Wednesday, April 4, 2018

Bruteforce (III): attacking a WEB server with HYDRA

- Layout for this exercise:

- Enumerating the victim, the attacker Kali checks that port 80 is open at the victim machine:

- Connecting to the DVWA Vulnerability: Brute Force page:

- Configuring a proxy server at the attacker machine:

- Launching Burp:

- Now, clicking Login at the DVWA web page, even without entering any username or password:

- Burp intercepts the connection attempt:

- There are two important pieces of information:

i) the GET method is used for the login script:

ii) a session ID cookie is generated by the web server:

- Now, launching a Hydra command (including the information intercepted by Burp), the attack is successful:

- The wordlist used in the attack is provided by Kali, and it is composed of 182 lines, including the right password "password":
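From the defender's side, the attack described in this post leaves a very visible trace: because the DVWA login script uses GET, every guessed username and password lands in the web server's access log as a query string, and a dictionary run produces a burst of requests from one client to one path with a different password each time. The following detector is an added example for this post, not code from the original, and not part of DVWA, Hydra or Kali. It assumes a standard "combined" access log format and the DVWA brute-force page path used in the post; the log lines in it are constructed for the example.

```python
"""Detect a GET-based login brute force in web server access logs.

Added example for this post (not the author's own code). Assumes the
DVWA-style login form from the post: the credentials travel as GET
parameters ("username", "password") and every attempt is logged as a
separate request. The log lines below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client hammers the DVWA brute-force page with
# different passwords within a few seconds; a second client logs in normally.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Apr/2018:10:15:01 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=123456&Login=Login HTTP/1.1" 200 4242
10.0.0.5 - - [04/Apr/2018:10:15:01 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=letmein&Login=Login HTTP/1.1" 200 4242
10.0.0.5 - - [04/Apr/2018:10:15:02 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=qwerty&Login=Login HTTP/1.1" 200 4242
10.0.0.5 - - [04/Apr/2018:10:15:02 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=monkey&Login=Login HTTP/1.1" 200 4242
10.0.0.5 - - [04/Apr/2018:10:15:03 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 4530
10.0.0.9 - - [04/Apr/2018:10:15:10 +0000] "GET /dvwa/vulnerabilities/brute/?username=gordonb&password=abc123&Login=Login HTTP/1.1" 200 4530
10.0.0.9 - - [04/Apr/2018:10:16:00 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1200
"""


def parse_line(line):
    """Return (ip, timestamp, path, query) for a credential submission, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query)
    if "password" not in query:
        return None  # an ordinary request, not a login attempt
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, parts.path, query


def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag (ip, path, username) triples that submit >= threshold distinct
    passwords inside a sliding time window. Returns one finding dict per
    flagged source, sorted by IP."""
    attempts = defaultdict(list)  # (ip, path, username) -> [(ts, password)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, query = parsed
        user = query.get("username", [""])[0]
        attempts[(ip, path, user)].append((ts, query["password"][0]))

    findings = []
    for (ip, path, user), events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # All attempts from this start point that fall within the window.
            in_window = [pw for ts, pw in events[i:] if ts - start <= window]
            distinct = set(in_window)
            if len(distinct) >= threshold:
                findings.append({"ip": ip, "path": path, "username": user,
                                 "attempts": len(in_window),
                                 "distinct_passwords": len(distinct)})
                break  # one finding per source is enough
    return sorted(findings, key=lambda f: f["ip"])


if __name__ == "__main__":
    for f in find_bruteforce(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['path']}: {f['attempts']} attempts, "
              f"{f['distinct_passwords']} distinct passwords for '{f['username']}'")
```

The threshold and window are deliberately low here so the five-line sample trips the detector; in production they should be tuned to the site's normal failed-login rate. Two other signals worth adding to such an alert: the response size of the last request in the run (a body that differs from the identical-size failures before it usually marks the successful guess), and the absence of any lockout or rate limiting on the login path, which is the root cause this DVWA level exists to demonstrate.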