1 00:00:00,570 --> 00:00:01,403 Instructor: Welcome back. 2 00:00:01,403 --> 00:00:05,370 And in this lecture I want to talk about the subject 3 00:00:05,370 --> 00:00:09,030 of brute forcing different login pages. 4 00:00:09,030 --> 00:00:11,700 So we talked about many different attacks 5 00:00:11,700 --> 00:00:14,250 that were based on some type of a vulnerability, 6 00:00:14,250 --> 00:00:15,690 either in a code injection 7 00:00:15,690 --> 00:00:19,170 or CSRF attack or command injection. 8 00:00:19,170 --> 00:00:21,870 All of those were bugs that we covered, 9 00:00:21,870 --> 00:00:25,890 but we haven't covered how to brute force a login page. 10 00:00:25,890 --> 00:00:27,840 And for this entire section, 11 00:00:27,840 --> 00:00:31,470 we have been logging into this username and password field 12 00:00:31,470 --> 00:00:35,070 whenever we want to access the DVWA page. 13 00:00:35,070 --> 00:00:39,390 Let's say that we don't have the credentials for this page. 14 00:00:39,390 --> 00:00:42,810 We know of course that they are admin and password, 15 00:00:42,810 --> 00:00:45,870 but let's also see how we can try to brute force them, 16 00:00:45,870 --> 00:00:48,810 how we can try to guess the credentials. 17 00:00:48,810 --> 00:00:49,643 Of course, for this, 18 00:00:49,643 --> 00:00:52,080 we are going to need to have a little bit of luck 19 00:00:52,080 --> 00:00:53,910 because this will require that 20 00:00:53,910 --> 00:00:56,430 inside of the password list that we are going to use, 21 00:00:56,430 --> 00:00:58,410 we have their password there. 22 00:00:58,410 --> 00:01:01,650 So this will only work if their password is pretty weak, 23 00:01:01,650 --> 00:01:03,270 which in our case it is, 24 00:01:03,270 --> 00:01:05,403 since the password is just password. 
25 00:01:06,240 --> 00:01:10,230 For this, we're going to use a tool called Hydra, 26 00:01:10,230 --> 00:01:13,050 and Hydra is already pre-installed in Kali Linux, 27 00:01:13,050 --> 00:01:16,840 so you can just type Hydra inside of your terminal 28 00:01:17,760 --> 00:01:20,580 and this will give you the help menu of the tool. 29 00:01:20,580 --> 00:01:23,850 However, I advise you not to look at this help menu 30 00:01:23,850 --> 00:01:26,460 because it will be in no way helpful 31 00:01:26,460 --> 00:01:28,530 for these types of attacks. 32 00:01:28,530 --> 00:01:31,320 As we can see right here, it gives the example of usage, 33 00:01:31,320 --> 00:01:34,470 but once attacking the actual webpages, 34 00:01:34,470 --> 00:01:37,590 this becomes harder and harder to use. 35 00:01:37,590 --> 00:01:39,930 The syntax becomes harder and harder. 36 00:01:39,930 --> 00:01:42,000 So I advise you to actually pay attention 37 00:01:42,000 --> 00:01:43,530 once I'm writing the syntax 38 00:01:43,530 --> 00:01:46,260 so you can see how exactly I am doing it, 39 00:01:46,260 --> 00:01:49,530 because for every web page that has a login page 40 00:01:49,530 --> 00:01:53,520 with username and password, this syntax will be different. 41 00:01:53,520 --> 00:01:57,480 So let's start crafting our command. 42 00:01:57,480 --> 00:01:59,910 We're going to start with Hydra 43 00:01:59,910 --> 00:02:03,720 and then after it we specify the IP address of our target, 44 00:02:03,720 --> 00:02:07,890 which in my case is 192.168.1.9 45 00:02:07,890 --> 00:02:09,152 as we can see right here. 46 00:02:10,050 --> 00:02:11,610 Then you've got a few options 47 00:02:11,610 --> 00:02:13,680 that you need to specify right here, 48 00:02:13,680 --> 00:02:15,630 which are based on how you are sending 49 00:02:15,630 --> 00:02:18,330 the username and password to the target. 
