
2017-4-28 Hack Like a Pro: How to Crack Online Web Form Passwords with THC-Hydra & Burp Suite

HACK LIKE A PRO

How to Crack Online Web Form Passwords with THC-Hydra & Burp Suite
BY OCCUPYTHEWEB 05/12/2016 7:29 PM PASSWORD CRACKING

Welcome back, my hacker novitiates!

In an earlier tutorial, I introduced you to two essential tools for cracking online passwords: Tamper Data and THC-Hydra. In that guide, I
promised to follow up with another tutorial on how to use THC-Hydra against web forms, so here we go. Although you can use Tamper Data for
this purpose, I want to introduce you to another tool that is built into Kali: Burp Suite.

Step 1: Open THC-Hydra

So, let's get started. Fire up Kali and open THC-Hydra from Applications -> Kali Linux -> Password Attacks -> Online Attacks -> hydra.

Step 2: Get the Web Form Parameters

To be able to hack web form usernames and passwords, we need to determine the parameters of the web form login page as well as how the form
responds to bad/failed logins. The key parameters we must identify are the:

IP address of the website
URL
type of form
field containing the username
field containing the password
failure message

We can identify each of these using a proxy such as Tamper Data or Burp Suite.

Step 3: Using Burp Suite


Although we can use any proxy to do the job, including Tamper Data, in this post we will use Burp Suite. You can open Burp Suite by going to
Applications -> Kali Linux -> Web Applications -> Web Application Proxies -> burpsuite. When you do, you should see the opening screen like
below.

Next, we will be attempting to crack the password on the Damn Vulnerable Web Application (DVWA). You can run it from the Metasploitable
operating system (available at Rapid7) and then connect to its login page, as I have here.

We need to enable the Proxy and Intercept on the Burp Suite like I have below. Make sure to click on the Proxy tab at the top and then Intercept on
the second row of tabs. Make certain that the "Intercept is on."


Last, we need to configure our IceWeasel web browser to use a proxy. We can go to Edit -> Preferences -> Advanced -> Network -> Settings to open
the Connection Settings, as seen below. There, configure IceWeasel to use 127.0.0.1 port 8080 as a proxy by typing in 127.0.0.1 in the HTTP Proxy
field, 8080 in the Port field and delete any information in the No Proxy for field at the bottom. Also, select the "Use this proxy server for all
protocols" button.

Step 4: Get the Bad Login Response


Now, let's try to log in with my username OTW and password OTW. When I do so, the BurpSuite intercepts the request and shows us the key fields
we need for a THC-Hydra web form crack.

After collecting this information, I then forward the request from Burp Suite by hitting the "Forward" button to the far left. The DVWA returns a
message that the "Login failed." Now, I have all the information I need to configure THC-Hydra to crack this web app!

Getting the failure message is key to getting THC-Hydra to work on web forms. In this case, it is a text-based message, but it won't always be. At
times it may be a cookie, but the critical part is finding out how the application communicates a failed login. In this way, we can tell THC-Hydra
to keep trying different passwords; only when that message does not appear, have we succeeded.

Step 5: Place the Parameters into Your THC Hydra Command


Now that we have the parameters, we can place them into the THC-Hydra command. The syntax looks like this:

kali > hydra -L <username list> -P <password list> <IP Address> <form parameters><failed login message>

So, based on the information we have gathered from Burp Suite, our command should look something like this:

kali > hydra -L <wordlist> -P <password list> 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"

A few things to note. First, you use the upper case "L" if you are using a username list and a lower case "l" if you are trying to crack one username
that you supply there. In this case, I will be using the lower case "l" as I will only be trying to crack the "admin" password.

After the address of the login form (/dvwa/login.php), the next field is the name of the field that takes the username. In our case, it is "username,"
but on some forms it might be something different, such as "login."

Now, let's put together a command that will crack this web form login.

Step 6: Choose a Wordlist

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. You can use a custom one made with Crunch or CeWL, but
Kali has numerous wordlists built right in. To see them all, simply type:

kali > locate wordlist

In addition, there are numerous online sites with wordlists that can be up to 100 GB! Choose wisely, my hacker novitiates. In this case, I will be
using a built-in wordlist with less than 1,000 words at:

/usr/share/dirb/wordlists/small.txt

Step 7: Build the Command

Now, let's build our command with all of these elements, as seen below.

kali > hydra -l admin -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -V

-l indicates a single username (use -L for a username list)
-P indicates use the following password list
http-post-form indicates the type of form
/dvwa/login.php is the login page URL
username is the form field where the username is entered
^USER^ tells Hydra to use the username or list in the field
password is the form field where the password is entered (it may be passwd, pass, etc.)
^PASS^ tells Hydra to use the password list supplied
Login indicates to Hydra the login failed message
Login failed is the login failure message that the form returned
-V is for verbose output showing every attempt

Step 8: Let Her Fly!

Now, let her fly! Since we used the -V switch, THC-Hydra will show us every attempt.

After a few minutes, Hydra returns with the password for our web application. Success!

Final Thoughts
Although THC-Hydra is an effective and excellent tool for online password cracking, when using it in web forms, it takes a bit of practice. The key
to successfully using it in web forms is determining how the form responds differently to a failed login versus a successful login. In the example
above, we identified the failed login message, but we could have identified the successful message and used that instead. To use the successful
message, we would replace the failed login message with "S=successful message" such as this:

kali > hydra -l admin -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^:S=success message" -V

Also, some web servers will notice many rapid failed attempts at logging in and lock you out. In this case, you will want to use the wait function
in THC-Hydra. This will add a wait between attempts so as not to trigger the lockout. You can use this functionality with the -w switch, so we
revise our command to wait 10 seconds between attempts by writing it:

kali > hydra -l admin -P /usr/share/dirb/wordlists/small.txt 192.168.1.101 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed" -w 10 -V
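
Seen from the server side, the 10-second pacing above is the reason lockout and alerting should count failures per account over a long window instead of relying on a requests-per-minute threshold. The following is an added example, not code from the original article: the log format, event names, thresholds and sample lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample data in a hypothetical auth-log format:
    '<ISO timestamp> <event> user=<name> src=<ip>'."""
    start = datetime(2016, 5, 12, 19, 0, 0)
    lines = []
    # 40 failures against one account, paced one every 10 seconds.
    for i in range(40):
        ts = start + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} login_failed user=admin src=192.168.1.50")
    # A legitimate user who mistypes twice and then logs in.
    for offset, event in ((35, "login_failed"), (48, "login_failed"), (65, "login_ok")):
        ts = start + timedelta(seconds=offset)
        lines.append(f"{ts.isoformat()} {event} user=alice src=192.168.1.20")
    return sorted(lines)  # same-format ISO timestamps sort chronologically


def parse_line(line):
    """Split one log line into (timestamp, event, user, source IP)."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), event, fields["user"], fields["src"]


def rate_alerts(lines, per_minute_limit=10):
    """Naive detector: flag a source only if it exceeds N failures
    inside a single clock minute. Paced attempts stay under it."""
    counts = defaultdict(int)
    for line in lines:
        ts, event, _user, src = parse_line(line)
        if event == "login_failed":
            counts[(src, ts.replace(second=0, microsecond=0))] += 1
    return {src for (src, _minute), n in counts.items() if n > per_minute_limit}


def window_alerts(lines, window=timedelta(minutes=15), limit=20):
    """Sliding-window detector: flag an account once it accumulates
    `limit` failures within `window`, however slowly they arrive.
    A successful login resets that account's counter."""
    recent = defaultdict(deque)
    first_alert = {}
    for line in lines:
        ts, event, user, _src = parse_line(line)
        if event == "login_ok":
            recent[user].clear()
            continue
        if event != "login_failed":
            continue
        q = recent[user]
        q.append(ts)
        # Drop failures that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= limit and user not in first_alert:
            first_alert[user] = ts  # point at which to lock or alert
    return first_alert


if __name__ == "__main__":
    log = build_sample_log()
    print("per-minute rate alerts:", rate_alerts(log))
    for user, when in window_alerts(log).items():
        print(f"lock/alert on account {user!r} at {when.isoformat()}")
```

On the constructed log the per-minute check reports nothing, while the per-account window flags "admin" at the 20th failure and leaves the user who mistyped twice alone.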

I recommend that you practice the use of THC-Hydra on forms where you know the username and password before using it out "in the wild."

Keep coming back, my hacker novitiates, as we continue to expand your repertoire of hacker techniques and arts!


100 Comments

FLOKI
2 YEARS AGO 3

Great tutorial! I was wondering if this makes a lot of noise on the server, and if it does, is the wait function the best way to prevent it? I always run into getting locked
out, or IP banned! Any cool tricks you could share?

Thanks again OTW, for another great tutorial!

REPLY

MANWUZI
1 YEAR AGO 2

I think I might be kinda late. but you can use a proxychain that changes your ip frequently....

REPLY

SWEETCORN
1 YEAR AGO 1

How do I find the IP address? I don't see it anywhere in the burpsuite pics?

REPLY

OBUNTU CRACKS
11 MONTHS AGO 1

type: ping <targetwebsite.com> -c1

REPLY

TEO VIRGHI
1 YEAR AGO 1

There are sites that don't let you use Burp Suite against them --> how can I bypass that, or if it is impossible can I use page source instead????

REPLY

CRACKER|HACKER
2 YEARS AGO 1

I was right! It is -w!

REPLY

BUCKEROO BONZAI
2 YEARS AGO 1

Good article, but wouldn't it be more practical to use Burp Intruder since we are already going to be using it to intercept requests and responses. Also I have
encountered instances of hydra throwing false positives against POST forms as well as Telnet, any thoughts on this?

REPLY

URATTACKER!
2 YEARS AGO 1

burp is also used for killing iphone through a snapchat vulnerability

REPLY

WIZARD OT
2 YEARS AGO 1

Do you mean brute-forcing the account? Or as you describe "killing" the iPhone?

REPLY

BUCKEROO BONZAI
2 YEARS AGO 1

yeah URATTACKER I'm curious what do you mean by "Killing" iphone?

REPLY

URATTACKER!
2 YEARS AGO - EDITED 2 YEARS AGO 1

As DILL_ said "There is a vulnerability in the snapchat app for iphone that allows a hacker to perform a denial-of-service attack that can even crash the iphone. You
can use burp to exploit the vulnerability."

REPLY

BUCKEROO BONZAI
2 YEARS AGO 1

OTW any thoughts on my statement from before?

REPLY

OCCUPYTHEWEB
2 YEARS AGO 1

Which statement?

REPLY

BUCKEROO BONZAI
2 YEARS AGO - EDITED 2 YEARS AGO 2

No I was asking about Hydra throwing false positives for web forms and telnet? Does it occur frequently because I have faced instances where hydra throws
like two or three valid user names and passwords for a web form or telnet and then when I put them in they are not valid.

REPLY

OCCUPYTHEWEB
2 YEARS AGO 2

Buckeroo:

Yes, it sometimes throws false positives. With web forms, it is totally dependent upon the "failed login" message that you use. If it doesn't see that, it will give you
a false positive. In addition, if you slow it down with the -W switch, you will get fewer false positives.

OTW

REPLY

BUCKEROO BONZAI
2 YEARS AGO 1

Thanks! as usual great help. Gonna go check out your python articles.

REPLY

BUCKEROO BONZAI
2 YEARS AGO 1

One more thing as far as the failed login message is that from the response headers or am I just looking for what is displayed on the page after a failed attempt
HTML, Pop up, etc.?

REPLY

_URBZ_
1 YEAR AGO 1

Wondering the same

REPLY

DILL _
2 YEARS AGO 1

There is a vulnerability in the snapchat app for iphone that allows a hacker to perform a denial-of-service attack that can even crash the iphone. You can use burp to
exploit the vulnerability.

Yes you can use burp intruder to perform brute force attacks on usernames and passwords. Much like everything else there is more than one way to do just about
anything. OTW simply showed you one of them.

REPLY

CHRIS WHT
2 YEARS AGO 1

Hey, sorry beginner here, how do I get the proxy of the site through metasploit like I got the main page but not the login one.

REPLY

OCCUPYTHEWEB
2 YEARS AGO 1

I think you are asking how to get the login of "Metasploitable"? It's at the IP/dvwa/login.php.

REPLY

VARUN GOW
2 YEARS AGO 1

Hey, as always thanks a lot OTW for all the information. I just have 2 questions which if you could answer would be greatly appreciated.

1. THC-Hydra is a brute force, and I suppose it won't work on Gmail, Hotmail or in fact any such sites? If not what tools are there that will?

2. Android, an open source mobile OS has already Kali and backtrack running right from the App store itself, only rooting is required. Can you do a tutorial on its uses
and limitations too?
Thank You

REPLY

BLACKCAT
2 YEARS AGO 1

last time I tried brute forcing gmail it blocked me like after 500 attempts, do you have a method to pass the block otw or know how?

you don't think you have written an article about it, maybe you should?

REPLY

OCCUPYTHEWEB
2 YEARS AGO 1

Anytime you are trying to hack a site with a lock out, dictionary or brute forcing is the wrong tool for the job.

REPLY

OBUNTU CRACKS
11 MONTHS AGO 1

you're really looking 4 trouble

REPLY

PINCHES ULEMSEH
2 MONTHS AGO 1

You should always give social engineering first priority b4 tryn brute force.. Ucan always use phising sites but the quiZ is how du u get the victim get lured by ur
trap... U need to spoof gmail maill. Lets say pretend ts an email from google telling them to modify password or sms spoof using the google numbers..

But if u can get physical access with the target pc , mayb u can do a dns spoof for a gmail or the target site.. N ur target will hardly know whats going on,,,, so my
advice is that brut force should always b last option... Remembered anybod can be phised ur just need to know their weakness and exploit them.. Coz there is no
patch fo human stupidity

REPLY

BLACKCAT
2 YEARS AGO 1

But my problem is that I know that my victim's password is on 8 symbols and two of them is numbers. (no big letters)
so I generated a custom wordlist just for that specific situation with crunch.

now I just need to know the combination. But every website the victim are using has https and will probably block me. How should I find out the combination then?

Isn't there a way to slow down the attack so the website not are blocking me? cuz I would have the time to wait a little longer then.

hacking small useless websites, that nobody have in mind to use anyway doesn't help me to crack the big sites.

I hope you have a solution

REPLY

OCCUPYTHEWEB
2 YEARS AGO - EDITED 2 YEARS AGO 1

As the article says, you can use the -w switch to slow the attack. Hope that helps.

REPLY

TURKEY BRAWL
2 YEARS AGO 1

what would the ip address be when attacking DVWA on localhost. I greatly all the help you give on your channel

REPLY

OCCUPYTHEWEB
2 YEARS AGO 1

If DVWA is running on your Kali system, use 127.0.0.1.


REPLY

TURKEY BRAWL
2 YEARS AGO 1

Thank you I got it to work

REPLY

STAFF_OF_AARON77
1 YEAR AGO - EDITED 1 YEAR AGO 1

Thanks great Tutorial



REPLY

TURKEY BRAWL
2 YEARS AGO 1

i'm mostly having trouble when i set up the proxy for iceweasel and attempt to connect to DVWA from the localhost/DVWA it doesn't connect and therefore I can't
get the required responses for Burp Suite

REPLY

CHRIS WHT
1 YEAR AGO 1

Hey! I'm trying with a different website which has an http-post-form like this " /Login.aspx?ReturnUrl=%2f" but when I type in the command it says "Wrong syntax,
requires three arguments separated by a colon which may not be null: /Login.aspx?ReturnUrl=%2f" Idk what to do. Hope you can help.

REPLY

ROBERT ANTONOV
1 YEAR AGO 1

Hi CHRIS!
I have the same problem like you, maybe someone want to help us...

REPLY

CRACKER|HACKER
1 YEAR AGO 1

You need to add the variables into the form.

REPLY

HARSHA LULZSEC
1 YEAR AGO 1

tried several times but never successful. Anyone know how install Burp suite on windows 7? (everyone say install java 1st. WTF Done it years ago.)

REPLY

CRACKER|HACKER
1 YEAR AGO 1

Download it, extract it, run it. If it doesn't work on Java 8, try Java 7.

REPLY

HARSHA LULZSEC
1 YEAR AGO - EDITED 1 YEAR AGO 1

Java 7. After click on it nothing happen except opening cmd and closing once.

REPLY

BURNCT
1 YEAR AGO 1

Followed this tutorial to the T, but I'm still having issues. I keep getting "1 of 1 target successfully completed, 5 valid passwords found" (see below) when only ONE of
those passwords is actually the valid one. I'm trying this against a local Joomla 2.5 site on my home server.

[80][www-form] host: 192.168.10.10 login: admin password: admin
[80][www-form] host: 192.168.10.10 login: admin password: password2
[80][www-form] host: 192.168.10.10 login: admin password: 12345
[80][www-form] host: 192.168.10.10 login: admin password: password1
[80][www-form] host: 192.168.10.10 login: admin password: password

I'm using the following command per the information found in Burp:

hydra -l admin -P pass.txt 192.168.10.10 http-post-form "/testsite/administrator/index.php:username=^USER^&passwd=^PASS^&lang=&option=com_login&task=login&return=aW5kZXgucGhw&9567f9b6921e51f0d45edb26177b2612:Username and password do not match or you do not have an account yet." -W 10 -V

Any ideas?

REPLY

OCCUPYTHEWEB
1 YEAR AGO 1

The key is getting the "failed" message correct in the command

REPLY

BURNCT
1 YEAR AGO 1

"Username and password do not match or you do not have an account yet." is the failed message that pops up, though.

REPLY

OCCUPYTHEWEB
1 YEAR AGO 1

From my tutorial;

"Getting the failure message is key to getting THC-Hydra to work on web forms. In this case, it is a text-based message, but it won't always be. At times it may be a
cookie, but the critical part is finding out how the application communicates a failed login. In this way, we can tell THC-Hydra to keep trying different passwords;
only when that message does not appear, have we succeeded."

REPLY

BURNCT
1 YEAR AGO 1

So you're saying even if a text-based message pops up, it may not be the way a failed attempt is communicated? How would we indicate on the CLI if it's cookie
based then?

REPLY

OCCUPYTHEWEB
1 YEAR AGO 1

Burnct:

You are getting ahead of yourself. First, find out how the application communicates a failed attempt.

REPLY

BURNCT
1 YEAR AGO 1

Here's more information from the Burp's two interceptions during login. I'm not entirely sure how to find out in which way it "communicates" the failed attempt.
This seems pretty straight forward that it posts a message in plain text:

POST /testsite/administrator/index.php HTTP/1.1
Host: 192.168.10.101
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.10.101/testsite/administrator/
Cookie: PHPSESSID=59ivhamr6svumtpp18442evuk3; af5dc374e4af2e4345969e6b50136729=ucp00rfi9vpr11r436dr3idn36
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 114

GET /testsite/administrator/index.php HTTP/1.1
Host: 192.168.10.101
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.10.101/testsite/administrator/
Cookie: PHPSESSID=59ivhamr6svumtpp18442evuk3; af5dc374e4af2e4345969e6b50136729=ucp00rfi9vpr11r436dr3idn36

REPLY

BURNCT
1 YEAR AGO 1

LOL, I give up!

REPLY

PP
1 YEAR AGO 1

Have you figured this out? Did you try "Use a valid username and password to gain access to the administrator backend"?

REPLY

PP
1 YEAR AGO 1
I'm sort of struggling with this too. Did you try using "Use a valid username and password to gain access to the administrator backend"?

REPLY

_URBZ_
1 YEAR AGO 1

Where else other than the POST response or text would we find this? I struggled here also

REPLY

BURNCT
1 YEAR AGO 1

I read somewhere about using the cookie data to flag a failed response but not sure how to implement that.

REPLY

PP
1 YEAR AGO - EDITED 1 YEAR AGO 1

You can get it using tamper data. It's an addon. Go to addons and search for tamper data and install it. Then navigate to the login page and fill out the user name
and password. Before clicking submit, open the tamper data tool and click 'start tamper'. Hit submit button on the website. A pop up will ask you whether you'd
like to tamper, discard, or submit. Hit submit. Then look through the entries in tamper data and click on it. It will give you the request along with the post data.
This works best if no other website is open; just the one you're trying to log into. Otherwise you're going to get a lot of pop ups asking you whether you'd like to
tamper, in which case you could just discard, but it's harder to find request you're looking for. Hope this helps. I saw OTW did an article about how to crack
passwords using tamper data and hydra. It's the same concept as when using burp essentially. I'm sure it provides a better instruction

REPLY

_URBZ_
1 YEAR AGO 1

I've been using the tamper data addon for years. It was the first thing I tried. I'm able to get this to work on most routers. However, the problem on my router is
that I cannot figure out the format of adding the username and passwd to the url bar. That's all tamper data / burp suite shows. I've tried adding it after the
/check.php and nada.

REPLY

SINGULARITY
1 YEAR AGO - EDITED 1 YEAR AGO 1

Hello World! hehe, I'm so funny. Jokes aside, I do have a question. I have been following your tutorial and have installed DVWA locally on kali linux (Dual booted) and
when I setup the proxy on Iceweasel, I cannot load any pages, not allowing Burp Suite to access any of the needed information. It loads for a bit, then quits. I took a
picture of my proxy settings but it was too big so I put a link to it below. Also, sorry if this is the most obvious thing, I'm tired and have been at this for a while. Sorry
for LQ, couldn't take a screenshot for a reason and used my phone.

REPLY

IHAVEFORGOTTEN MYNAME
1 YEAR AGO - EDITED 1 YEAR AGO 1

Solved

REPLY

CHRISTOPHE TANG
1 YEAR AGO 1

Hey OTW, really well explained tutorial, I have a question though : should I use proxy with hydra if I want to crack password for ONE account let's say my friend's
Facebook account? Will I get an ip ban or something like that ? And BTW , I really want to know if you could make a tutorial on how in Mr.robot episode 1, Elliot
hacked his psy's password by simply adding custom word to a dictionary and instant cracking. I know you can do it with crunch but it is only creating wordlist.

Thanks.

REPLY

CHRISTOPHE TANG
1 YEAR AGO 1

Hey OTW! Your tutorials are very well explained and I'm learning a lot. Could you please tell me if I should use a proxy list in order to crack an online account with
crunch and hydra? And can you teach us how did Elliot cracked his target's password in episode 1 of Mr. Robot? The way he adds password to a password list and
instantly run the brute force. I'm waiting for your answers, thank you.

REPLY

OCCUPYTHEWEB
1 YEAR AGO 1

He used cupp.

REPLY

CHRISTOPHE TANG
1 YEAR AGO - EDITED 1 YEAR AGO 1

sorry for double post and thanks for the reply, now that I managed to use CUPP this magical password creator, any clue on which type of password he cracked?
Most online passwords has a tries/ip or tries/account limitation, he tried a 90k password list :o

REPLY

CHRISTOPHE TANG
1 YEAR AGO 1

or do you have any tip on how to auto change ip address in kali linux?

REPLY

SHENIQUAX
1 YEAR AGO 1

So I was tryin to brute force a yahoo email , so I tested it first with my real email and made a .txt word list with 5 passwords and one of them was the right one and
the other 4 weren't.

I got and I type-

Hydra -l (my email) -P (my wordlist) -s 465 -S -v -V -t 1 smtp.mail.yahoo.com smtp

hydra checks all of the 5 words and says that all were invalid and no password was recovered even though the 3rd was my password, what may be happening?

REPLY

OCCUPYTHEWEB
1 YEAR AGO 1

You are missing probably the most important part of the Hydra command, the last section. That section defines how the server communicates that the password
was wrong. You didn't include it.

REPLY

SHENIQUAX
1 YEAR AGO 1

so what should I add to the end of the script? can you give me an example?
Hydra -l (my email) -P (my wordlist) -s 465 -S -v -V -t 1 smtp.mail.yahoo.com smtp - than whats the next part?

thanks for responding so quick :D

REPLY


OCCUPYTHEWEB
1 YEAR AGO 1

Please go back and re-read this article. There are several errors in your command.

REPLY

SHENIQUAX
1 YEAR AGO 1

Ok thanks :D

REPLY

ZODO
1 YEAR AGO 1

I know that this is really late, but I still hope you respond. I followed your tutorial and did everything, but I still have one problem. I looked at the real time code for
the website and attempted a fake login and it told me that the error message was "error: "Incorrect Password" ". When I put that into hydra it just came up with the
screen you get when you open hydra. The command I'm using is

hydra -l (the email) -P Desktop/wordlist.txt 54.215.131.188 http-post-form "/api/auth/login:data%5Busername%5D=^USER^&data%5Bpassword%5D=^USER^:error: "Incorrect username."" -V

Any help would be very much appreciated!

REPLY

KINGLEO KINGLEO
1 YEAR AGO - EDITED 1 YEAR AGO 1

Great tutorial. I managed to get something similar to work on a test VPS I use to attack.

The issue however is that the auth.log file shows my IP when simply using hydra.

Therefore I tried using:

"hydra -s 22 -v -V -l root -P /usr/share/wordlists/testlist.txt -t 4 -w 60 SERVERIP ssh HYDRA_PROXY=socks5://121.40.102.199:1080"

and also tried using

"proxychains hydra -s 22 -v -V -l root -P /usr/share/wordlists/testlist.txt -t 4 -w 60 SERVERIP ssh"

However in both cases it said in the auth.log file:

"reverse mapping checking getaddrinfo for MYHOMEIP failed - POSSIBLE BREAK-IN ATTEMPT!"

Can you explain why it has my home IP somehow via "reverse mapping"? My proxychains list has about 15 proxies in it using dynamic_chain. I'm very confused.

REPLY

STAFF_OF_AARON77
1 YEAR AGO 1

A great tutorial from OTW but this one has a more detailed explanation for those still having trouble:


REPLY

DOG
1 YEAR AGO - EDITED 1 YEAR AGO 1

While setting up Burpsuite and Iceweasel I did everything you stated and after that every page will result into unlimited loading........ and Burpsuite seems to only get
the GET request or parts of it. Of course when I put the proxy off in Iceweasel everything works perfectly fine.

EDIT:
Fixed it by going to options and enabling all the 'Intercept Client Request'.

REPLY

DOG
1 YEAR AGO 1

I tried the following commands which none of them worked....... :(:

hydra -l admin -p '/root/Desktop/Passwords/rockyou.txt' IP http-post-form "/login.cgi:username=^USER^&password=^PASS^:The username or password is not correct." -V
hydra -l admin -p '/root/Desktop/Passwords/rockyou.txt' IP http-post-form "/login.cgi:username=^USER^&password=^PASS^=1234&submitValue=1:The username or password is not correct." -V

REPLY

TRIPHAT
1 YEAR AGO 1

Try adding in your request proper User-Agent and Referer headers
Add all additional fields in the request, like hiddenPassword and submitValue (kinda your second string, but you left out the param name in hiddenPassword)
Try shortening the trigger, use less words, possibly just one instead of full sentence (like use only correct if applicable..)

REPLY

DOG
1 YEAR AGO 1

Triphat, can you give me an example of what you mean? So far I have this:

hydra -l admin -p '/root/Desktop/Passwords/rockyou.txt' IP http-post-form


"/login.cgi:UserName=^USER^&password=^PASS^=1234&hiddenPassword=1234&submitValue=1:The username or password is not correct." -V

I am not sure what words are useless in the string?


It's just the IP/login.cgi as header.

REPLY

ABYSSOFDESPAIR
1 YEAR AGO - EDITED 1 YEAR AGO 1

Hey, great tutorial. I follow those steps, but something is still wrong (I get 16 valid password, from which mine is none) and I don't really know what it is.

My command is:

hydra -l (my username) -P /usr/share/wordlists/rockyou.txt.gz 69.162.92.205 http-post-form "/login.php:action=login&login=^USER^&autologin=1&password=^PASS^:Authentication failed." -V

Also my console shows me those "signs" instead of letters. I never encountered that before.

Thanks for incoming help :)

REPLY

NICHOLAS DISALVIO
1 YEAR AGO 1

The DHS uses Login.aspx......

REPLY

PUNIT CHAUDHARI
1 YEAR AGO - EDITED 1 YEAR AGO 1

Please help me
I'm getting this:

DATA attacking service http-post-form on port 80
ATTEMPT target mysite - login "test" - pass "0" - 1 of 957 child 0
ATTEMPT target mysite - login "test" - pass "00" - 2 of 957 child 1
ATTEMPT target mysite - login "test" - pass "01" - 3 of 957 child 2
ATTEMPT target mysite - login "test" - pass "02" - 4 of 957 child 3
ATTEMPT target mysite - login "test" - pass "03" - 5 of 957 child 4
ATTEMPT target mysite - login "test" - pass "1" - 6 of 957 child 5
ATTEMPT target mysite - login "test" - pass "10" - 7 of 957 child 6
ATTEMPT target mysite - login "test" - pass "100" - 8 of 957 child 7
ATTEMPT target mysite - login "test" - pass "1000" - 9 of 957 child 8
ATTEMPT target mysite - login "test" - pass "123" - 10 of 957 child 9
ATTEMPT target mysite - login "test" - pass "2" - 11 of 957 child 10
ATTEMPT target mysite - login "test" - pass "20" - 12 of 957 child 11
ATTEMPT target mysite - login "test" - pass "200" - 13 of 957 child 12
ATTEMPT target mysite - login "test" - pass "2000" - 14 of 957 child 13
ATTEMPT target mysite - login "test" - pass "2001" - 15 of 957 child 14
ATTEMPT target mysite - login "test" - pass "2002" - 16 of 957 child 15
80www-form host: 185.27.134.143 login: test password: 03
80www-form host: 185.27.134.143 login: test password: 00
80www-form host: 185.27.134.143 login: test password: 2001
80www-form host: 185.27.134.143 login: test password: 0
80www-form host: 185.27.134.143 login: test password: 01
80www-form host: 185.27.134.143 login: test password: 2000
80www-form host: 185.27.134.143 login: test password: 02
80www-form host: 185.27.134.143 login: test password: 20
80www-form host: 185.27.134.143 login: test password: 123
80www-form host: 185.27.134.143 login: test password: 1000
80www-form host: 185.27.134.143 login: test password: 100
80www-form host: 185.27.134.143 login: test password: 1
80www-form host: 185.27.134.143 login: test password: 2
80www-form host: 185.27.134.143 login: test password: 10
80www-form host: 185.27.134.143 login: test password: 2002
80www-form host: 185.27.134.143 login: test password: 200
1 of 1 target successfully completed, 16 valid passwords found
My command was:

hydra -l test -P /usr/share/dirb/wordlists/small.txt mysite http-post-form "/index.php:userlogin=^USER^&passlogin=^PASS^&log=Login:Please enter valid Username and Password." -V

Please reply soon

REPLY

JACK MANS
7 MONTHS AGO 1

I get the same exact thing anyone know why and how to fix it?

REPLY
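Seen from the server being tested, the run quoted above (16 parallel tasks cycling passwords for one login against /index.php) is a burst of login POSTs from a single source. The following is an added example, not part of the thread: a sliding-window check over a web access log, where the log lines, the IP addresses, the limit of 10 and the 60-second window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined access-log prefix: ip, timestamp, method, path, status.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def find_guessing_bursts(lines, login_path="/index.php", limit=10,
                         window=timedelta(seconds=60)):
    """Return {ip: peak count} for sources sending more than `limit`
    POSTs to `login_path` inside any `window`. Every POST is counted,
    since many login forms answer a failed login with 200 and a message."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] != login_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) > limit:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks


def sample_log():
    """Constructed sample: 16 login POSTs in two seconds from one source,
    two POSTs two minutes apart from another, and one page view."""
    fmt = ('{ip} - - [12/May/2016:19:{mm:02d}:{ss:02d} +0000] '
           '"{method} /index.php HTTP/1.1" 200 5120')
    lines = [fmt.format(ip="203.0.113.7", mm=30, ss=i // 8, method="POST")
             for i in range(16)]
    lines += [fmt.format(ip="198.51.100.4", mm=mm, ss=0, method="POST")
              for mm in (29, 31)]
    lines.append(fmt.format(ip="198.51.100.4", mm=31, ss=5, method="GET"))
    return lines


if __name__ == "__main__":
    for ip, peak in find_guessing_bursts(sample_log()).items():
        print(f"{ip}: {peak} login POSTs within 60 s")
```

Access logs normally do not record the POST body, so the check keys on source address and login path rather than on the username being tried.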

L BA HU`NG
1 YEAR AGO - EDITED 1 YEAR AGO 1

Thanks for an awesome post.

I'm started hacking my web login of Wi-Fi router but there is a catch every time I entered a wrong password it refresh the page and doesn't show any wrong message.
What should I do?. Please help. The web file if you need: https://57cb3da913017b33230a33ee90f78e7b977fd794-www.googledrive.com/host/0BzJkbqA_bKIEfllJR0RseVhTMF9VTktSUExPa3ZmSHRJN1NmRDRUc0wzVVFyMHc3UFF6NGc/GPON%20Home%20Gateway.rar

REPLY

OCCUPYTHEWEB
1 YEAR AGO 1

THC-Hydra is the wrong tool. Try using aircrack-ng for hacking the passwords on your WiFi router.

REPLY

L BA HU`NG
1 YEAR AGO 1

no i'm hacking the web login of my router not the wifi password. Thanks for the reply!

REPLY

HENRIQUE ANDRADE
1 YEAR AGO 1

OTW, I tried to crack my own password and everything was going ok, but THC-Hydra didn't stop when the correct password was attempted.

What might be the problem?

REPLY

VOLK
1 YEAR AGO 1

Hey, after a long time trying I succeed in my tests! But...

80http-post-form host: **** login: ****


STATUS attack finished for **** (valid pair found)
1 of 1 target successfully completed, 1 valid password found

The password was found, but Hydra does not show it!


Any ideas?

P.S.: Sorry for my bad english.

REPLY

VOLK
1 YEAR AGO 1


Nobody? =(

REPLY

OCCUPYTHEWEB
1 YEAR AGO 1

Notice where the username and password appears in this tutorial. What does it say there when you run THC-Hydra?

REPLY

VOLK
1 YEAR AGO 1

My output is like yours, except this last screen:

In my case the "password : password" is not there.


Thanks for your time.

REPLY

OCCUPYTHEWEB
1 YEAR AGO 1

It says right there that it found the password "password" for the admin user.

REPLY

VOLK
1 YEAR AGO - EDITED 1 YEAR AGO 1

Yes, but this is your screen, I just copied from your output trying to show what is missing. I'll try again and post my screenshot this time, just give me 2 min =)

REPLY

VOLK
1 YEAR AGO 1

Image via postimg.org

REPLY

OCCUPYTHEWEB
1 YEAR AGO 1

How can I help you when you have obscured all the key information?

REPLY

COMMINGSOON
10 MONTHS AGO 1

I see green color.

REPLY

VOLK
1 YEAR AGO 1

Did I? Sorry. I did because the target is a website and the login is my own account.
I thought the target have nothing to do with it...
Just tell all information you need and I will be pleased to give to you =)

REPLY

SIMPLE SADMAN
11 MONTHS AGO 1

Thank you man, this is awesome! :)

I just have two questions: What about if I know that the username's password is written in another language, with maybe 2 numbers. Should I use kali linux
wordlists? Or should I create my own wordlists with crunch?


And how do I find the wordlists and passwordlists using the terminal?
I hope you can help me out :(

REPLY

COMMINGSOON
10 MONTHS AGO - EDITED 10 MONTHS AGO 1

If you know username and password then find wordlist with terminal use this command "locate wordlist" or "locate rockyou" (Kali Linux) then open with text editor
and find if there or not .. you can add in list if not found.

REPLY

COMMINGSOON
10 MONTHS AGO 1

I have problem like @BURNCT when scan my website with Hydra I get 208 valid passwords (lol)

Content-Type: application/x-www-form-urlencoded
Use: http-post-form

inputUsername, inputPassword, inputLogin - form (method="post")

Try everything (http-get-form, http-post-form, use Cookie,...) but not works.

How can I use Hydra... "and hack like pro"?


REPLY

SCALLE SCALLE
9 MONTHS AGO - EDITED 9 MONTHS AGO 1

Hi

Thanks for the useful guide. However i dont manage to succeed. Some help would be appreciated. Below a print of Burp results and the command line in Hydra.
Hydra tells me after 'enter' the syntax rules but does not start the job.

Also : i use Hydra with Cygwin on Windows 7. Does it matter from WHERE i start the hydra command, i mean should i do it while being in the hydra dir, or should it
be the cygwin dir or just the root dir C ?

POST /login.php?action=in HTTP/1.1
Host: xxxxxx.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://xxxxxx.com/login.php
Cookie: visidincap526178=dBiizl5bQzKldS2WdMrM/ArT6VYAAAAAQUIPAAAAAAB6g3H+O0+VIC6UaHfrwDzi; visidincap821436=nmDb/MkQTXm2VsdHkiWxuzYCN1cAAAAAQUIPAAAAAADrVUYTxunztOfbWaA78Xgm; _ga=GA1.2.242869812.1465591208
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 82

formsent=1&redirecturl=index.php&requsername=blop&reqpassword=blop&login=Login

Wrong username and/or password. This is the fail message of the site.

hydra -l yyyyy -P cygwin64/john.txt 123.456.789.000 https-post-form "/login.php:requsername=^USER^&reqpassword=^PASS^&login=Login:Wrong username and/or password." -V

REPLY

ABE BEN
8 MONTHS AGO 1

Great tutorial. However, I do not think this technique will work with a particular router I have. The router's login page uses a Java applet. Any idea how I can
approach cracking the password. Using hydra SSH gives me an error of password authentication not supported.

The IT department gave me a Motorola router (bought in 2010) to factory reset. The guy who set it up quit and did not document the password. There is no reset
button, and when connected to the serial port, pressing the ESC key while booting for factory firmware when loading does not work until it is too late. From what I
understand, the IT guy who set this up was a real IT genius. Motorola will not help me with it without paying for support.

REPLY

FARID GHOREYSHI
6 MONTHS AGO - EDITED 6 MONTHS AGO 1


Hello
(At first I have to say that my English is not native then if I have any problem , Excuse me)

My Router is Linksys and it has different web page login panel and there is no part that related to Username and Password

Also my Router doesn't have any Username field

Please see these pictures to see burp suite log:


http://share.pho.to/AQnpb
Now how should I write hydra command(Web form)?

REPLY

PERFECT STORM
2 MONTHS AGO - EDITED 2 MONTHS AGO 1

All that happens is firefox says connection is not secure and there is no way around this while the proxy is changed as seen in this tutorial. Can't connect so I can't use
firefox thus I can't use burpsuite or crack logins.

REPLY

TR0Y AN0
LAST MONTH - EDITED LAST MONTH 1

Hi there!

Thanks for this tutorial!

I found myself stuck, please see the print screen:

And from there, it does not go on...

I would really appreciate if I could get some guidance.

REPLY

CHRISTY RAJIRAJ
3 WEEKS AGO 1


hi brthr , I need a help i need to view this cctv 123.231.114.138 , plzz help me to view?if u can give me username & password thats fine, if not can you plz tell me how
to view via kali linux 2016.2? plkzzz help me ....

REPLY

KYRIAKOS DEMETRIOU
YESTERDAY - EDITED YESTERDAY 1

Hey OTW and nice post as always :)

Since I began researching about brute-forcing and wordlist attacks I have been very wondering if "partial brute-force/wordlist attacks exist". A successful brute-force
attack against strong passwords may take hours, days and even weeks and it is undeniable that letting your computer operating for such long is not the best for the
machine's health. And also if we take into consideration that most users do not change their passwords that often I think that dividing your brute-force attempts could
be a pretty good idea if you are not confident enough to let your machine operating 24/7. Isn't there a way to "pause" the brute-force attack either by saving the line of
the wordlist that you have stopped or maybe saving the last combination of characters and its length so you don't need to begin brute forcing again from the start?

P.S. Sorry for my bad english :P

REPLY
