Monday, April 2, 2018

Cracking HTTP Digest Authentication with Hydra


- Layout for this exercise:

- Creating a list for users:

- Creating a list for passwords, 5 characters with the limited charset of "ab":

- Launching Hydra, and passing as parameters the lists of users and passwords:

- A successful password has been found. Checking the credentials, the web resource is available:

- Note: in this exercise a very simple combination of username:password has been used,  because the purpose was just to illustrate the usage of the attacking tools. However, in real world there are available complex lists of combinations of username:password that can be used for performing dictionary and brute force attacks. The Kali command #locate wordlists provides many available wordlists, for instance into the folder /usr/share/wordlists