50 00:02:18,330 --> 00:02:22,500 So in this case, if I type test right here 51 00:02:22,500 --> 00:02:25,380 and test as the password, I click on login. 52 00:02:25,380 --> 00:02:28,350 This is being sent as a post form. 53 00:02:28,350 --> 00:02:31,950 So we are applying these usernames and passwords to the form 54 00:02:31,950 --> 00:02:36,300 and we are sending this to the target with a post request. 55 00:02:36,300 --> 00:02:38,790 You can always check that right here 56 00:02:38,790 --> 00:02:40,230 inside of your Burp Suite. 57 00:02:40,230 --> 00:02:41,520 So you can go down here 58 00:02:41,520 --> 00:02:44,400 and we can see that this is a post request 59 00:02:44,400 --> 00:02:48,510 where we send the test username and test password. 60 00:02:48,510 --> 00:02:51,510 Okay, so how can we specify that inside of Hydra? 61 00:02:51,510 --> 00:02:56,223 Well, we can specify http-form-post. 62 00:02:57,300 --> 00:03:00,210 After this, you need to open the double quotes 63 00:03:00,210 --> 00:03:01,710 and in between the double quotes 64 00:03:01,710 --> 00:03:04,470 the first argument that you must specify 65 00:03:04,470 --> 00:03:06,480 for the page that you're brute forcing 66 00:03:06,480 --> 00:03:08,820 is the path to that page 67 00:03:08,820 --> 00:03:10,800 which requires username and password. 68 00:03:10,800 --> 00:03:11,850 And in our case, 69 00:03:11,850 --> 00:03:16,293 that path is /dvwa/login.php. 70 00:03:17,760 --> 00:03:19,440 So that is the first argument 71 00:03:19,440 --> 00:03:22,050 specified in between the double quotes. 72 00:03:22,050 --> 00:03:25,050 And arguments that you specify between these double quotes 73 00:03:25,050 --> 00:03:27,210 are separated with two dots. 74 00:03:27,210 --> 00:03:28,710 So once we type the path, 75 00:03:28,710 --> 00:03:31,110 we type two dots for the second argument, 76 00:03:31,110 --> 00:03:34,440 and the second argument is the username. 
77 00:03:34,440 --> 00:03:37,140 So for this, we must go to the page 78 00:03:37,140 --> 00:03:38,400 that we are brute forcing. 79 00:03:38,400 --> 00:03:41,370 We must right click and go to view page source 80 00:03:41,370 --> 00:03:44,640 and we must find the name for the username field 81 00:03:44,640 --> 00:03:46,200 inside of the code. 82 00:03:46,200 --> 00:03:48,090 Usually, the username and password fields 83 00:03:48,090 --> 00:03:49,920 will be inside of some type of a form, 84 00:03:49,920 --> 00:03:51,450 as we can see right here. 85 00:03:51,450 --> 00:03:54,600 Form action login.php method post. 86 00:03:54,600 --> 00:03:57,150 And if I go to the label for the username, 87 00:03:57,150 --> 00:03:59,850 we can see that the name for the username field 88 00:03:59,850 --> 00:04:03,000 is simply just username. 89 00:04:03,000 --> 00:04:07,440 Okay, so we must copy the name of this field 90 00:04:07,440 --> 00:04:10,200 and we must go right here and type it in, 91 00:04:10,200 --> 00:04:12,180 so paste it right after. 92 00:04:12,180 --> 00:04:15,360 And this username field will be equal to 93 00:04:15,360 --> 00:04:17,760 upper arrow and capital USER 94 00:04:17,760 --> 00:04:21,149 and then, once again, upper arrow. 95 00:04:21,149 --> 00:04:23,130 Now you might be wondering what is happening here. 96 00:04:23,130 --> 00:04:26,970 Well, after we specify the name of the field on our page, 97 00:04:26,970 --> 00:04:30,000 we equal that to this syntax right here. 98 00:04:30,000 --> 00:04:32,250 And this is just Hydra syntax. 99 00:04:32,250 --> 00:04:34,380 You use this upper arrow right here 100 00:04:34,380 --> 00:04:36,630 and you type USER in between that 101 00:04:36,630 --> 00:04:39,120 and you close it with upper arrow. 102 00:04:39,120 --> 00:04:41,310 What this is telling the program to do 103 00:04:41,310 --> 00:04:45,240 is it will exchange any username that we have in a list 104 00:04:45,240 --> 00:04:47,340 between these two upper arrows. 
