TL;DR
This guide shows you how to brute-force the DVWA login page using the Hydra tool. It’s for learning purposes only – never use this against systems you don’t have permission to test.
Prerequisites
- A running instance of DVWA (Damn Vulnerable Web Application).
- Hydra installed on your Kali Linux machine or similar. You can install it with:
sudo apt update && sudo apt install hydra - A wordlist containing potential usernames and passwords (e.g., rockyou.txt).
Steps
- Find the Login Form Details
- Open your web browser’s developer tools (usually by pressing F12).
- Navigate to the DVWA login page.
- Inspect the HTML source code of the login form.
- Identify the names of the username and password fields. Commonly, these are ‘username’ and ‘password’.
- Basic Hydra Command
The basic syntax for a brute-force attack using Hydra is:
hydra -l -P http-post-form "/login.php:username=:password="- -l: Specifies the username to use (or leave blank for multiple usernames).
- -P: Specifies the path to your wordlist file.
- : The URL of the DVWA login page (e.g., 192.168.1.100).
- http-post-form: Indicates that you’re using an HTTP POST form for authentication.
- “/login.php:username=:password=“: Specifies the login page and the names of the username and password fields found in Step 1. Replace and with the actual field names.
- Example Command (Single Username)
Assuming your DVWA URL is 192.168.1.100, username field is ‘username’, password field is ‘password’, and you want to try the username ‘admin’ with rockyou.txt:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.100 http-post-form "/login.php:username=username:password=password" - Example Command (Multiple Usernames)
To try multiple usernames from a wordlist, leave the -l option blank:
hydra -P /usr/share/wordlists/rockyou.txt 192.168.1.100 http-post-form "/login.php:username=username:password=password" - Monitor the Output
Hydra will display its progress as it tries different username and password combinations. Look for lines that indicate a successful login:
[STATUS] 192.168.1.100:443 - login: admin Password: password - Adjusting Hydra Options (Optional)
- -t : Specifies the number of threads to use for faster brute-forcing. Be careful not to overload the server. Example:
hydra -t 16 ... - -vV: Increases verbosity for more detailed output.
- -t : Specifies the number of threads to use for faster brute-forcing. Be careful not to overload the server. Example:
Important Considerations
- Rate Limiting and Account Lockout: DVWA may implement rate limiting or account lockout mechanisms, which can hinder your brute-force attempt.
- Wordlist Quality: The effectiveness of the attack depends heavily on the quality of your wordlist. Use a comprehensive wordlist like rockyou.txt.
- Ethical Hacking: Only perform this test on systems you have explicit permission to assess. Unauthorized access is illegal and unethical.