1 00:00:00,080 --> 00:00:05,930 In this video, we are going to see what brute forcing is and how we can practice brute forcing with
2 00:00:05,930 --> 00:00:07,760 Damn Vulnerable Web Application.
3 00:00:07,850 --> 00:00:12,830 We are going to solve brute forcing challenges on DVWA with Burp and Hydra.
4 00:00:14,860 --> 00:00:20,140 Brute forcing is a technique used in computer science to try a large number of possibilities, such
5 00:00:20,140 --> 00:00:23,200 as passwords or keys, in order to find the correct one.
6 00:00:23,560 --> 00:00:28,030 It involves trying every possible combination until the correct one is found.
7 00:00:28,600 --> 00:00:33,580 We will use Burp Suite and Hydra to brute force the login form provided by DVWA.
8 00:00:34,600 --> 00:00:40,060 In this challenge, we will test a password list against the user and try to log in as the target user.
9 00:00:43,820 --> 00:00:49,760 Now you should be on Kali Linux or Parrot OS in VMware or VirtualBox, or running natively on your PC.
10 00:00:54,630 --> 00:00:58,680 Now let's first see the low difficulty brute forcing challenge.
11 00:01:01,810 --> 00:01:05,379 Go to settings and set the difficulty to low.
12 00:01:06,960 --> 00:01:13,050 Now fire up Burp Suite in your Kali Linux. Set the proxy in your Firefox to use Burp as a proxy.
13 00:01:13,500 --> 00:01:17,010 You can also use the FoxyProxy add-on to set the Burp proxy.
14 00:01:19,540 --> 00:01:23,410 Now submit a request from Firefox to log in with the wrong credentials.
15 00:01:23,770 --> 00:01:26,110 The complete request will be shown in Burp.
16 00:01:26,800 --> 00:01:29,980 Now right click on it and send it to the Intruder module.
17 00:01:30,370 --> 00:01:36,100 In the Intruder module, clear all targets, locate the password field and add it as a target.
18 00:01:37,360 --> 00:01:40,320 Now in the Payloads tab, you can set the word list.
19 00:01:40,330 --> 00:01:42,010 I'm using john.lst.
20 00:01:45,970 --> 00:01:47,220 Now start the attack.
21 00:01:47,810 --> 00:01:49,750 Burp will try to brute force it.
22 00:01:49,780 --> 00:01:51,820 Keep looking for the response size.
23 00:01:51,850 --> 00:01:56,110 The request and response with the changed response size will be our matched password.
24 00:01:56,140 --> 00:01:58,330 We can also do this attack with Hydra.
25 00:01:58,780 --> 00:02:04,870 Hydra is a network login cracking tool that is used to perform brute forcing attacks on network protocols
26 00:02:04,870 --> 00:02:08,740 such as HTTP, FTP, Telnet and SSH.
27 00:02:10,650 --> 00:02:14,910 Hydra can brute force the password much faster than Burp Suite Community Edition.
28 00:02:15,120 --> 00:02:17,850 However, you need to format the command for it.
29 00:02:18,270 --> 00:02:22,830 You need to provide it the complete URL of the form, which you can get from the Network tab
30 00:02:22,830 --> 00:02:29,340 if you inspect a page. Just replace username and password with the capital user and password respectively
31 00:02:29,370 --> 00:02:30,390 with flags.
32 00:02:30,930 --> 00:02:34,320 Get the cookie information from the Storage tab in the debug menu.
33 00:02:35,320 --> 00:02:38,230 And set the login failure information with the F flag.
34 00:02:42,200 --> 00:02:45,680 Then you can use the following command to brute force the password with Hydra.
35 00:02:47,290 --> 00:02:52,150 There, admin is the target user and we are using a word list to crack the password.
36 00:02:53,320 --> 00:02:55,510 And the target is a GET form.
37 00:02:58,810 --> 00:03:01,570 Once the password is cracked, it will be displayed on screen.
38 00:03:05,480 --> 00:03:07,550 Now let's get to the practical part.
39 00:03:08,240 --> 00:03:14,630 So on your machine, you can see a web application. Just change the security level to low.
40 00:03:19,290 --> 00:03:21,030 Now select the Brute Force tab.
41 00:03:22,960 --> 00:03:24,550 And you can see a login form.
42 00:03:29,850 --> 00:03:35,010 If you try to log in with the wrong credentials, you will get the error "username and password incorrect".
43 00:03:37,760 --> 00:03:43,850 And if you look at the you will see the complete URL, which indicates that it is a GET request.
44 00:03:45,590 --> 00:03:48,680 We can also get the complete URL from the Network tab.
45 00:03:51,450 --> 00:03:55,530 Just inspect the page, go to the Network tab and you can see the complete URL.
46 00:04:05,130 --> 00:04:06,660 Now start Burp Suite.
47 00:04:13,080 --> 00:04:14,460 Create a temporary project.
48 00:04:17,980 --> 00:04:19,360 And go to the Proxy tab.
49 00:04:25,460 --> 00:04:28,130 Now set Firefox to use Burp as proxy.
