Wednesday, April 4, 2018
Bruteforce (III): attacking a WEB server with HYDRA
- Layout for this exercise:
- Enumerating the victim, the attacker's Kali machine checks that port 80 is open on the victim machine:
- Connecting to the DVWA Vulnerability: Brute Force page:
- Configuring a proxy server at the attacker machine:
- Launching Burp:
- Now, clicking Login on the DVWA web page, even without entering any username or password:
- Burp intercepts the connection attempt:
- There are two important pieces of information:
i) method GET is used for the login script:
ii) a session ID cookie is generated by the web server:
- Now, launching a Hydra command (including the information intercepted by Burp), the result of the attack is successful:
- The wordlist used in the attack ships with Kali and contains 182 lines, including the correct password "password":
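Because this DVWA login script takes its credentials over GET, every guess Hydra sends is recorded in the web server's access log as part of the query string, which gives the defender a simple detection. The script below is an added example, not part of the original post: it parses constructed Apache combined-format log lines and flags any client that sends more login guesses than a threshold within a 60-second window. The sample lines, the install path `/dvwa/vulnerabilities/brute/` and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines (not from the post): one client cycling
# passwords against the DVWA brute-force page, plus one ordinary client.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Apr/2018:10:15:01 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=123456&Login=Login HTTP/1.1" 200 4532 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Apr/2018:10:15:01 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=qwerty&Login=Login HTTP/1.1" 200 4532 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Apr/2018:10:15:02 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 4601 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Apr/2018:10:15:03 +0000] "GET /dvwa/vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 4601 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Apr/2018:10:16:40 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOGIN_PATH = "/dvwa/vulnerabilities/brute/"   # assumed DVWA install path
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_login_attempts(log_text, login_path=LOGIN_PATH):
    """Return (ip, timestamp, username, password) for each GET login guess sent to login_path."""
    attempts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        qs = parse_qs(url.query)
        if url.path != login_path or "username" not in qs or "password" not in qs:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts.append((m["ip"], ts, qs["username"][0], qs["password"][0]))
    return attempts

def flag_bruteforce(log_text, window_s=60, threshold=3):
    """Map each client IP to its peak guess count in any window_s span; keep those at/above threshold."""
    per_ip = defaultdict(list)
    for ip, ts, _user, _password in parse_login_attempts(log_text):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):            # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Against the sample, `flag_bruteforce(SAMPLE_LOG)` returns `{'10.0.0.5': 3}`; the single guess from 10.0.0.9 and the request for index.php are not counted.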