1 - Brute Force (low/med/high) - Damn Vulnerable Web Application (DVWA)
- Published: 4 Aug 2024
- 1 - Brute Force (low/med/high difficulties) video from the Damn Vulnerable Web Application (DVWA) walkthrough/tutorial series. DVWA is an intentionally vulnerable application for you to learn about ethical hacking. I made this series for students on the MSc in cybersecurity course at Queen's University Belfast but hopefully it can help others too! Hope you enjoy 🙂
↢Social Media↣
Twitter: / _cryptocat
GitHub: github.com/Crypto-Cat
HackTheBox: app.hackthebox.eu/profile/11897
LinkedIn: / cryptocat
Reddit: / _cryptocat23
RUclips: / cryptocat23
Twitch: / cryptocat23
↢Damn Vulnerable Web Application (DVWA)↣
github.com/digininja/DVWA
↢Chapters↣
Start - 0:00
Low (brute force admin with BurpSuite) - 0:45
Low (brute force all users hydra - broken?) - 7:52
Low (brute force all users wfuzz) - 26:06
Med (throttling) - 34:36
High (csrf) - 36:47
Impossible - 44:46
- Category: Science
UPDATE: I noticed that a GitHub issue was created, showing how to solve DVWA brute force with Hydra. It turns out the command was OK, but hydra 9.1 (used in the video) had a bug which prevented it from working - github.com/vanhauser-thc/thc-hydra/issues/612
I was struggling with hydra also. In the newest hydra I got slightly different behavior (error message) but I found the problem. I tried with version 9.1 that you used as well, and I think it's the same problem. The parameter that distinguishes successful attempts from failures MUST be last in the command line, so this works even with hydra 9.1:
./hydra -l admin -P SecLists/Passwords/500-worst-passwords.txt 172.17.0.2 "http-get-form" "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie\: PHPSESSID=qvthc81qv13c9eq5vl2nd8oif7; security=low:incorrect" -I
It is really confusing, and the information about this is not clear at all. In the latest hydra you can find a note in the source code: hydra-http-form.c.
That Hydra issue had me on the ropes! Thanks for showcasing it so thoroughly m8! And especially for not cutting the errors you made, got to learn quite a bit through those! Amazing vid!!
thanks mate! 🥰 glad i didn't cut the struggle now as a few people have said it helped 😅
It's a progression.
Thank you for leaving in the try and fail section! Often times the most important thing for a beginner is to learn the thought process. Great tutorial
thanks mate 🥰 i was tempted to take it out to reduce the total video time. good to hear it can provide some benefit 😊
This.
Nice tutorial and that wasn't a waste of time (interesting behind the scenes 😜)
Keep up the good work mate!
Subscribed! Amazing work bro, can't wait to finish this series!
awesome! thanks mate 😊
Thanks a lot for the hydra part, m8. I was literally pulling my hair off until I watched this video and realized that hydra has a bug...
Thank you for the video. I was able to resolve the setup issue.
I loved this. So many mistakes to learn from too. We are in this together :))))))
thanks mate 🥰
Love this sarcasm in your voice about "just use Burp instead of Hydra" :D
haha xD I've only used hydra a handful of times since making this video. Mostly use gobuster and ffuf for web, and crackmapexec where possible for other protocols.
thank you very much! big help :D
🙏🥰
Hey, Very great video. On the issue of Hydra maybe adding "F=Username and/or password incorrect.:" could solve the problem? I can perfectly bruteforce the password using hydra.
Bro I face the same problem.. but thanks for sharing your errors too.. I became your subscriber because of this video ❤
Awww thanks mate! Welcome 🥰
good information
🙏🥰
thanks bro, love from India
Hey there! Amazing tutorial so far, I got all the way to High Security level before I got stuck.
So I'm doing it on Windows 11, I'm not sure if that's relevant or not.
But the first problem I encountered following your tutorial at High level was, when I wanted to start the attack, it would tell me I can't use multiple threads when using recursive grep. Luckily I figured out a fix for that by making a new custom resource pool with only 1 maximum concurrent request.
Now it can start attacking but I've run into another problem immediately: my first request, which sends the first password in the file correctly, always sends with a blank user_token value.
This results in the subsequent attack requests sending parts of the error message instead of proper values.
Any idea on what could be the problem?
Hmmm which tool are you using? Maybe try another (hydra, wfuzz, ffuf, burp etc) or even make your own python script!
A user_token was being generated each time we sent a request. Can you please tell me more about that? Was the user_token being generated on the client side? Thanks for the knowledge you are sharing ❤️.
think i spoke to you on LinkedIn already but just going to reply here in case others are interested;
it's been a while since I looked at dvwa but assuming it was a CSRF token that was generated server side. i did a video on DVWA CSRF but it is TERRIBLE lol 😆 it was towards the end of this video series (which i recorded over a weekend with no prep).
I would recommend checking out portswigger.net/web-security/csrf/tokens to learn more about CSRF. The portswigger material and labs are excellent in general and provide a lot more to learn than DVWA. Great thing to move onto after DVWA to solidify your understanding and learn more advanced techniques 😉
i seem to not have permission to the hackable/users folder. i get a 403 forbidden error in browser when accessing that resource. do you have any idea how to fix it?
Hey, check some of the issues/docs on their github: github.com/digininja/DVWA/issues/149
So what was the problem with brute force through hydra? Is it a bug in the tool, or a command misconfiguration?
I think it was due to a bug with the hydra version, which kali (and probably parrot) haven't updated still. There's some GitHub issues about it: github.com/vanhauser-thc/thc-hydra/issues/612
I got the same problem with a WordPress login attack. The problem got solved when I placed part of the error message instead of the full one.
I am about to try hydra on the dvwa on the brute force challenge, but according to the article shared by you, my version of hydra (9.1) has a bug and does not work.
Time to check.
Using hydra 9.1 on Ubuntu failed. The hydra 9.2 worked, but only when using the success message, instead of the error one.
So the full working command is:
sudo hydra -l admin -p password 'http-get-form://127.0.0.1/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=Welcome:H=Cookie:welcomebanner_status=dismiss; cookieconsent_status=dismiss; language=en; continueCode=mJBpEKkqbOJZnP15M3Legajov80bmTEirnG2YWDymNRV4xwz6pXlQ9Br7WDO; PHPSESSID=osb4ad9nogmtk8t6r4ugahg2qt; security=low'
For some reason, when fuzzing I would get a duplicate of each name with the same password -> " #1bitch " lol But I still got the proper pwd's along with them.. Enjoying the video btw!
With a different seclists wordlist, wfuzz gives a lot of false positives. Have you come across this issue?
which ones are coming up false positive? starting with a # maybe?
@_CryptoCat Sorry, been away for about 2 weeks, and I don't recollect which ones they were.
is it worth it if you have to brute force a login form but it includes a captcha 🙂 ?
depends on the captcha tech but unless it's really basic e.g. provide the answer to a basic math equation, it would be a challenge. if the captcha is using image recognition you'd need to integrate some machine learning based solution into your brute force script 😆 there's probably some tools out there to integrate though 😉
Whenever I try to do wfuzz it shows me this error "UserWarning:Fatal exception: Error opening file. [Errno 2] No such file or directory:" I have got the wordlist file on the Desktop and execute the wfuzz command from the Desktop only, but it still shows me an error. Please help
hey, make sure you're providing the '-w' flag before the wordlist. if you try to print the wordlist out from the terminal (same directory/filename) does it work?
@_CryptoCat No it doesn't work
I tried it, and there is also an error known as pycurl3
@TVVDINAKARAN i get that pycurl SSL error as well, don't worry about that. try and re-order your command as well, make sure the URL is the last parameter provided. also, i played around with wfuzz and ffuf recently and i would personally recommend using ffuf instead of wfuzz 😉 - ruclips.net/video/N1VurPV0s0o/видео.html
@_CryptoCat Thanks mate, I will look into it
I tried using a password list and started the attack. But the length is not varying, it is 300 for all the passwords. All my configurations are right, is there anything I can do to fix this?
what tool are you using? been a while since i did this but maybe try and filter by regex instead of length e.g. hide responses that contain the word "incorrect". if you are using wfuzz, you could also try to filter by number of chars, instead of number of lines/words 😉
Thanks for your response. I just realized that I had DVWA set to high security level and that was the reason it didn't work. Your videos are extremely good. I'm trying to use hydra as well but I'm getting a parsing error because of using '&'. I haven't tried to fix it yet though.
@srns25 no problem! best of luck with the remaining levels 😉 if you don't get hydra working you can DM me on twitter and i'll try to help 🙂
great video
how can we implement the csrf token part without using burp?
My preferred option would probably be a python script using BeautifulSoup e.g. stackoverflow.com/a/28292151
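The per-request user_token asked about above, and the reason a tool that fires requests without re-reading the form sees the same response for every password at the high level, as an added example (not the author's or DVWA's code; the stdlib html.parser stands in for the BeautifulSoup the reply suggests, and the form model and its messages are assumptions):

```python
"""Model of a per-request anti-CSRF token on a login form (assumption:
behaviour is modelled on the form discussed in the thread, not copied)."""
import secrets
from html.parser import HTMLParser


class _HiddenInputFinder(HTMLParser):
    """Collect name=value pairs of <input type="hidden"> elements."""
    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def extract_user_token(html: str) -> str:
    """Return the user_token hidden field, or '' when the page has none
    (which is what a fuzzer ends up sending if it never parsed the form)."""
    p = _HiddenInputFinder()
    p.feed(html)
    return p.hidden.get("user_token", "")


class TokenProtectedLogin:
    """Login form whose token is minted on every GET and consumed on use."""
    def __init__(self, username: str, password: str):
        self._creds = (username, password)
        self._token = None  # stands in for the server-side session value

    def render_form(self) -> str:
        self._token = secrets.token_hex(16)
        return ('<form method="GET"><input type="text" name="username">'
                '<input type="password" name="password">'
                f'<input type="hidden" name="user_token" value="{self._token}">'
                '<input type="submit" name="Login" value="Login"></form>')

    def login(self, username: str, password: str, user_token: str) -> str:
        # Token check runs first, so a blank or replayed token never reaches
        # the credential comparison: every such attempt gets the same reply.
        if not self._token or user_token != self._token:
            self._token = None
            return "CSRF token is incorrect"
        self._token = None  # single use: the next attempt must re-fetch the form
        if (username, password) == self._creds:
            return "Welcome to the password protected area " + username
        return "Username and/or password incorrect."


def attempt(site: TokenProtectedLogin, username: str, password: str,
            refetch_token: bool) -> str:
    """One attempt; refetch_token=False replays a blank token like a tool
    that fires requests without re-reading the page in between."""
    token = extract_user_token(site.render_form()) if refetch_token else ""
    return site.login(username, password, token)
```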
@_CryptoCat do you run this script in Kali python?
@user-wk1td4xo2d I'm using Parrot OS, but yeah Kali should be fine too ☺
Hi, great video btw. Just wondering, how do we even know which combination of username and password to use in the medium setting with throttling?
Thanks! It's been a long time since I made these but I think some usernames were provided, either in this lab or one of the others (e.g. SQL injection). For passwords I'd just use a common list.
@_CryptoCat Just figured it out several hours ago, your tutorial is actually very helpful for me to do ethical hacking. Thank you, appreciate it bro
@ikhsansdq Awesome! No problem mate 👊
Could the security=high be done using wfuzz?
not that i'm aware of! i don't think you'll be able to grab the CSRF token with wfuzz.
@_CryptoCat Probably. I might try a python script. Just to avoid burp suite 😊
@StephenMolloyGoogle probably the best bet unless you have burp suite pro.. the throttling on intruder can be a real nightmare so i would recommend a custom script normally (assuming ffuf can't do the job), also a good opportunity to build coding skills 😀
let's say the password of the site was in the 30000th position and we're throttled to 2 sec between trying new passwords. In that case it'd take 10+ hours for us to get the password. Is there any way to overcome this? I felt everyone's approach on the medium difficulty was flawed.
good question! a few thoughts:
- ensure password list is ordered according to most commonly found passwords
- if the website has a password policy, you can filter out invalid passwords from the wordlist
- if the throttling is IP based, you could use VPNs and distribute the attack
- if throttling is user account based, you can distribute the attack across usernames
TLDR; depends on the password list and the throttling implementation but sometimes it will just take a really long time, other times you won't crack it at all.
@_CryptoCat i didn't expect such a fast reply. Thanks a lot for all these suggestions
Hello, I'm a windows user and I want to know if I can get wfuzz on my windows system and how. Do you know how it works?
wfuzz is python-based so if you install python, you could use wfuzz on windows. Check this: wfuzz.readthedocs.io/en/latest/user/installation.html#pycurl-on-windows
@_CryptoCat thanks!
very nice and informative video! Can you help me with the word list, I can't find one.
thanks mate! rockyou.txt should come with kali/parrot (/usr/share/wordlists) and i would also recommend seclists (sudo apt-get or github: github.com/danielmiessler/SecLists). aside from that i use the crackstation/haveibeenpwned wordlists, you can find on the websites / google 😉
Thank youuuu!!!
From where can we access that password list?
Kali Linux and Parrot OS should have some included e.g. rockyou in /usr/share/wordlists. You can also download some, e.g. from seclists: github.com/danielmiessler/SecLists
Where are we getting the list of passwords from, did I miss something
If you are using Kali or Parrot OS, there's wordlists in /usr/share/wordlists/
you can also install seclists either using "sudo apt-get install seclists" or download via github: github.com/danielmiessler/SecLists
for this, must i use Linux?
it will be possible without it but linux will be easiest for installing/configuring DVWA and all the relevant tools. something like kali linux / parrot os will be ideal!
@_CryptoCat Thank you!
I couldn't find the address of this site, could you put the site's http link?
Thanks for reminding me, the address currently in the description was bought by scammers :( I'll update it now with the official github repository: github.com/digininja/DVWA
Hi, how can I use this on an actual URL?
well it depends on the URL, this is an intentionally vulnerable web application so there are minimal security protections (throttling/CSRF etc). if the URL you want to test is also missing security protections, then a similar attack would work i.e. just swap the URL for the one you are targeting 😀
Thanks.. let's assume I have a URL, so where should I swap it? I didn't get it bro
@PastEventsTV you would replace the URL i use in the video with the URL you are targeting 😆 if you don't understand where the URL goes, plz rewatch the video 😉
@_CryptoCat gotcha man! Thanks
How can I connect with you bro
hey i have some social media links listed on the main channel 😀
@_CryptoCat okay thanks
@_CryptoCat I have sent you a message on Twitter, and also connected with you on LinkedIn
Can you solve impossible
You shouldn't be able to solve it 😁 If you find a way you can report to the creator 😉
for wfuzz, i couldn't get my cookie to filter out the 200 response. My PHPSESSID is different from yours
PHPSESSID should be different each time, try to insert yours in wfuzz 😉
@_CryptoCat i did and it printed out 3 thousand some values. How do i filter out the 200 responses?
@iankimca -hc 200 will Hide Code 200. you can also use -hl, -hw, -hh to hide lines/words/chars (response size) 😉
@_CryptoCat ok i used --hc 302 to hide failures but it printed out hundreds of other responses. I used -sw 248 like in the video to show successes but nothing prints out for me. I think my successful word count is different from 248. Any thoughts on how I should proceed?
@iankimca Hi mate, unless you *know* the correct number of words for a successful login is 248, i would use "hide words" (hw) instead of "show words" (sw) e.g. if incorrect login is 420 words, use -hw 420.
First of all I must say that I really love your videos! You are the best!
About the hydra topic, i was able to harvest all credentials with this:
hydra localhost http-form-get "/dvwa/vulnerabilities/brute:username=^USER^&password=^PASS^&Login=submit:H=Cookie:security=low; PHPSESSID=i0n9avk1tr136munuo7vuac6kp:F=Username and/or password incorrect." -L /home/kenny/users.txt -P /usr/share/wordlists/rockyou.txt
users.txt being the ones harvested before, and the PHPSESSID mine. Got the 5 of them really quick. Thanks, love you bro.
Awww thank you! Great job 👏
I can't get hydra cracking DVWA either. Looked at countless tutorial vids, so annoying lol
yeh this was so frustrating! i've boycotted hydra ever since this video 😅
you only needed to make DVWA in the url in capital letters and it should work
🤔
Hydra is really shitty, it never finds the password in multiple different scenarios with all the syntax correct, whereas Burp finds it every time.
Yeh, I rarely ever use hydra these days! ffuf for web stuff (burp is great, but slow if you don't have pro version) and crackmapexec for most other protocols 🙂
Man, I love your videos. I just wish you did not smack your lips all the time like that, loool!!! :D
yeh haha i'm sorry bro! it took me a while but i think i'm getting there, same with the microphone static/pops. some of the video/audio quality in my earlier videos is super cringe xD
dude, for the Low level, you should have used the "Cookie\:" instead of "Cookie:"
bro you don't use insta?
instagram? not for cybersecurity related stuff 😆 mostly just youtube + twitter, a little bit of reddit 😀
frustrating while listening to your voice in a headset; for each word you say, you are swallowing your saliva with that word.
yeh i'm sorry bro, these early videos were put together with little preparation or editing - basically an upload of me livestreaming the challenges. i'm actually surprised these videos get so many views considering the audio quality, small fonts etc. i've got better at making (and editing) videos now so if you check some of my recent uploads hopefully you will notice a big difference. maybe i will go back one day and re-record the DVWA series as it is quite popular, but atm i don't have the time unfortunately. apologies! 💜
@_CryptoCat There is nothing wrong with the sound in the video and there is absolutely no need to re-record. A simple thank you for your time and effort is what I think he was supposed to say.
In the words of Alfred Pennyworth, "Some men aren't looking for anything logical, like money. They can't be bought, bullied, reasoned, or negotiated with; some men just want to watch the world burn."
@ReturnTypeVoid Thanks mate 🥰 The audio is definitely a bit hit and miss compared to my recent videos but you're right, I take the time to make and publish these videos for free in case it can help others.. If it doesn't, or the quality isn't good enough.. Just don't watch it 😂
Dude! Keep it simple. You're picking things to show at random without even showing the password attack complete. Relax man. Start showing us something and follow through with it instead of running to something else.
i gotta dislike my dude
Well thanks for letting me know! Any feedback on why you dislike?
Seems like hydra can only work on the /dvwa/login.php
This might be a late reaction, but you need Hydra version 9.2 or higher for this to work.
@LucassenR thanks for the info!
GREAT EXPLANATION FOR NEWBIES .... I WONDER WHY YOU ARE STILL NOT FAMOUS !!!! LET'S CONNECT ON SOCIAL MEDIA
I tried exactly what you did but put http-get-form and it worked for me
nicely done!
You needed to add ':F=' (for failure, I presume) after the form data and before the failure message. So it would look similar to this:
hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 127.0.0.1 http-get-form "/vulnerabilities/brute/:username=admin&password=^PASS^&Login=Login:F=incorrect:H=Cookie: PHPSESSID=[YOUR PHPSESSID]; security=low" -V
See example
pasteboard.co/K1omrQY.png
hmmm that's interesting and cool you got it working! 😎 when i made this video i hadn't used hydra in a couple of years (since OSCP) but none of the commands in my notes specify the ":F" part, they just look like: '...http-post-form "/login:username=^USER^&password=^PASS^&submit=Login:Login failed' and always worked without issues. looking at the hydra documentation now, the only thing i can see about the "F" option is that it will end the fuzzing once it finds a correct password. that being said, i can't find any github code for hydra, is the project even active anymore? 🤔
@_CryptoCat I believe you're right, my notes do not mention the 'F' option either. If I figure out that mystery I'll be sure to share. The github project can be found here: github.com/vanhauser-thc/thc-hydra
ooo ok yeh so looking at the code comments it should use the failure message by default if you don't specify F or S - "By default, if no header is found the condition is assume to be a fail" - github.com/vanhauser-thc/thc-hydra/blob/master/hydra-http.c. looking elsewhere on the github it seems the original issue was addressed: github.com/vanhauser-thc/thc-hydra/issues/612
@_CryptoCat Got it!