50 00:04:30,660 --> 00:04:34,440 If you have the FoxyProxy add-on installed, you can just click on Burp.
51 00:04:39,310 --> 00:04:43,210 Now turn on the intercept in Burp and send a request from Firefox.
52 00:04:49,930 --> 00:04:51,820 And the request will be captured in Burp.
53 00:04:54,350 --> 00:04:56,000 Now, right click on the request.
54 00:04:57,340 --> 00:04:58,750 And send it to the Intruder.
55 00:05:05,260 --> 00:05:06,880 Now clear all targets.
56 00:05:09,840 --> 00:05:12,780 Choose the password field and add it as a target.
57 00:05:17,080 --> 00:05:18,520 Now in the Payloads tab.
58 00:05:21,900 --> 00:05:23,370 Select your word list.
59 00:05:26,560 --> 00:05:28,930 I'm using john.lst in this case.
60 00:05:32,960 --> 00:05:34,310 And now start the attack.
61 00:05:38,140 --> 00:05:40,210 Burp will start cracking the password.
62 00:05:41,980 --> 00:05:43,570 Keep an eye on the Length tab.
63 00:05:48,270 --> 00:05:51,690 You can sort the responses by length size by clicking on the Length tab.
64 00:05:56,040 --> 00:05:59,670 You can see that the password payload has a changed length size.
65 00:06:00,590 --> 00:06:02,810 Which means that it is our correct password.
66 00:06:04,690 --> 00:06:06,580 You can check it in the Response tab.
67 00:06:09,090 --> 00:06:11,430 And you can see that we have received the response
68 00:06:11,430 --> 00:06:13,560 "Welcome to the password protected area".
69 00:06:16,840 --> 00:06:18,970 You can also check it in our main tab.
70 00:06:22,510 --> 00:06:24,190 Now from the Inspect tab.
71 00:06:27,420 --> 00:06:31,860 You can go to the network settings, get the complete URL of the page.
72 00:06:35,690 --> 00:06:39,140 Go to the Storage tab, get your cookie values.
73 00:06:40,810 --> 00:06:44,350 And format the Hydra command, as we have discussed earlier.
74 00:06:47,540 --> 00:06:49,550 Now use the command as shown on the screen.
75 00:06:53,340 --> 00:06:56,520 Just press Enter and Hydra will crack the password.
76 00:07:05,320 --> 00:07:07,540 Now let's just solve the medium difficulty
77 00:07:08,230 --> 00:07:09,610 brute forcing challenge.
78 00:07:13,510 --> 00:07:18,700 The medium difficulty adds a delay between different attempts and can be solved in a similar fashion,
79 00:07:19,150 --> 00:07:21,040 but the attack will be much slower.
80 00:07:22,780 --> 00:07:28,420 Just capture a new request, send it to the Intruder and brute force it in a similar fashion.
81 00:07:28,570 --> 00:07:33,550 You will notice that only the cookie value has changed to medium and the attack is much slower.
82 00:07:34,800 --> 00:07:40,500 Similarly in Hydra, we just need to change the cookie value to medium and use the same command as in
83 00:07:40,510 --> 00:07:45,000 low difficulty, and we can still get the medium difficulty password.
84 00:07:47,520 --> 00:07:51,330 We will notice a much slower attack, but we will be able to break through it.
85 00:07:59,600 --> 00:08:03,230 Now on your Kali Linux, change the difficulty to medium.
86 00:08:09,230 --> 00:08:10,700 Go to the Brute Force tab.
87 00:08:16,510 --> 00:08:18,640 You can view the source code at the server.
88 00:08:20,650 --> 00:08:25,150 And you can see that only a sanitization of user input is being performed.
89 00:08:26,950 --> 00:08:30,820 And the other thing is that it is adding a delay of two seconds.
90 00:08:35,340 --> 00:08:39,419 Now in Burp, turn the intercept on and capture a new request.
91 00:08:45,700 --> 00:08:47,500 Send it to the Intruder.
92 00:08:51,620 --> 00:08:55,190 Clear all targets and use the password field as the target only.
93 00:08:59,620 --> 00:09:02,110 Set your payload as the john.lst file.
94 00:09:06,400 --> 00:09:07,600 And start the attack.
95 00:09:14,790 --> 00:09:16,890 Burp will start cracking the password.
96 00:09:18,020 --> 00:09:20,870 But you can see that our responses are much slower.
97 00:09:28,740 --> 00:09:33,300 And Burp has successfully cracked the password, which is "password" in this case.
98 00:09:38,620 --> 00:09:40,510 Now to crack the password with Hydra.
99 00:09:40,540 --> 00:09:42,610 Use the command as shown on the screen.
100 00:09:43,920 --> 00:09:46,170 We have just changed the cookie value to medium.
101 00:09:46,410 --> 00:09:50,930 We are using the -V flag to get more information from Hydra, and
102 00:09:50,940 --> 00:09:54,300 -I is being used to ignore any errors if there are any.
