Hydra – WEB APPLICATION ANALYSIS TOOLS

Overview

  • Brute-force tool for dictionary attacks
  • Supports protocols such as HTTP/HTTPS, SSH, SMTP and more
  • It is multi-threaded
  • Supports GET and POST requests

How to use it

Open Kali Linux 2 and launch Hydra

01.png

For example, to attack a web login form you need to know the field names (control IDs) of the POST form and how the application responds when the username or password is invalid

02.png

Next run the following command:

hydra -L /root/Desktop/Dictionary/users.txt -P /root/Desktop/Dictionary/passwords.txt testsite.com http-post-form "/Login.asp:tfUName=^USER^&tfUPass=^PASS^:Invalid" -t 10 -w 30 -o /root/Desktop/output-attack.txt

002.png

Note: -t sets the number of threads, -w the timeout and -o the file the results are written to. The http-post-form argument is path:POST body:failure string, where ^USER^ and ^PASS^ are replaced with each dictionary entry and the text after the last colon is what the application returns on a failed login

It will try every combination of the users and passwords in the dictionary files

You can also check the output file

03.png
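The other side of the form attack shown above, as an added example that is not part of the original post: a short Python script that parses access log lines in combined format and flags any client that POSTs to the login form more than a threshold number of times inside a sliding time window, which is the footprint a dictionary run with -t 10 leaves on the server. The sample log lines, client addresses and thresholds are constructed for the example; the path /Login.asp is taken from the command above, and the login path, threshold and window are parameters so the same check works for any form.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-format access log line, e.g.
# 203.0.113.7 - - [10/Mar/2016:14:02:01 +0000] "POST /Login.asp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, timestamp, method, path and status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def detect_login_bruteforce(lines, login_path="/Login.asp", threshold=10, window_seconds=60):
    """Flag every client IP that POSTs to login_path at least `threshold` times
    within any `window_seconds`-long window. Returns {ip: {"attempts": n, "peak_in_window": p}}."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].lower() == login_path.lower():
            per_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        # Two-pointer sliding window: widest run of attempts that fits in window_seconds.
        peak, start = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"attempts": len(stamps), "peak_in_window": peak}
    return flagged


def _line(ip, ts, method, path, status):
    """Build one constructed log line for the sample below."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample: 203.0.113.7 fires twelve login POSTs in twelve seconds (a dictionary run),
# 198.51.100.4 loads the page once and logs in twice, several minutes apart (a normal user).
SAMPLE_LOG = [
    _line("203.0.113.7", f"10/Mar/2016:14:02:{sec:02d} +0000", "POST", "/Login.asp", 200)
    for sec in range(1, 13)
] + [
    _line("198.51.100.4", "10/Mar/2016:14:00:00 +0000", "GET", "/Login.asp", 200),
    _line("198.51.100.4", "10/Mar/2016:14:00:10 +0000", "POST", "/Login.asp", 200),
    _line("198.51.100.4", "10/Mar/2016:14:05:30 +0000", "POST", "/Login.asp?retry=1", 302),
    "this line is not a valid log entry and is skipped",
]

if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} login POSTs, {info['peak_in_window']} within one window")
```

Run against a real log, the threshold should sit well above what a human produces in the window (a user who mistypes a password three times is not ten attempts in a minute), and the same counter fed from the application's own failed-login events is more reliable than HTTP status codes, since a form that answers "Invalid" still returns 200.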

For more examples, check the following URLs:

https://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004)

http://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html

http://blog.pusheax.com/2014/01/dictionary-and-brute-force-attack-using.html
