What is brute force and how to check for this vulnerability using Hydra + Burp Suite

Brute force is an exhaustive-search method: a password is recovered from the set of all its possible values by trying them one after another. As a method of guessing passwords for a computer system, it uses automatically generated sequences of characters to recover passwords (including hashed ones), that is, all possible combinations are tried until the password is found. The smallest and largest possible password lengths are usually taken into account.

Hydra is a utility for brute-forcing authentication (login guessing against network services).

Burp Suite is an integrated platform for web application security testing. Its various tools work together to support the entire testing process, from mapping the site and analysing the application's attack surface to finding and exploiting security vulnerabilities.

Hydra options used in this walkthrough:
-R   restore a previous interrupted / aborted session
-s   PORT
-l   LOGIN (single)
-L   LOGIN (list)
-p   PASSWORD (single)
-P   PASSWORD (list)
-x   generate brute-force passwords; type "-x -h" for help
-o   FILE (write found login / password pairs to this file)
-f   exit when a username / password pair is found
-t   TASKS (number of parallel connections)
-w   WAITTIME (seconds to wait for a response)
F=   text in the response that indicates a failed login (http-post-form module)
H=   extra request header, here used for the cookies (http-post-form module)

So, we have met the tools. Now let's set up the whole flow so that we can collect the data we need.
1. First, prepare a pool of logins (e-mail addresses) and passwords
2. Open the website we are checking in any browser
3. Start Burp Suite

In the Proxy -> Intercept tab, click the Intercept button so that it reads "Intercept is on"


In the Proxy -> Options tab, configure the proxy listener for the application and for the browser in which the site was opened, so that we can intercept the request that is sent when we try to log in.

In the Proxy -> Intercept -> Raw tab we will see all the data transmitted when we try to log in through the browser.

4. Go to the browser and perform a login attempt that will deliberately fail. We need not only the data transmitted in the request, but also some notification that the login failed, so that we can pass it to Hydra and it can tell whether an attempt succeeded or not.


In this example it looks like this. You can take just a part of this notification; even one word is enough.


5. Return to Burp Suite and look at all the data needed to build the command. From this request we need:
- The request type, POST or GET
- The user's cookie
- The names of the input fields and of the submit button


6. Open the console and start composing the command. The options can be given in any order, but here is the order I use in this request:


hydra - the utility itself
-l or -L - a login or a list of logins
-p or -P - a password or a list of passwords
-f - stop at the first successful match
-V - show in real time how the guessing proceeds: which login is tried with which password from the supplied lists. Then follow the protocol and request type used for authorization, in this case the http protocol and a post-form request, and the path of the login page on the site, in this case /index/sub/locators


F= - the text the site returns when the user data is not valid (the failure string)
H= - the cookie header

7. Press launch and wait for the results.
It would be nice, of course, if the system blocked us as a bot trying to break in, but that is exactly what we are here to check: how well our project is protected against such things.

How to protect yourself:
1. Add captcha
2. Add two-step verification
3. Introduce limits on incoming requests from a single IP
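The third protection above, and the detection that goes with it, can be shown on the server side. The following is an added example, not code from the original post: it scans constructed access-log lines for the login path from the walkthrough, flags any IP whose failed POSTs exceed a threshold inside a sliding window (the pattern a Hydra run produces), and exposes a throttle decision. The log format, the threshold and the window length are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (not from the original post): one
# source IP hammering the login form, one legitimate user who fails once.
# Format: "<ip> <ISO time> <method> <path> <status>"; the 401 marks a
# failed login, just as the F= string marks it for Hydra.
SAMPLE_LOG = """\
203.0.113.5 2024-01-01T10:00:00 POST /index/sub/locators 401
203.0.113.5 2024-01-01T10:00:01 POST /index/sub/locators 401
203.0.113.5 2024-01-01T10:00:01 POST /index/sub/locators 401
203.0.113.5 2024-01-01T10:00:02 POST /index/sub/locators 401
203.0.113.5 2024-01-01T10:00:03 POST /index/sub/locators 401
203.0.113.5 2024-01-01T10:00:04 POST /index/sub/locators 401
198.51.100.7 2024-01-01T10:00:05 POST /index/sub/locators 401
198.51.100.7 2024-01-01T10:00:20 POST /index/sub/locators 302
203.0.113.5 2024-01-01T10:05:30 POST /index/sub/locators 401
"""

LOGIN_PATH = "/index/sub/locators"   # path from the post; assumed to be the login endpoint
MAX_FAILURES = 5                     # failed logins allowed per window (assumption)
WINDOW = timedelta(seconds=60)       # sliding window for counting failures (assumption)

def parse_line(line):
    ip, ts, method, path, status = line.split()
    return ip, datetime.fromisoformat(ts), method, path, int(status)

def failed_login_burst_ips(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {ip: time_of_first_trigger} for IPs whose failed POSTs to the
    login path exceed max_failures inside any window of length `window`."""
    recent = defaultdict(deque)     # ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        ip, ts, method, path, status = parse_line(line)
        if method != "POST" or path != LOGIN_PATH or status != 401:
            continue
        q = recent[ip]
        q.append(ts)
        # drop failures that have fallen out of the sliding window
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged

def should_throttle(ip, log_text):
    """Protection 3 from the post: refuse further attempts from a flagged IP."""
    return ip in failed_login_burst_ips(log_text)
```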