103 00:09:59,430 --> 00:10:04,620 And you can see that Hydra has successfully cracked the password, but it has taken much more time than
104 00:10:04,620 --> 00:10:05,640 the last challenge.
105 00:10:09,110 --> 00:10:10,880 Now let's solve the high difficulty
106 00:10:11,540 --> 00:10:12,830 brute forcing challenge.
107 00:10:18,270 --> 00:10:19,320 In high difficulty,
108 00:10:19,350 --> 00:10:25,440 a CSRF token is generated for each request, so it becomes very difficult to brute force through it.
109 00:10:25,710 --> 00:10:31,290 Hydra fails completely and gives false positives, so we cannot use it in isolation to break the password
110 00:10:31,290 --> 00:10:32,490 in high difficulty.
111 00:10:34,410 --> 00:10:37,230 Now generate a new request and send it to the Burp proxy.
112 00:10:37,980 --> 00:10:40,350 Following the same steps, send it to the Intruder.
113 00:10:40,560 --> 00:10:43,680 In Intruder we need to perform a few additional steps.
114 00:10:43,860 --> 00:10:47,070 Select both the password and token fields as targets.
115 00:10:47,100 --> 00:10:48,420 Now change attack
116 00:10:48,450 --> 00:10:49,440 type to Pitchfork
117 00:10:49,440 --> 00:10:50,100 attack.
118 00:10:51,040 --> 00:10:57,430 Now in the Payloads section, for target one select the same john.lst file; for the second payload select
119 00:10:57,430 --> 00:10:58,780 to use recursive grep.
120 00:11:01,390 --> 00:11:06,130 Now in the Options tab, add a new grep extract and select the token to extract it.
121 00:11:08,390 --> 00:11:11,030 Ensure that the redirections are set to always.
122 00:11:12,560 --> 00:11:16,880 Now in the resource pool, create a new pool with only one thread and start the attack.
123 00:11:20,350 --> 00:11:23,920 Burp will find the password, which will have a changed response length.
124 00:11:24,730 --> 00:11:26,560 Now let's see the attack in action.
125 00:11:28,050 --> 00:11:29,500 Back on your Kali Linux.
126 00:11:29,700 --> 00:11:31,980 Change the security to high.
127 00:11:34,670 --> 00:11:37,640 First of all, let's use Hydra to brute force it.
128 00:11:42,440 --> 00:11:45,590 And you can see that it is giving us false positives.
129 00:11:51,280 --> 00:11:56,890 If you look at the source code, you will see that it first of all checks for the anti-CSRF token.
130 00:12:02,480 --> 00:12:04,760 So in Burp, turn the intercept on.
131 00:12:08,610 --> 00:12:10,110 Generate a new request.
132 00:12:14,270 --> 00:12:15,420 Capture it in Burp.
133 00:12:20,240 --> 00:12:21,560 Forward it to the Intruder.
134 00:12:26,010 --> 00:12:27,840 Change the attack type to Pitchfork.
135 00:12:34,410 --> 00:12:37,050 Select the password field as your first target.
136 00:12:39,850 --> 00:12:41,830 And the token field as your second target.
137 00:12:47,690 --> 00:12:49,370 Now go to the Payloads section.
138 00:12:49,580 --> 00:12:53,210 Now choose john.lst as your first payload list.
139 00:12:56,270 --> 00:12:57,560 For the second payload set,
140 00:12:57,560 --> 00:12:59,180 change the type to recursive grep.
141 00:13:03,280 --> 00:13:04,900 Now go into the Options tab.
142 00:13:07,080 --> 00:13:08,880 In the grep extract section.
143 00:13:11,880 --> 00:13:13,740 Click to add a new grep extract.
144 00:13:16,220 --> 00:13:17,540 A new window will open.
145 00:13:19,770 --> 00:13:21,390 Click on Fetch response.
146 00:13:23,890 --> 00:13:25,330 Find the generated token.
147 00:13:26,460 --> 00:13:27,480 And highlight it.
148 00:13:30,690 --> 00:13:34,350 Now choose the option to start at offset and end at fixed length.
149 00:13:36,800 --> 00:13:37,820 And click OK.
150 00:13:40,770 --> 00:13:42,240 Now in the grep match section,
151 00:13:42,240 --> 00:13:43,590 clear the existing list.
152 00:13:47,840 --> 00:13:53,060 Add "incorrect", as we received a "password incorrect" response in case of a wrong password.
153 00:13:59,430 --> 00:14:02,280 So scroll down and set the redirections to always.
154 00:14:06,440 --> 00:14:08,720 Now go to the Resource pool tab.
155 00:14:11,170 --> 00:14:14,290 Now create a new resource pool and set the threads to one.
156 00:14:20,220 --> 00:14:21,750 And click on Start attack.
157 00:14:26,350 --> 00:14:29,290 And you will see that Burp will start cracking the password.
158 00:14:35,070 --> 00:14:37,440 And in a few seconds it will crack our password.
159 00:14:38,070 --> 00:14:40,770 The attack is much slower, but it will still work.
160 00:14:43,930 --> 00:14:46,480 And we can see that it has found our password.