CRACKING HTTP DIGEST AUTHENTICATION WITH HYDRA
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-ibbxLPUJlclJESnBwTMU0z56OgdZifBFl7RXwX8qOnkcePiY7yiXPiiON3lZdPlbUzqXplPC2EADL2phNxw2sloPhVrOV2Etm35iXBDdNHnxrsq87Wr99ffIlu-Zn1Bw3YShsUPh_EpT/s1600/layout.jpg)
- Creating a list for users:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_SNHKpz3lIb4JyVzNNa87HBxEgYtqefMsMXGwvR6vB1IUOt8SAgzLZVedjVnVpaC9ysDUTbBRYXMfDzZxY67IVcmhtFYBNKrAKHFZtlM7FIDPH1Rxk8Ay0_RhWbv_XHiZhUFPm_1QvjlU/s400/screenshot.10.jpg)
- Creating a list for passwords, 5 characters with the limited charset of "ab":
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNciymdkcbKrhgqV6OAkNlUPRvIj2GH_V2Qdp5NLYU1wNOM7yc51EoCW960i65dZo9qQyglEJx3A1PDSTZFNB0M6RFkGh4L5KsPzNeZUiTuoqxt56q5CIlA-kEU1L2i3mOVoOU2kup910a/s1600/screenshot.12.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgK1sKDWtlrtClp17Eqw7evt1rguXw9M6QVOVwvMPtKlaBca4FdDvrSoCm24erHyLreQtjrtqL07G1gZ8hHA162pIOWhJ5CiCfAsqZzg8Z1Xl_-59NYeVZj6k7dy2tNvrHEGW9dRlFqsSXH/s1600/screenshot.11.jpg)
- Launching Hydra, and passing as parameters the lists of users and passwords:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL6kuUjMw8Bf9XllZxGQlBMSKZTSU01ep767X2Pf67oPXADjfr3ozhbbm_hZTf_5Jk3rx_ulGNfn6drNaLp-mO0iAN5h2JEKtU__pTPQyHu8cQpq4Yd9GWHpcKHZW6cyFaZoHggHEwrZ9H/s1600/screenshot.1.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgevKXPU4veAKWVp2K215YaSI-5iuWQQFy-SWIDla_NWccruvua_zfQSo6D_dy_KM-BCY6i7heRMPpOdTkrcqAtSd8-BJkmuyWBRcSay7S4ta3JoVzeAEwJkgE5-NCJ0EnEUQrzTIS3yMKa/s1600/screenshot.2.jpg)
- Hydra has found a valid password. Checking the credentials, the web resource is available:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4sQRWR_LmEl8IIZKFQQGU1M7_-N6wbNJWqccyKgxB9enrbMcCCevBS3CuLkPbWNVTjUyKhch4bd3Au4YskriSwG_maYFz6J_ZcJPbstR5koY76CEzcAvSNDNpx3D9TWvv5j1Xr61Fj1uB/s640/screenshot.13.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNKrl5I94-q8e3xUPhzbSHqqs5NJ6iBmCrha1VsVV9A7Qxuc6NRsp4bi-TY6A9NUa2Vrm4rzfwAZc83nmJjiHsrwglZR1u7H20VB1NvpYXQruCy2rz8z3MvlkMG5JmtCPfhiJb3g1UVBNz/s1600/screenshot.14.jpg)
- Note: this exercise uses a very simple username:password combination, because the purpose is just to illustrate the usage of the attacking tools. In the real world, however, complex lists of username:password combinations are available for performing dictionary and brute-force attacks. The Kali command "locate wordlists" shows many available wordlists, for instance in the folder /usr/share/wordlists
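
On the server side, a run like the one above shows up as a burst of 401 responses that carry a user name, all from one client. The following Python code is an added example, not part of the original post, that flags such bursts in access-log lines. The log lines, the /digest/ path, the addresses, the threshold and the window are constructed assumptions, as is the server recording the supplied user name on rejected attempts (Apache's common log format can do this).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) ')


def _line(ip, user, sec, status):
    # Builds one constructed log line in Apache common log format.
    return (f'{ip} - {user} [10/Mar/2024:10:00:{sec:02d} +0000] '
            f'"GET /digest/ HTTP/1.1" {status} 381')


# Constructed sample (not from the original page): 192.0.2.10 cycles through
# guesses, 192.0.2.20 is a user who mistypes once and then logs in.
SAMPLE = [
    _line("192.0.2.10", "-", 0, 401),
    *[_line("192.0.2.10", u, s, 401) for s, u in
      enumerate(["admin", "admin", "root", "root", "admin", "root"], start=1)],
    _line("192.0.2.20", "-", 5, 401),
    _line("192.0.2.20", "alice", 6, 401),
    _line("192.0.2.20", "alice", 9, 200),
]


def detect_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each source with >= threshold rejected logins inside window
    to the sorted user names it tried."""
    recent = defaultdict(deque)   # ip -> timestamps of recent rejections
    tried = defaultdict(set)      # ip -> user names seen on rejections
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, user, ts, status = m.groups()
        # A 401 with user "-" is only the digest challenge; a 401 that
        # carries a user name is a rejected credential.
        if status != "401" or user == "-":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        recent[ip].append(when)
        tried[ip].add(user)
        while when - recent[ip][0] > window:
            recent[ip].popleft()
        if len(recent[ip]) >= threshold:
            flagged[ip] = sorted(tried[ip])
    return flagged


if __name__ == "__main__":
    for ip, users in detect_guessing(SAMPLE).items():
        print(f"{ip}: repeated rejected logins for {users}")
```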