Website protection against brute force and dictionary attack in the Kali Linux system using Hydra.
Repository
https://github.com/Vitusc
What Will I Learn?
Today I will teach you how to protect ur website against brutal attack and dictionary attack by operating on the kali linux system.
Requirements
- Linux OS
- Good knowledge of linux
- Basics of programming in this system
- Good understanding and reading of the code
- Knowledge of the use of linux libraries.
- Reading comprehension
Difficulty
- Intermediate / Advanced
Tutorial Contents
We will check today whether the strength of the password affects the security of the site.
I decided to install the latest version of wordpress on my local server.
I will present how, using the THC-Hydra software (available in Kali Linux), in version 8.1 the person is able to attack the selected form on the website with the help of a dictionary attack (dictionary attack).
The form of this type can usually be the login panel for the website management system.
hanks to this method, in a very simple way we are also able to test the strength of your password and the correctness of server configuration.
We can also test the resistance of our scripts to dictionary attacks or brute-force attacks.
With even a single attack, hackers use many programs, usually their favorites. In this guide I am writing for the needs of utopian-io,
I will propose the following tools:
Hydra 8.1, (THC-Hydra)
Live HTTP headers plugin,
Kali Linux 2.0 system,
Mozilla Firefox,
Burp Suite Free
The following code is presented to understand the operation of the "THC-Hydra" program, which attacks forms using the HTTP protocol.
The file that most often appears under the name "login.php" looks like:
<?php
if (isset($_POST['login']) && isset($_POST['password'])) {
if ($_POST['login'] == 'admin' && $_POST['password'] == '1234') {
echo("Success!");
} else {
echo("Wrong password!");
}
} else {
?>
<form name="input" action="login.php" method="post">
Your Login:
<input type="text" name="login">
Your Password:
<input type="password" name="password">
<input type="submit">
</form>
<?php
}
?>
I recommend focusing on the name
parameter. Using this parameter, the entered values can be tested in our script. By referring to the PHP code in the POST table, we can get to the values entered by the user $_POST['login'] and $_POST['password']
.
Now put login.php in xampp, so that the path to this script looks as follows (for training):
C:\xampp\htdocs\thc-hydra\login.php
. In order to test the script, it is enough to call our local address
http://localhost/thc-hydra/login.php
in the web browser.
Test the operation of our login form now.
Now let's try using the THC-hydra software to crack the admin password.
Run Kali Linux 2.0 on your virtual machine and enter the following command in your terminal:
hydra 192.168.0.11 -l admin -P dictionary.txt http-post-form "/thc-hydra/login.php:login=^USER^&password=^PASS^:S=Success!"
Attention!
Before you execute this command, you must have your own dictionary (a sequence of example passwords that we will try to break into the page to protect it).
There are thousands of dictionaries on the internet, so you have a lot to choose from.
If we can break the password, we should get the answer "Success!"
The picture shows a successful attack on the user with the admin logon using the THC-Hydra dictionary method.
Description of the parameters used by the Hydra program:
192.168.0.53
is the IP address of the server on which the website is hosted. We can use a domain name instead, for example: utopian.io
.
-l admin
indicates the name of the user whose password we want to know.
Of course, depending on the login form, it may be, for example, an email address.
You can also pass an entire dictionary with logins using the-L
parameter.
-P dictionary.txt
path to the dictionary in which the passwords are arranged one after the other.
http-post-form HTTP POST
protocol which supports hydra. Useful other protocols may be HTTP-FORM-GET, HTTP-HEAD or HTTPS-FORM-POST.
"/Hydra/login.php:login=^USER^&password=^PASS^:F=Wrong password"
- specific syntax of the THC-Hydra command.
It is worth remembering that we can try with different parameters in such a way that we work as best and as efficiently as possible.
Before launching the attack, it is advisable to test the configuration of the hydra command on your account.
If you want to carefully examine the form how it works and what information is sent by it, it is worth using the browser function called Show page source
or Examine element
.
Most browsers have this functionality.
Let's also remember about the extension, which has the name Live HTTP headers
,
with which we can track HTTP headers sent from the form and responses.
Immediately after installing the extension, run it, press capture
, and then by going to the tested login form enter incorrect or correct login information in it and look at the screenshot in the plugin.
Checking them, you can certainly learn a lot about the form and the operation of the HTTP protocol itself.
