Hydra & Crunch: HTTP GET Form Cracking

TL;DR

Yes, Hydra and Crunch can be combined to brute-force HTTP GET form parameters. Crunch generates the password list, and Hydra uses that list against the target URL with the specified form fields.

How to Use Hydra & Crunch Together for HTTP GET Form Cracking

  1. Understand the Target
    • Identify the URL of the web page containing the HTTP GET form.
    • Determine the parameter name(s) you want to brute-force (e.g., username, password). You can find these by inspecting the URL when submitting the form or by using browser developer tools.
  2. Generate a Password List with Crunch
    Crunch creates password lists based on specified criteria. For example, to create a list of lowercase letters and numbers between 6 and 8 characters long, give the minimum length, the maximum length and then the character set:

    crunch 6 8 abcdefghijklmnopqrstuvwxyz0123456789

    This writes the password list to standard output. Redirect the output to a file (e.g., passlist.txt):

    crunch 6 8 abcdefghijklmnopqrstuvwxyz0123456789 > passlist.txt
  3. Run Hydra with the Password List
    Use Hydra’s http-get-form module to attack the target URL.

    • Basic Command: This is a general example; adjust the parameters as needed.
    hydra -l <username> -P passlist.txt <host> http-get-form "<path>:<user_param>=^USER^&<pass_param>=^PASS^:F=<failure_text>"
    • Replace <username> with the actual username if required by the form.
    • Replace passlist.txt with the name of your generated password list file.
    • Replace <host> and <path> with the host and path of the URL of the web page containing the form.
    • Replace <pass_param> with the name of the parameter you are trying to crack. The ^PASS^ placeholder will be replaced by each password from the list, and ^USER^ by the username.
    • Replace <failure_text> with a string that appears in the response to a failed login; the module requires it to tell failed attempts from successful ones.
  4. Example: Cracking a ‘password’ Parameter
    Let’s say your target URL is http://example.com/login.php and you want to crack the password parameter, with a username of ‘testuser’. Assuming the form sends the username in a parameter named username:

    hydra -l testuser -P passlist.txt example.com http-get-form "/login.php:username=^USER^&password=^PASS^:F=<failure_text>"
  5. Advanced Options (Optional)
    • Multiple Parameters: Hydra substitutes only the ^USER^ and ^PASS^ placeholders. If you need to crack other or additional parameters, you’ll likely need a more complex approach using custom scripts or other tools.
    • Proxy Support: If you need to route your traffic through a proxy server, set the HYDRA_PROXY_HTTP environment variable (e.g., HYDRA_PROXY_HTTP=http://<proxy_host>:<port>). The -p option sets a single password, not a proxy.
    • User Agent: Set a custom user agent by appending an optional H=User-Agent\: <value> field to the module string; Hydra has no -a option for this.

Important Considerations

  • Legality: Always ensure you have permission to test the security of any system before attempting brute-force attacks. Unauthorized access is illegal and unethical.
  • Rate Limiting & Blocking: Web servers often implement rate limiting or blocking mechanisms to prevent brute-force attacks. Be mindful of these limitations and adjust your attack speed accordingly (using Hydra’s -t option, but be cautious).
  • Account Lockout: Repeated failed login attempts may lock the account you are testing.
  • Password Complexity: The success of this method depends on the complexity and length of the passwords used by the target system. Longer and more complex passwords will take significantly longer to crack.
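
From the defender's side, the rate limiting and lockout points above come down to a log check: a brute-force run against a GET form leaves every guess in the query string of the web server's access log. The following is an added example, not part of the original article; the combined log format, the /login.php path, the parameter name, the threshold and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Matches GET requests in the common/combined access-log format (assumed format).
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"GET (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def detect_get_bruteforce(lines, path="/login.php", param="password",
                          threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak count of distinct `param` values sent to `path`
    inside one sliding `window`} for every source reaching `threshold`."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, submitted value)
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # not a GET request in the expected format
        url = urlsplit(m["url"])
        values = parse_qs(url.query, keep_blank_values=True).get(param)
        if url.path != path or not values:
            continue              # other pages, or no credential parameter
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append((ts, values[0]))
        while ts - q[0][0] > window:   # drop attempts older than the window
            q.popleft()
        distinct = len({v for _, v in q})
        if distinct >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), distinct)
    return flagged

def sample_log():
    """Constructed log lines: one guessing client and one ordinary user."""
    fmt = '{ip} - - [10/Mar/2024:12:00:{s:02d} +0000] "GET {url} HTTP/1.1" {st} 512'
    lines = [fmt.format(ip="203.0.113.7", s=i, st=401,
                        url=f"/login.php?username=testuser&password=guess{i}")
             for i in range(8)]
    lines.append(fmt.format(ip="198.51.100.4", s=30, st=200,
                            url="/login.php?username=alice&password=correct1"))
    lines.append(fmt.format(ip="198.51.100.4", s=31, st=200, url="/index.php"))
    return lines

if __name__ == "__main__":
    for ip, n in detect_get_bruteforce(sample_log()).items():
        print(f"{ip}: {n} distinct password values within 60s")
```

The same logs show a second finding: a login form that uses GET writes every submitted password, valid ones included, into the access log, so such forms should be moved to POST.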