
DVWA Brute Force with Hydra

TL;DR

This guide shows you how to brute force the DVWA (Damn Vulnerable Web Application) login using Hydra. It assumes you have DVWA installed and running, and a basic understanding of the command line.

Prerequisites

  • DVWA Installed: Make sure DVWA is up and running.
  • Hydra Installed: You’ll need to install Hydra on your system. On Debian/Ubuntu:
    sudo apt update && sudo apt install hydra
  • Web Browser: For checking the login page.

Steps

  1. Find the Login Form’s Details
    • Open your web browser and navigate to your DVWA installation.
    • Go to the ‘Login’ page.
    • Right-click on the username field and select “Inspect” or “Inspect Element”. This will open your browser’s developer tools.
    • Look for the name attribute of the username input field (e.g., name="username"). Note this down.
    • Repeat for the password field (e.g., name="password").
    • Submit the form to see what HTTP method is used. Usually it’s POST, but check your browser’s developer tools in the Network tab after submitting a failed login attempt.
  2. Prepare Your Wordlist
    • Create a text file containing potential usernames and passwords, one per line. This is your wordlist. A common wordlist is /usr/share/wordlists/rockyou.txt (if available on your system).
    • For testing purposes, you can create a small wordlist with just a few credentials:
      printf 'admin\npassword\n123456\n' > test_credentials.txt
  3. Run Hydra
    • Open your terminal or command prompt.
    • Use the following Hydra command to brute force the login:
      hydra -l admin -P test_credentials.txt your-dvwa-ip http-post-form "/login.php:username=^USER^&password=^PASS^:<failure-message>"
      • Replace admin with the username to test. -l takes a single username; use -L followed by a file to try every username in a wordlist.
      • Replace test_credentials.txt with the path to your wordlist file.
      • Replace your-dvwa-ip with the host running DVWA, and /login.php with the path of its login page. Hydra substitutes ^USER^ and ^PASS^ with each candidate from the wordlists; the field names must match the ones you noted in step 1.
      • Replace <failure-message> with the text the page shows after a failed login (taken from the response you captured in step 1); Hydra uses it to tell failed attempts from successful ones.
  4. Interpret the Results
    • Hydra will attempt to log in using each username and password combination from your wordlist.
    • If a successful login is found, Hydra will display the credentials on the screen.
      [STATUS] 192.168.1.100:80 - Login success!  Username: admin Password: password
  5. DVWA Security Level
    • The difficulty of brute-forcing DVWA depends on the security level you have set. Lower levels are easier to crack.
    • Higher security levels may implement rate limiting, CAPTCHAs, or other measures to prevent brute force attacks.
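The defender's side of steps 4 and 5: the guess loop above produces a burst of POSTs to the login page from one address, which is easy to spot in the web server log and easy to throttle. The following is an added example, not code from the original post or from DVWA. It assumes Apache/nginx combined-format access log lines, the login path /login.php, and a window size and attempt threshold chosen purely for illustration; the log lines are constructed.

```python
"""Spot a login brute-force burst in access logs and throttle it (added example).

Assumptions, not taken from the original post: combined-format access log
lines, a login path of /login.php, and the window/threshold values below.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ip, ident, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bursts(lines, path="/login.php", threshold=5, window=timedelta(seconds=10)):
    """Return {ip: peak} for IPs with more than `threshold` POSTs to `path`
    inside any sliding `window`; `peak` is the largest count seen in a window."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            stamps_by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop events older than the window
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


class LoginRateLimiter:
    """Sliding-window limiter: at most `max_attempts` failed logins per key
    (IP or username) per `window`. This is the kind of control DVWA's higher
    security levels stand in for."""

    def __init__(self, max_attempts=5, window=timedelta(seconds=60)):
        self.max_attempts = max_attempts
        self.window = window
        self.failures = defaultdict(deque)

    def allow(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) < self.max_attempts

    def record_failure(self, key, now):
        self.failures[key].append(now)


def simulate_attempts(n, key="10.0.0.5", max_attempts=5):
    """Feed `n` failed guesses, one per second, through the limiter and
    return how many reached the password check."""
    limiter = LoginRateLimiter(max_attempts=max_attempts)
    t0 = datetime(2024, 3, 12, 10, 0, 0)
    allowed = 0
    for i in range(n):
        now = t0 + timedelta(seconds=i)
        if limiter.allow(key, now):
            allowed += 1
            limiter.record_failure(key, now)  # every guess in this simulation fails
    return allowed


# Constructed sample log: one GET, then seven POSTs in six seconds from
# 10.0.0.5 (the wordlist run), plus a single POST from another address.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:00:00 +0000] "GET /login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
] + [
    f'10.0.0.5 - - [12/Mar/2024:10:00:0{i} +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
    for i in range(1, 8)
] + [
    '10.0.0.9 - - [12/Mar/2024:10:00:04 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("flagged:", find_bursts(SAMPLE_LOG))          # {'10.0.0.5': 7}
    print("guesses reaching the check:", simulate_attempts(20))  # 5
```

The detector keys on request volume, not on response codes, because a login that redirects on both success and failure looks identical in the status column; the limiter is keyed by IP here, but keying by username as well stops the same wordlist being spread across many source addresses against one account.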

Important Notes

  • Ethical Considerations: Only perform these tests on systems you own or have explicit permission to test. Unauthorized access is illegal and unethical.
  • Rate Limiting: DVWA may implement rate limiting, which will slow down the attack. You can try using options like -t (number of threads) in Hydra to increase the speed, but be careful not to overload the server.
  • Wordlist Quality: The success of a brute force attack depends heavily on the quality of your wordlist. Use comprehensive and relevant wordlists.