1
00:00:00,360 --> 00:00:01,050
Welcome back.

2
00:00:01,200 --> 00:00:08,670
Let's continue with our brute forcing of a page. So we successfully brute forced the welcome login screen,

3
00:00:08,940 --> 00:00:14,590
but now we also got this brute force page right here that also requires a username and password.

4
00:00:15,210 --> 00:00:17,210
Now, this is pretty much the same thing.

5
00:00:17,400 --> 00:00:21,780
Just this is a different page, so the syntax of the Hydra command will be different.

6
00:00:21,930 --> 00:00:26,700
Of course, if I were to type admin and password right here, it would still work.

7
00:00:26,700 --> 00:00:27,360
It would tell me:

8
00:00:27,360 --> 00:00:30,020
Welcome to the password protected area admin.

9
00:00:30,900 --> 00:00:36,350
But if I were to type something like test and then test, it would not work this time.

10
00:00:36,900 --> 00:00:40,520
So we must craft a specific command just for this page.

11
00:00:41,040 --> 00:00:46,260
If we were to use the command that we used in the previous video, which is this one, it would not

12
00:00:46,260 --> 00:00:48,680
work because it is not the same page.

13
00:00:48,690 --> 00:00:54,790
It is not the same type of HTTP form post, and it is also not the same type of field.

14
00:00:55,680 --> 00:01:00,090
So let's clear the screen right here and let's start crafting our command.

15
00:01:00,190 --> 00:01:05,080
We're going to start the same, which is hydra and then the IP address of our target machine.

16
00:01:05,760 --> 00:01:11,880
Remember that in the previous video we used HTTP form post because our usernames and passwords were

17
00:01:11,880 --> 00:01:13,380
sent with a POST request.

18
00:01:13,950 --> 00:01:20,100
This time, if you take a look at the link right here, we can see that the usernames and passwords

19
00:01:20,100 --> 00:01:22,760
are being sent inside of the link.

20
00:01:23,100 --> 00:01:26,670
And this is a good indication that this is a GET request.

21
00:01:27,060 --> 00:01:32,880
Of course, you can also check that by visiting the page source, finding the form where you submit

22
00:01:32,880 --> 00:01:35,580
usernames and passwords, and here it is.

23
00:01:35,910 --> 00:01:39,210
And under the form we can see that the method is GET.

24
00:01:39,540 --> 00:01:47,240
So this time we cannot use http form post, we must use http get form.

25
00:01:47,820 --> 00:01:49,080
So this is the syntax.

26
00:01:49,080 --> 00:01:54,990
Once we're sending the GET request, the next step is, remember, we opened it up with quotes and in

27
00:01:54,990 --> 00:01:59,790
between the double quotes, the first argument is specifying the path to the page.

28
00:02:00,120 --> 00:02:01,510
So we must go right here.

29
00:02:01,530 --> 00:02:08,010
Let's close this and let's just refresh this page just so we can get the path to it.

30
00:02:08,430 --> 00:02:14,160
So I'm just going to go right here and right here and we get the path to the page, which is going to

31
00:02:14,160 --> 00:02:19,470
be DVWA, slash vulnerabilities, slash brute and slash at the end.

32
00:02:19,620 --> 00:02:24,500
Copy this and specify it as the first argument right here.

33
00:02:24,510 --> 00:02:29,130
And remember, once we do that, we separate the second argument by typing two dots.

34
00:02:29,400 --> 00:02:34,340
And now comes the part where we specify the username, password and button field.

35
00:02:34,590 --> 00:02:41,820
So let's go to the page, view page source once again, and let's find the name of the username field first.

36
00:02:42,480 --> 00:02:43,410
Here is the form.

37
00:02:43,770 --> 00:02:48,570
The first part is the username field and its name is just username.

38
00:02:49,450 --> 00:02:57,430
So let's go to our command and type username equals ^USER^. We separate the username

39
00:02:57,430 --> 00:02:58,790
from the password with the and sign.

40
00:02:59,170 --> 00:03:01,210
Let's go and check out what the password name is.

41
00:03:01,230 --> 00:03:09,610
It is just password, and let's do the same as in the previous video: password equals ^PASS^. And the last part

42
00:03:09,610 --> 00:03:13,930
is the button, which we can even get from the link itself.

43
00:03:13,930 --> 00:03:22,270
So if I type hello as username and world as password, we can see right here in the link that the button

44
00:03:22,270 --> 00:03:24,100
is login equals login.

45
00:03:24,550 --> 00:03:26,290
So we can just copy this.

46
00:03:27,470 --> 00:03:30,920
Go to our command and paste it right here.