105 00:04:47,340 --> 00:04:49,080 So essentially any type of username 106 00:04:49,080 --> 00:04:50,940 from the list that we are going to use 107 00:04:50,940 --> 00:04:53,133 will be stored right here. 108 00:04:54,030 --> 00:04:55,860 But this is not the only field that we have. 109 00:04:55,860 --> 00:04:59,940 We also must specify the same thing for the password field. 110 00:04:59,940 --> 00:05:03,000 Now, to separate the username field from the password field, 111 00:05:03,000 --> 00:05:05,250 we use this sign right here. 112 00:05:05,250 --> 00:05:06,660 So specify this sign 113 00:05:06,660 --> 00:05:10,350 and then after it we can specify the password field name, 114 00:05:10,350 --> 00:05:12,300 just like we did right here. 115 00:05:12,300 --> 00:05:14,880 So let's go and find the label for the password. 116 00:05:14,880 --> 00:05:16,050 Here it is. 117 00:05:16,050 --> 00:05:20,010 And the name for the password field is simply just password. 118 00:05:20,010 --> 00:05:21,660 And this is something that can change 119 00:05:21,660 --> 00:05:24,630 depending on which page you are brute forcing. 120 00:05:24,630 --> 00:05:27,270 So let's go right here and type password, 121 00:05:27,270 --> 00:05:28,530 which is the name of our field, 122 00:05:28,530 --> 00:05:33,530 and this will be equal to upper arrow and then PASS 123 00:05:33,780 --> 00:05:35,730 and then, once again, upper arrow. 124 00:05:35,730 --> 00:05:38,790 And this is also the same as with the username. 125 00:05:38,790 --> 00:05:42,150 So just any passwords that we use from our list 126 00:05:42,150 --> 00:05:46,590 will get stored right here instead of this capital PASS. 127 00:05:46,590 --> 00:05:48,600 And the last thing that we must set 128 00:05:48,600 --> 00:05:51,510 for this second argument of our command 129 00:05:51,510 --> 00:05:53,400 is the button that we're using. 
130 00:05:53,400 --> 00:05:56,460 So every time you actually try to log in, 131 00:05:56,460 --> 00:05:59,220 you click on this login button. 132 00:05:59,220 --> 00:06:01,740 And this is something that we also want to simulate 133 00:06:01,740 --> 00:06:03,900 inside of our Hydra command. 134 00:06:03,900 --> 00:06:06,390 To do that, we go view page source, 135 00:06:06,390 --> 00:06:09,060 we find the button, which is usually right after 136 00:06:09,060 --> 00:06:10,620 the username and password field. 137 00:06:10,620 --> 00:06:12,960 And in our case, here it is. 138 00:06:12,960 --> 00:06:16,770 We take a look at the type of button and the button name. 139 00:06:16,770 --> 00:06:19,380 So we can see that the button name is Login, 140 00:06:19,380 --> 00:06:21,090 which we are going to specify 141 00:06:21,090 --> 00:06:23,700 and then we are going to equal that to submit. 142 00:06:23,700 --> 00:06:25,890 So, we can do it like this. 143 00:06:25,890 --> 00:06:29,760 Again, we need to separate it with this sign right here, 144 00:06:29,760 --> 00:06:32,613 and we type the name of the button, which is Login, 145 00:06:33,450 --> 00:06:36,960 and then equal to the type of the button, 146 00:06:36,960 --> 00:06:40,050 which is, in our case, submit. 147 00:06:40,050 --> 00:06:42,063 So we equal that to submit. 148 00:06:43,950 --> 00:06:45,690 And these three steps right here, 149 00:06:45,690 --> 00:06:47,730 which is username, password, and button, 150 00:06:47,730 --> 00:06:50,670 are enough for us to actually submit a request 151 00:06:50,670 --> 00:06:53,370 for a specific username and password. 152 00:06:53,370 --> 00:06:55,920 But we also need to differentiate 153 00:06:55,920 --> 00:06:58,020 valid username and valid password 154 00:06:58,020 --> 00:07:01,800 from the incorrect username and incorrect password. 155 00:07:01,800 --> 00:07:03,540 So, how are we going to do that? 
