Brute Force Login Pages

I intended these to be exercises in using Hydra.

If you are in my CNIT 123 class, email in screen captures of your whole desktop, showing Hydra finding the correct passwords for each login.


0: Simple Test Case (0 pts.)

The username is root

The password is password

Click here to log in

To log in with Hydra on Kali Linux, use this command:

hydra -l root -p password attackdirect.samsclass.info http-get /brute0/


1: 3-Digit PIN (10 pts.)

The username is one of these: root, admin, administrator

The password is a three-digit PIN like 123, 245, etc.

Click here to log in

I used nano to make the usernames:

I used this script to make the dictionary:

I used this command to attack with Hydra:

hydra -L usernames1 -P pin3 attackdirect.samsclass.info http-get /basic1/
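A defender's counterpart to the Hydra run above, as an added example that is not part of the original page: a small Python detector over constructed Apache-style access log lines that flags a source racking up many 401 responses against one path, which is what an http-get brute-force attempt against a basic-auth page like /basic1/ looks like from the server side. The client IPs, timestamps and user-agent strings in the sample are constructed.

```python
"""Flag HTTP basic-auth brute forcing in Apache combined-format access logs.
Added example: a Hydra http-get run against a basic-auth path such as /basic1/
leaves a burst of 401 responses from one source; count them per (client, path)
inside a sliding window and alert when a threshold is reached."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def find_bruteforce(lines, threshold=20, window_s=60):
    """Return {(ip, path): alert_time} for sources whose 401 count on one path
    reaches ``threshold`` within any ``window_s``-second window."""
    recent = defaultdict(deque)   # (ip, path) -> timestamps of recent 401s
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != 401:
            continue
        ip, ts, path, _ = rec
        key = (ip, path)
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # expire old failures
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts

# Constructed sample: 10.0.0.5 hammers /basic1/ (25 failures in 25 s); 10.0.0.9 fails once.
SAMPLE_LOG = [
    f'10.0.0.5 - - [10/Nov/2016:12:00:{i:02d} +0000] "GET /basic1/ HTTP/1.1" 401 381 "-" "Mozilla/4.0 (Hydra)"'
    for i in range(25)
] + ['10.0.0.9 - - [10/Nov/2016:12:00:30 +0000] "GET /basic1/ HTTP/1.1" 401 381 "-" "curl/7.50"']

if __name__ == "__main__":
    for (ip, path), when in find_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip} -> {path}, threshold hit at {when.time()}")
```

A three-digit PIN has only 1000 candidates, so on the server side the realistic mitigation is rate limiting or lockout at a threshold well below the 20 used here.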


2: Top 50 Passwords (10 pts.)

The username is one of these: root, admin, administrator

The password is one of these top 50 passwords

In case that link goes down, I copied the important portion of it here.

Click here to log in


3: Top 50 Passwords + a digit (10 pts.)

The username is one of these: root, admin, administrator

The password is one of these top 50 passwords with a digit after it.

In case that link goes down, I copied the important portion of it here.

Click here to log in


4: Login Form (10 pts.)

The username is one of these: root, admin, administrator

The password is a three-digit PIN

Login form fields: LOGIN, PIN

Hints

Here's an example of a properly formatted Hydra form attack. I have changed a few things in it, so although it runs, it won't find the password for the form above as written:

Here's a good link explaining how to attack form logins with Hydra:

http://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html


Credit

This was inspired by a challenge at PentesterAcademy, which I haven't cracked yet:

http://pentesteracademylab.appspot.com/lab/webapp/auth/1/login

Last modified 11-10-16