Wednesday, April 4, 2018

Bruteforce (III): attacking a WEB server with HYDRA


- Layout for this exercise:

- Enumerating the victim, the attacker (Kali) checks that port 80 is open on the victim machine:

- Connecting to the DVWA Vulnerability: Brute Force page:

- Configuring a proxy server on the attacker machine:

- Launching Burp:

- Now, clicking Login on the DVWA web page, without entering any username or password:

- Burp intercepts the login attempt:

- There are two important pieces of information:

i) the GET method is used for the login script:

ii) a session ID cookie is generated by the web server:

- Now, launching a Hydra command (including the information intercepted by Burp), the attack succeeds:

- The wordlist used in the attack is provided by Kali; it is composed of 182 lines, including the right password "password":