156 00:07:03,540 --> 00:07:05,400 Well, luckily Hydra allows us 157 00:07:05,400 --> 00:07:08,220 to specify something that will stick out 158 00:07:08,220 --> 00:07:10,500 once a password is incorrect. 159 00:07:10,500 --> 00:07:12,210 And if we go to our page 160 00:07:12,210 --> 00:07:14,430 and we specify the incorrect username 161 00:07:14,430 --> 00:07:16,440 and incorrect password, 162 00:07:16,440 --> 00:07:18,150 once you click on login, 163 00:07:18,150 --> 00:07:19,740 you will notice that down here 164 00:07:19,740 --> 00:07:23,730 we have this string that says, "Login failed." 165 00:07:23,730 --> 00:07:24,840 Now just by thinking, 166 00:07:24,840 --> 00:07:27,600 we can figure out that this string will not exist 167 00:07:27,600 --> 00:07:30,750 if we manage to log in with successful credentials. 168 00:07:30,750 --> 00:07:32,940 So we can specify this string 169 00:07:32,940 --> 00:07:35,850 to our Hydra command to search for it, 170 00:07:35,850 --> 00:07:37,320 and every time it finds it, 171 00:07:37,320 --> 00:07:39,510 it'll not print out that username and password 172 00:07:39,510 --> 00:07:43,440 as a valid username and password because they are incorrect. 173 00:07:43,440 --> 00:07:45,750 So we can specify it with two dots 174 00:07:45,750 --> 00:07:49,200 and then paste it right here. 175 00:07:49,200 --> 00:07:52,260 Login failed will be the string that we are searching for, 176 00:07:52,260 --> 00:07:53,910 which will indicate that the username 177 00:07:53,910 --> 00:07:56,010 and password are incorrect. 
178 00:07:56,010 --> 00:07:57,510 After we have specified this, 179 00:07:57,510 --> 00:07:59,880 we can exit out of the double quotes, 180 00:07:59,880 --> 00:08:03,450 and all that's left to do is to specify -L 181 00:08:03,450 --> 00:08:05,280 and then the list for the usernames, 182 00:08:05,280 --> 00:08:08,070 which we are going to call usernames.txt, 183 00:08:08,070 --> 00:08:12,000 and -P, which will be the list for the passwords, 184 00:08:12,000 --> 00:08:14,643 which we are going to call passwords.txt. 185 00:08:15,600 --> 00:08:16,890 Now for these lists, 186 00:08:16,890 --> 00:08:19,200 you can use any type of list that you want. 187 00:08:19,200 --> 00:08:21,480 In my case, since we don't have them, 188 00:08:21,480 --> 00:08:24,150 I'm just going to create them real quick 189 00:08:24,150 --> 00:08:26,370 for the purposes of this tutorial. 190 00:08:26,370 --> 00:08:28,680 I need to make sure that I'm in the same directory 191 00:08:28,680 --> 00:08:30,120 where I'm running this command, 192 00:08:30,120 --> 00:08:34,350 and then I'm going to nano usernames.txt 193 00:08:34,350 --> 00:08:39,350 and I'm going to type right here, root, account, Admin, 194 00:08:39,750 --> 00:08:44,553 then lower case admin, password as a username, test123, 195 00:08:45,600 --> 00:08:48,690 and a bunch of other things we are not going to specify. 196 00:08:48,690 --> 00:08:51,450 We can just leave it to be this small, 197 00:08:51,450 --> 00:08:54,450 just so we don't waste too much time 198 00:08:54,450 --> 00:08:56,160 brute forcing that page. 199 00:08:56,160 --> 00:09:00,003 And here we can type test, test123, 200 00:09:00,939 --> 00:09:03,300 123456789, 201 00:09:03,300 --> 00:09:06,420 and then, we can type admin, root, 202 00:09:06,420 --> 00:09:09,690 password, and password123. 203 00:09:09,690 --> 00:09:11,940 So we do have the correct username 204 00:09:11,940 --> 00:09:15,720 and the correct password inside of both of these lists. 
