, you can use the following list of probable users for an application called WebGoat that has been designated as a target for security testing:
admin
webgoat
administrator
user
test
testuser
As for passwords, you can try some of the most common ones and add variations of the application's name:
123456
password
Password1
admin
webgoat
WebGoat
qwerty
123123
12345678
owasp
Save the list of usernames as users.txt and the list of passwords as passwords.txt. First, run hydra without any parameters to see its help and usage information:
You can see that it requires the -L option to specify a user list file, -P to specify a password list file, and the target expressed as protocol, server, port, and optional information in this form: protocol://server:port/optional. Run the following command:
hydra -L users.txt -P passwords.txt http-get://10.7.7.5:8080/WebGoat/attack
You'll find that the combination of the webgoat user and the webgoat password is accepted by the server.
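The monitoring side of what the first paragraph warns about, as an added example that is not from the book: a small Python detector that reads web-server access-log lines in the combined format (the sample lines below are constructed, not real logs) and flags a client that accumulates many 401 responses against one path inside a short window, listing the user names it cycled through. It assumes the server logs the user name from the Basic header, as Apache's %u does even for rejected attempts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/nginx); the third field is the user name from the
# client's Basic header, which Apache's %u records even when the answer was 401.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one stray 401, then a burst from 10.7.7.100 cycling through
# the user list from this section (two rounds), ending in a 200 once a pair works.
USERS = ["admin", "webgoat", "administrator", "user", "test", "testuser"]
SAMPLE_LOG = (
    ['10.7.7.5 - - [10/Mar/2024:10:00:00 +0000] "GET /WebGoat/attack HTTP/1.1" 401 381 "-" "Mozilla/5.0"']
    + [f'10.7.7.100 - {u} [10/Mar/2024:10:00:{i:02d} +0000] "GET /WebGoat/attack HTTP/1.1" 401 381 "-" "Mozilla/5.0"'
       for i, u in enumerate(USERS * 2)]
    + ['10.7.7.100 - webgoat [10/Mar/2024:10:00:13 +0000] "GET /WebGoat/attack HTTP/1.1" 200 1532 "-" "Mozilla/5.0"']
)

def parse_line(line):
    # Returns a dict for one combined-format line, or None if it does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag (client_ip, path) pairs with >= threshold 401s inside any window;
    report total failures, the peak count in one window and the users tried."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401:
            failures[(rec["ip"], rec["path"])].append(rec)
    hits = {}
    for key, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        peak, start = 0, 0
        for end in range(len(recs)):  # sliding window over sorted timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[key] = {"failures": len(recs), "peak_in_window": peak,
                         "users_tried": {r["user"] for r in recs}}
    return hits
```

The single 401 from 10.7.7.5 stays below the threshold, while 10.7.7.100 is reported with twelve failures in one minute and all six user names from the list; the trailing 200 is the signal that a pair was accepted, which is worth its own alert.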