47
00:03:32,040 --> 00:03:38,960
And the last argument inside of the double quotes is, if you remember, we must specify what is the string

48
00:03:38,970 --> 00:03:40,020
that we get once

49
00:03:40,020 --> 00:03:44,400
we specified the incorrect username and password, and we can see it right here.

50
00:03:44,400 --> 00:03:47,300
It says username and/or password incorrect.

51
00:03:47,820 --> 00:03:49,500
So let's just copy this.

52
00:03:51,220 --> 00:03:54,010
And let's paste it right here.

53
00:03:56,000 --> 00:04:03,680
Great, now, if we go outside and specify dash L and then usernames.txt and dash P passwords.txt,

54
00:04:04,040 --> 00:04:05,150
if I press enter.

55
00:04:07,320 --> 00:04:09,930
You will notice that it will not work.

56
00:04:10,110 --> 00:04:13,980
It will tell me that every username and every password is correct.

57
00:04:15,090 --> 00:04:21,030
Sometimes when this happens, you haven't specified enough arguments; either you have a syntax error

58
00:04:21,030 --> 00:04:26,880
inside your command, or you didn't specify something well, or you're missing additional arguments such

59
00:04:26,880 --> 00:04:28,250
as the cookie value.

60
00:04:28,740 --> 00:04:33,480
So sometimes we must specify the cookie value also in order for this to work.

61
00:04:34,080 --> 00:04:35,090
Let me show you what I mean.

62
00:04:35,820 --> 00:04:38,610
To specify the cookie value, we must go right here.

63
00:04:38,640 --> 00:04:45,090
And before closing the double quotes, we're going to add another argument, so separate with two dots and

64
00:04:45,090 --> 00:04:51,950
we can type H dash cookie, two dots and the cookie value right next to it.

65
00:04:52,650 --> 00:04:54,030
How do we get the cookie value?

66
00:04:54,240 --> 00:04:56,870
Well, we get it with the help of it.

67
00:04:57,420 --> 00:05:04,110
So let's find the HTTP request where we send hello and world as username and password.

68
00:05:04,110 --> 00:05:07,200
And let's see what cookie we have right there.

69
00:05:08,100 --> 00:05:09,500
So let's go right here.

70
00:05:09,520 --> 00:05:11,010
Let's try to find it.

71
00:05:12,030 --> 00:05:20,940
It is right here, DVWA vulnerabilities. Let's just find the correct request, and here it is. Here we

72
00:05:20,940 --> 00:05:25,500
can see inside of the link that we are sending hello as username and world as password.

73
00:05:25,890 --> 00:05:29,000
And the cookie that we have is this right here.

74
00:05:29,490 --> 00:05:37,140
So we want to copy all of it, including the security equals low and including the session ID equals

75
00:05:37,320 --> 00:05:41,200
and then our cookie value. Copy that, go to the command.

76
00:05:41,220 --> 00:05:44,430
And right here you can paste the cookie value.

77
00:05:44,790 --> 00:05:50,730
So after the two dots, H dash cookie, two dots and then the cookie value right here.

78
00:05:51,800 --> 00:05:53,420
If I try it once again.

79
00:05:56,640 --> 00:05:58,270
Well, now it works.

80
00:05:58,410 --> 00:06:04,710
Now it tells me that the username is admin and that the password is password. Just keep in mind that

81
00:06:04,710 --> 00:06:09,780
sometimes Hydra doesn't really make a difference between capital and lowercase letters.

82
00:06:09,810 --> 00:06:12,030
That's why we got two results right here.

83
00:06:12,660 --> 00:06:15,990
But it gave us the correct username and the correct password.

84
00:06:16,290 --> 00:06:22,050
So once you notice that the brute force doesn't work, try adding this cookie value and then it might

85
00:06:22,050 --> 00:06:22,800
actually work.

86
00:06:22,800 --> 00:06:27,420
Because if you remember, once we didn't have it, it gave us that all of the usernames and all of the

87
00:06:27,420 --> 00:06:31,120
passwords are valid and that we can log in with all of that.

88
00:06:31,860 --> 00:06:37,620
So the difference once again between this and the previous command is inside of this http get form, because

89
00:06:37,620 --> 00:06:41,490
we are sending with the GET request, then we have the different link.

90
00:06:41,850 --> 00:06:47,220
The username and password fields are the same, and the string that we get once specifying the incorrect

91
00:06:47,220 --> 00:06:49,630
password is also different.

92
00:06:49,650 --> 00:06:55,230
And here we also specify a cookie value, which we didn't have to specify in the previous video.

93
00:06:55,830 --> 00:06:56,710
OK, great.

94
00:06:56,730 --> 00:07:01,200
Now that we covered the Hydra tool, in the next video I will show you a way how you can perform brute

95
00:07:01,200 --> 00:07:05,700
force much, much easier with the help of Burp Suite, so see you there.