
sillychicken.co.nz

http://www.sillychicken.co.nz/2011/05/how-to-brute-force-http-forms-in-windows/

How to brute force http forms in windows


This will give you an idea of how to brute force HTTP forms with THC-Hydra. This is a continuation from How to brute force your router, so if you haven't read it, check it out! Watch the video for a live example. The video is best viewed in full screen mode.

IMPORTANT: This is for educational purposes only. Don't go around attacking sites; that's how you get into trouble.

In this example I will be brute forcing an admin account on this site, which has been set up just for this (the user has already been deleted). The URL I will be using in this example is http://www.sillychicken.co.nz/administrator/ which was the path to the Joomla admin login page.

Background:

A couple of things need to be identified:

Postback page
Post parameters
Failed attempt unique text

Postback page

This is normally the same page as the login page, but not always. View the source code of the page and find the form with method=post. The action value is the page to which the values will be posted. This is the section from the administrator login page for Joomla:

As you can see, the page to post to is index.php

Post parameters

These can be found by viewing the source code of the login page. All tags within the form will be posted. The post name will be the name attribute of the tag. The value will be the value attribute, if it has one defined. Alternatively, you can use Firefox with the Tamper Data extension, which works great.

Failed attempt unique text

This is text that is found on the web page when a login attempt fails. This text must be exclusive to a failed login attempt.

Putting it all together:

The site: www.sillychicken.co.nz/administrator/
The postback page: index.php
The postback values are:

usrname=(user input)
pass=(user input)
submit=Login

which have been extracted from the page source:

Now if we try to log in to the admin page we get a JavaScript popup which says Incorrect Username, Password

Incorrect Username sounds like text that would not show up had it been a successful login, so we will use this.

Let's combine it all into hydra:

hydra -l {username} -P {password list path} -s {port} -f {Site Address} http-post-form "{Path to postback page}:{USERNAME_NAME}=^USER^&{PASSWORD_NAME}=^PASS^:{failed login text}"

My command looks like:

hydra -l hydra -P password.lst -s 80 -f www.sillychicken.co.nz http-post-form "/administrator/index.php:usrname=^USER^&pass=^PASS^&submit=Login:Incorrect Username"

Command breakdown:

hydra > The hydra program
-l > (lower case L, not to be confused with an upper case i) Single username to target. Use uppercase -L to specify a username list. I have set up the hydra account for this demo and it has already been deleted
-P > Provide the path to the password list. Use -p to try a single password, i.e. passw0rd
-s > Port to target. The default port for http is 80
-f > Exits the program after the first match is made
{Site Address} > e.g. www.sillychicken.com. Do not include http://
http-post-form > Service to brute force. The Hydra README has the command as http-form-post; using that will give you an error
{Path to postback page} > Everything after the site address; must start with /
{USERNAME_NAME} > The name of the username postback variable
^USER^ > This will be replaced with the username specified by -l or the -L username list
^PASS^ > This will be replaced with the password from the defined list
{Failed login text} > Text that will only be found in a failed login

Note: ensure quotes are from after http-post-form TO END OF COMMAND

You will get an output line with the username and password if you are successful. Watch the video for a live example.

This attack is only as good as your dictionary.

Next: how to brute force web forms. Make sure to come back and check it out!

IMPORTANT: This is for educational purposes only. Don't go around attacking sites; that's how you get into trouble.
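The dictionary attack described above shows up in the web server's access log as a burst of POSTs to the postback page from one client. The following is an added example, not part of the original post: a sliding-window detector over Common Log Format lines. The 60-second window, the threshold of 5, the function names and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/administrator/index.php"   # postback page from the article
WINDOW = timedelta(seconds=60)            # assumed detection window
THRESHOLD = 5                             # assumed max login POSTs per window

# Common Log Format: ip - - [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} \S+')

def login_post(line):
    """Return (ip, time) if the line is a POST to the login page, else None."""
    m = LINE_RE.match(line)
    if not m or m.group(3) != "POST" or m.group(4).split("?", 1)[0] != LOGIN_PATH:
        return None
    return m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")

def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Map each client IP to the time it first exceeded the threshold."""
    # The login page reports failure in its body, so the status code is
    # ignored and request rate is the signal. Lines must be in time order.
    recent = defaultdict(deque)   # ip -> login POST times inside the window
    flagged = {}
    for line in lines:
        hit = login_post(line)
        if hit is None:
            continue
        ip, when = hit
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged.setdefault(ip, when)
    return flagged

def sample_log():
    """Constructed sample: one noisy client, one normal user."""
    fmt = '{ip} - - [10/May/2011:12:00:{s:02d} +0000] "{m} {p} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="203.0.113.7", s=s, m="POST", p=LOGIN_PATH)
             for s in range(0, 20, 2)]      # 10 login POSTs in 20 seconds
    lines.append(fmt.format(ip="198.51.100.4", s=30, m="GET", p=LOGIN_PATH))
    lines.append(fmt.format(ip="198.51.100.4", s=35, m="POST", p=LOGIN_PATH))
    return lines

if __name__ == "__main__":
    for ip, when in find_bruteforce(sample_log()).items():
        print(f"{ip} exceeded {THRESHOLD} login POSTs per window at {when}")
```

The same counter, keyed on the username as well as the client address, can drive an account lockout or a delay on the login form rather than only an alert.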
