DVWA Tutorial #2 - Brute Force Attack & Kali on windows
So the first attack I wanted to try was the brute force method. I’m sure everyone knows what a brute force attack is. For those that don’t here is a quick definition from Wikipedia:
In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.
Brute Force
The DVWA Brute Force page looks like this:
Our goal for today is to try out a brute force method using Hydra on Kali Linux.
Now in my last blog, I failed to realise that you needed Kali Linux to do most of the attacks I planned to do. Thankfully, there is a thing called Windows Subsystem for Linux (WSL) in Windows 10, so all I had to do was run a few simple commands found here, and then Kali was installed.
The next step was to install Hydra on Kali Linux. This was done by running
sudo apt-get install hydra-gtk
in the Kali Linux terminal (hydra-gtk is the GTK front-end; it pulls in the hydra command-line tool as a dependency), after which Hydra is installed.
Typing hydra -h then resulted in this:
Now to use Hydra, we need a couple of things, namely:
Target server. In my case, it is localhost.
URL path. This is the relative path to the vulnerable form.
Username. -l [username]. We know this to be admin, although we can try
Password dictionary. -P [wordlist_file]. This is the list of passwords (called a wordlist) that Hydra will try. Apparently Kali has wordlists stored in /usr/share/wordlists/, but for me this was not the case; instead I found some here. A good wordlist to use is rockyou.txt.
Cookies. This is how the web application authenticates a valid session. We can find which cookies are used by opening the browser's web console (F12 in Chrome) and entering document.cookie:
Failure message. This tells Hydra how to recognise a failed login attempt. We can check by putting a wrong username and password into the DVWA form, which gets us "Username and/or password incorrect".
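The same properties that make the form easy to attack (one request per guess, a 200 response with the failure message in the body either way) also make the attack visible in the web server's access log. The following is an added example, not part of the original post or of DVWA, that flags any source IP sending more than a threshold of login-form requests inside a sliding time window; the log lines, the /login-form path and the query parameters are all constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format. The status code is captured but not used as the
# failure signal: the vulnerable form answers 200 with "Username and/or password
# incorrect" in the body, so only the request rate per source IP gives it away.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

def parse_line(line):
    """Return (ip, timestamp, path) for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")

def find_bursts(lines, login_path, threshold=10, window=timedelta(seconds=60)):
    """Map each source IP to the largest number of requests for `login_path` it made
    inside any window of length `window`; IPs below `threshold` are left out."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2].split("?", 1)[0] == login_path:  # ignore query string
            hits[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):       # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample log: /login-form stands in for the vulnerable form's path and
# each query string carries one guessed credential, as a wordlist attack would.
def _entry(ip, second, path):
    ts = (datetime(2021, 3, 12, 10, 0, 0) + timedelta(seconds=second)).strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 1410 "-" "Mozilla/5.0"'

SAMPLE_LOG = (
    [_entry("10.0.0.5", i, f"/login-form?username=admin&password=guess{i}&Login=Login") for i in range(12)]
    + [_entry("192.168.1.20", 5, "/login-form?username=alice&password=wrong&Login=Login"),
       _entry("192.168.1.20", 400, "/login-form?username=alice&password=right&Login=Login"),
       _entry("10.0.0.5", 3, "/index.php")]
)

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG, "/login-form"))  # {'10.0.0.5': 12}
```

The two spaced-out attempts from 192.168.1.20 (a user mistyping once) stay under the threshold, while the twelve guesses in twelve seconds from 10.0.0.5 are flagged; the same counter, kept server-side per account, is what a lockout or rate limit on the form would act on.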