
Monday, April 2, 2018

Cracking HTTP Digest Authentication with Hydra



- Layout for this exercise:




- Creating a list for users:




- Creating a list for passwords, 5 characters with the limited charset of "ab":







- Launching Hydra, and passing as parameters the lists of users and passwords:






- A successful password has been found. Checking the credentials, the web resource is available:









- Note: this exercise uses a very simple username:password combination, because the purpose was just to illustrate the usage of the attacking tools. In the real world, however, large and complex lists of username:password combinations are available for dictionary and brute force attacks. On Kali, the command # locate wordlists lists many of the available wordlists, for instance in the folder /usr/share/wordlists
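
From the defender's side, a dictionary run like the one in this exercise shows up in the web server's access log as a burst of rejected logins from a single client. The following is an added example, not part of the original post: it assumes Apache-style common log format, where the third field carries the supplied username even on a rejected attempt, and the IP addresses, the username "admin" and the path /private/ are constructed sample values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# client ip, ident, auth user, [timestamp], "request", status, size
LINE = re.compile(r'(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) \S+')

def failed_auth_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {client_ip: usernames tried} for every client that had at least
    `threshold` rejected credential attempts inside one sliding time window."""
    recent = defaultdict(deque)   # ip -> timestamps of rejected attempts in window
    users = defaultdict(set)      # ip -> usernames seen on rejected attempts
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, user, ts, status = m.groups()
        # A 401 with user "-" is only the server's Digest challenge, not a guess.
        if status != "401" or user == "-":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        users[ip].add(user)
        if len(q) >= threshold:
            flagged[ip] = users[ip]
    return flagged

def constructed_sample():
    """Constructed log lines: one client with 32 rejected attempts (the size of
    a 5-character "ab" password list) and one ordinary login from another client."""
    fmt = ('{ip} - {user} [02/Apr/2018:10:00:{s:02d} +0000] '
           '"GET /private/ HTTP/1.1" {code} 381')
    lines = [fmt.format(ip="192.0.2.10", user="admin", s=i // 4, code=401)
             for i in range(2 ** 5)]
    lines.append(fmt.format(ip="192.0.2.20", user="-", s=30, code=401))  # challenge
    lines.append(fmt.format(ip="192.0.2.20", user="alice", s=31, code=200))
    return lines

if __name__ == "__main__":
    for ip, names in failed_auth_bursts(constructed_sample()).items():
        print(f"possible brute force from {ip}, usernames tried: {sorted(names)}")
```

The threshold and window are starting points to tune against normal traffic; the same counts can feed a rate limit or a temporary block on the client address.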