205 00:09:15,720 --> 00:09:18,150 Now that we have this, 206 00:09:18,150 --> 00:09:20,850 what we can do is we can run our command. 207 00:09:20,850 --> 00:09:22,380 Let's just double check it real quick. 208 00:09:22,380 --> 00:09:24,870 So hydra, the IP address of our target. 209 00:09:24,870 --> 00:09:27,000 We're using the http form post 210 00:09:27,000 --> 00:09:28,920 because we are sending a post request 211 00:09:28,920 --> 00:09:30,180 and we are sending our username 212 00:09:30,180 --> 00:09:31,953 and password inside of a form. 213 00:09:32,820 --> 00:09:34,620 Then we open double quotes 214 00:09:34,620 --> 00:09:36,300 and the first argument is going to be 215 00:09:36,300 --> 00:09:40,800 the path to the page that the login form is located in. 216 00:09:40,800 --> 00:09:43,470 The second argument is going to be username, password, 217 00:09:43,470 --> 00:09:45,360 and the button that we are submitting 218 00:09:45,360 --> 00:09:47,250 the username and password with. 219 00:09:47,250 --> 00:09:49,590 And the third argument inside of double quotes 220 00:09:49,590 --> 00:09:51,750 is going to be a string that we get 221 00:09:51,750 --> 00:09:55,440 once we specify the incorrect username and password. 222 00:09:55,440 --> 00:09:59,670 After it, we just specify -L for the usernames list 223 00:09:59,670 --> 00:10:02,160 and -P for the passwords list. 224 00:10:02,160 --> 00:10:03,303 If I click enter, 225 00:10:08,340 --> 00:10:09,750 and here it is. 226 00:10:09,750 --> 00:10:11,910 It managed to find the correct username 227 00:10:11,910 --> 00:10:13,530 and correct password. 228 00:10:13,530 --> 00:10:15,300 It printed it out right here 229 00:10:15,300 --> 00:10:17,940 and it tells us that the username is admin 230 00:10:17,940 --> 00:10:19,863 and that the password is password. 
231 00:10:20,730 --> 00:10:22,830 So, it finished relatively quickly, 232 00:10:22,830 --> 00:10:26,580 but it only had around 49 login tries, 233 00:10:26,580 --> 00:10:27,810 as it says right here. 234 00:10:27,810 --> 00:10:30,870 So you can feel free to use bigger password lists 235 00:10:30,870 --> 00:10:34,110 in order to give this even higher chances to work. 236 00:10:34,110 --> 00:10:36,030 Now that we did this, let's give it a try 237 00:10:36,030 --> 00:10:37,650 and let's log in with the username 238 00:10:37,650 --> 00:10:42,090 and password that we got, and it indeed works, 239 00:10:42,090 --> 00:10:45,720 so our tool successfully brute forced the login. 240 00:10:45,720 --> 00:10:48,600 Now, in the next video, we're also going to take a look 241 00:10:48,600 --> 00:10:51,840 at how we can brute force this page right here, 242 00:10:51,840 --> 00:10:55,323 which is the brute force login page inside of our DVWA.