Instructor: Welcome back. Let's continue with our brute forcing of the DVWA page. So, we successfully brute forced the welcome login screen. But now we also got this Brute Force page right here that also requires a username and password. Now, this is pretty much the same thing, just this is a different page, so the syntax of the Hydra command will be different. Of course, if I were to type "admin" and "password" right here, it would still work. It would tell me, "Welcome to the password protected area admin." But if I were to type something like "test" and then "test", it would not work this time. So, we must craft a specific command just for this page. If we were to use the command that we used in the previous video, which is this one, it would not work because it is not the same page, it is not the same type of HTTP form POST, and it is also not the same type of fields. So, let's clear the screen right here and let's start crafting our command. We're going to start the same, which is "hydra", and then the IP address of our target machine.

Remember that in the previous video we used HTTP form POST because our usernames and passwords were sent with a POST request. This time, if you take a look at the link right here, we can see that the usernames and passwords are being sent inside of the link. And this is a good indication that this is a GET request. Of course, you can also check that by visiting the page source, finding the form where you submit usernames and passwords, and here it is. And under the form we can see that the method is GET. So, this time we cannot use HTTP form POST. We must use HTTP GET form. So this is the syntax once we are sending the GET request. The next step is, remember, we open the double quotes, and in between the double quotes the first argument is specifying the path to the page. So, we must go right here. Let us close this and let's just refresh this page, just so we can get the path to it. So.

I'm just going to go right here and right here, and we get the path to the page, which is going to be slash DVWA slash vulnerabilities slash brute and slash at the end. Copy this and specify it as the first argument right here. And remember, once we do that, we separate the second argument by typing two dots, and now comes the part where we specify the username, password, and button field. So, let's go to the page, view page source once again, and let's find the name of the username field first. Here is the form. The first part is the username field, and its name is just "username". So let's go to our command and type username equals upper arrow USER upper arrow. We separate the username from the password with this sign. Let's go and check out what the password name is. It is just "password". And let's do the same as in the previous video: PASS, upper arrow. And the last part is the button, which we can even get from the link itself. So, if I type "hello" as username and "world" as password, we can see right here in the link that the button login equals login.

So, we can just copy this, go to our command, and paste it right here. And the last argument inside of the double quotes is, if you remember, we must specify what the string is that we get once we specify the incorrect username and password. And we can see it right here. It says "Username and/or password incorrect." So, let's just copy this and let's paste it right here. Great, now if we go outside and specify dash L and then usernames dot txt, and dash P for the passwords dot txt. If I press enter, you will notice that it will not work. It will tell me that every username and every password is correct. Sometimes when this happens, you haven't specified enough arguments. Either you have a syntax error inside of your command, or you didn't specify something well, or you're missing additional arguments, such as the cookie value. So, sometimes we must specify the cookie value also in order for this to work. Let me show you what I mean.

To specify the cookie value, we must go right here and, before closing the double quotes, we're going to add another argument. So, separate with two dots and we can type H dash Cookie, two dots, and the cookie value right next to it. How do we get the cookie value? Well, we get it with the help of Burp Suite. So, let's find the HTTP request where we send "hello" and "world" as the username and password. And let's see what cookie we have right there. So let's go right here. Let's try to find it. It is right here: slash DVWA slash vulnerabilities. Let's just find the correct request. And here it is. Here we can see inside of the link that we are sending "hello" as the username and "world" as the password. And the cookie that we have is this right here. So we want to copy all of it, including the security equals low and including the PHP session ID equals and then our cookie value. So copy that, go to the command, and right here you can paste the cookie value. So after the two dots, H dash cookie, two dots, and then the cookie value right here.

If I try it once again. Well, now it works. Now it tells me that the username is "admin" and that the password is "password". Just keep in mind that sometimes Hydra doesn't really make a difference between capital and lowercase letters. That's why we got two results right here. But it gave us the correct username and the correct password. So once you notice that the brute force doesn't work, try adding this cookie value and then it might actually work, because if you remember, once we didn't have it, it told us that all of the usernames and all of the passwords are valid and that we can log in with all of that. So, the difference once again between this and the previous command is inside of this HTTP GET form: because we are sending with the GET request, we have a different link. The username and password fields are the same, and the string that we get once specifying the incorrect password is also different. And here we also specify a cookie value, which we didn't have to specify in the previous video. Okay, great.

Now that we covered the Hydra tool, in the next video I will show you how you can perform brute force much more easily with the help of the Burp Suite tool. See you there.