Thursday, August 4, 2011

Using Fireforce to brute-force web login forms

This will give you an idea on how to brute force http forms with THC-Hydra This is a continuation from How to brute force your router so if you havn\'t read it check it out !!! Watch the video for a live example.
IMPORTANT: This is for educational purposes only, dont go around attacking sites, thats how you get into trouble

In this example I will be brute forcing an admin account on this site which has been setup just for this (the user has already been deleted).
The url I will be using in this example is which is the path to the Joomla admin login page.
Video best viewed in full screen mode (icon between timer and volume)

A couple of things that need to be identified:
  • Postback page
  • Post Parameters
  • Failed attempt unique text

Post back page
This is normally the same page as the login but not always so. So just view the source code of the page and find the form with a method="post". The action value is the page which the values will be "posted" to.

This is the section from the administrator login page for Joomla:
As you can see the page to post to is "index.php"

Post Parameters

These can be found by viewing the source code of the login page. All tags within the form will be posted.

The post name will be the "name" attribute of the tag. The value will be the "value" attribute if it has one defined.

Alternativly you can use firefox with the Tamper Data extension which works great.

Failed attempt unique text

This is text that is found on the webpage when a login attempt fails. This text must be exclusive to a failed login attempt.

Putting it all together:

The site:

The post back page:


The postback values are:

usrname=(user input)

pass=(user input)


which have been extracted from the page source:

Now if we try to login into the admin page we get a javascript popup which says "Incorrect Username, Password ......"

"Incorrect Username" sounds like text that would not show up, had it been a successful login so we will use this.

Let's combine it all into hydra:

hydra -l {username} -P {password list path} -s {port} -f {Site Address} http-post-form

"{Path to postback page}:{USERNAME_NAME}=^USER^&{PASSWORD_NAME}=^PASS^:{failed login text}"

My command looks like:

hydra -l hydra -P password.lst -s 80 -f http-post-form "/administrator/index.php:usrname=^USER^&pass=^PASS^&submit=Login:Incorrect Username"

Command break down:

hydra --> The hydra program
-l --> (lower case "L" not to be confused with a upper case i) single username to target. Use uppercase -L to specify a username list) i have setup the "hydra" account for this demo and has already been deleted
-P --> Provide path to password lis. -p to try a single password ie "passw0rd"
-s --> Port to target default port for http is 80
-f --> Exits the program after the first match is made
{Site Address} I.E Do not include http://
http-post-form --> service to brute force. Hydra README has the command as http-form-post       using that will give you an error
{Path to postback page} everything after the site address must start with "/"
{USERNAME_NAME} --> the name of the username postback variable
^USER^ --> this will be replaced with the username specified by -l or -L username list
^PASS^ --> this will be replaced with the password from the defined list
{Failed login text} --> text that will only be found in a failed login
note* ensure quotes are from after http-post-form " TO END OF COMMAND

You will get an output line with username and password if you are successful.
Watch the video for a live example.
This attack is only as good as your dictionary .
Next how to brute force web forms, make sure to come back and check it out!!

IMPORTANT: This is for educational purposes only, dont go around attacking sites, thats how you get into trouble

No comments:

Post a Comment