With the help of this Firefox extension, you can also fake queries and re-send them using the replay
button.
It is also worth looking at the THC-Hydra manual commands to reach for other optional application parameters.
Sometimes it happens that password strength testing in this way can not take place without a certain time gap between subsequent queries.
Below are some of the useful optional arguments of the program:
-R restore a previously aborted session. Requires a hydra.restore
file was written. No other options are allowed when using -R
-S connect via SSL
-s PORT
if the service is on a different default port, define it here
-l LOGIN
or -L FILE login with LOGIN name, or load several logins from
FILE
-p PASS
or -P FILE try password PASS, or load several passwords from
FILE
-x min: max: charset
generate passwords from min to max length. charset can contain 1
for numbers, and for lowcase and A for upcase characters.
Any other character is added is put to the list.
Example: 1: 2: a1%.
The generated passwords will be of length 1 to 2 and contain
lowcase letters, numbers and / or percent signs and dots.
-e nsr additional checks, "n" for null password, "s" try login as pass,
"R" try the reverse login as pass
-C FILE
colon separated "login: pass" format, instead of -L / -P options
-u by default Hydra checks all passwords for one login and then
attempts the next login. This option loops around the passwords, so
the first password is tried on all logins, then the next pass-
word.
-f exit after the first login / password pair (per host if -M)
-F exit after the first login / password pair for any host (for
usage with -M)
-M FILE
server list for parallel attacks, one entry per line
-o FILE
write found login / password pairs to FILE instead of stdout
-t TASKS
run TASKS number of connects in parallel (default: 16)
- at TIME
defines the max wait time in seconds for responses (default: 32)
- At TIME
defines a wait time between each connection and task performs.
This is the only thing that is a task, a small task number is used, an .e.g
-t 1
-4 / -6
prefer IPv4 (default) or IPv6 addresses
-v / -V
verbose mode / show login + pass combination for each attempt -d
debug mode
-h, -help
Show summary of options.
(this code was taken from the hydra manual, I pulled out only the most important commands!)
Additionally, I would like to point out that after executing the hydra command, all actions that the program executes are written to us.
I present my security audit (breaking the password) based on another login panel prepared by me.
As we can see, we managed to break the password.
The login was "admin", password "12345678".
It so happened that in our text file (for example: dictionary.txt) the right password was in the 16th position, so breaking the password took only a few moments.
At the end, we receive a message that the password has been broken.
I would like to add that I pass this knowledge only for educational purposes, it is to be used to protect your websites against this kind of intrusion. Thanks to the guide, you have also discovered the mechanism of this type of programs, and you should already know how to secure your site with the login panel.
Beneficiaries
This post has as beneficiaries
@utopian.pay with 5%
using the Steeditor beneficiary tool
Thank you for your contribution @vitusc.
After reviewing your tutorial we suggest the following points listed below:
In the next tutorial put the github repository on what you will write. For example: Link
Improve the structure of your tutorial and be more careful to write the text so that the reader understands exactly what you are explaining.
Include proof of work under the shape of a gist or your own github repository containing your code.
This subject is very interesting to help verify that the password you have created is quite secure and not breakable quickly.
Your contribution has been evaluated according to Utopian policies and guidelines, as well as a predefined set of questions pertaining to the category.
To view those questions and the relevant answers related to your post, click here.
Need help? Chat with us on Discord.
[utopian-moderator]
Thank you for the positive consideration of my contribution.
I am very pleased to hear the words that the topic is interesting.
That's enough to motivate me to continue working and create more topics in this field.
Next time I will remember about placing github.
I will try to write in an understandable way. Unfortunately, English is not my native language, but I will do everything to make the topic easier to understand.
If I do all these activities in real time, should I also put githuba with proof of work?
Thank you also for the words of encouragement, best regards and nice day @portugalcoin!
Thank you for your review, @portugalcoin! Keep up the good work!
Hi @vitusc!
Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your post is eligible for our upvote, thanks to our collaboration with @utopian-io!
Feel free to join our @steem-ua Discord server
Hey, @vitusc!
Thanks for contributing on Utopian.
We’re already looking forward to your next contribution!
Get higher incentives and support Utopian.io!
Simply set @utopian.pay as a 5% (or higher) payout beneficiary on your contribution post (via SteemPlus or Steeditor).
Want to chat? Join us on Discord https://discord.gg/h52nFrV.
Vote for Utopian Witness!