OK, so we used Intruder from our Burp Suite to perform brute force attacks, but now it's time to move on to a more advanced tool specifically made for these types of attacks. And that tool is called Hydra. Now, I said it was an advanced tool, not because the attack itself is hard to perform, but because the syntax for this tool can be a little bit tricky sometimes. And there isn't a single command that you can run for every website in order to brute force it. So we're going to dissect the command and explain how you can craft one for specific pages.

The first page that we are going to take a look at is going to be the bWAPP page on our Metasploitable machine. So navigate there. And we can see here we have a login screen, and this is exactly what we need in order to brute force. Now, keep in mind that we do get the correct credentials right here, which is useful for us to practice this attack. So we know that bee is the username and bug is the password, and this will work once we try to log in. But we want to see how we can get this as an output with the help of the Hydra tool and with the help of username and password lists.

OK, first of all, to run Hydra, we can open a terminal and type in hydra. This will open its help manual, and this help manual will not be of much use to you once you're opening this tool for the first time.
It might seem like it has few options and that it's easy to run. But in reality, once you're brute forcing HTTP pages, there are a few things that you need to take a look at. So let's start off with crafting our command. The first thing we want to type is hydra and then the IP address of the target that we are attacking; in my case it is the Metasploitable machine, which has an IP address of 192.168.1.

The second thing that we need to specify is which type of attack we are performing. So we know that we have GET requests and POST requests. We can either submit the username and password with a GET request or with a POST request. And what will help us determine which one it is, is if we simply go to View Page Source and we find the form that is used to submit the username and password, which is right here; we will notice that the method is post. So we're submitting the username and password with a POST request. OK. Let's go right here and let's type that after our IP address in Hydra; in order to type that, we type http-post-form. If it was a GET request, you would type http-get-form. Simple as that. So those are the two options that you need to keep an eye on, and usually you will have them inside of the page source of the form that you're trying to brute force.
The next thing that we need to specify is the path to the login page. Now, in order to get the correct path, we want to type in a username and password. So I'm just going to type test and test and click on Login. And let's see what we get: we get "Invalid credentials", and it's under the path /bWAPP/login.php. We want to copy this path and we want to specify it in our command. In order to specify it, the first thing we need to do is open double quotes. After that, we paste our path. And we add a colon to that. Now, why are we adding a colon? Well, in Hydra there are a few things that we need to specify. Thing number one is the path, which we specified right here. Thing number two is specifying the name of the username field, the name of the password field and the button itself. Now, I know this sounds confusing, but we will do it right now. Hang on for just a second. That's the second thing. The third thing that we usually specify inside of our command is which error message we get once we specify an incorrect username and password, which in our case is this one right here. And at the end we add the users list and the passwords list.
OK, so let's go back to the command. We specified the beginning of the command and we specified the first thing that comes in double quotes, and that is the path. Now comes the name of the username field, the name of the password field and the name of the button. So in order to get the name of those fields, we once again want to go to the page source and we want to navigate to the form. Here, we want to find the code that identifies the username input. And it's right here. If we take a look at the name tag and the ID tag, we will notice that it's called login. So this will be the name of our username field. In order to specify that, we're going to type login equals, and then comes this arrow that is pointing upwards, the caret (^). After this, we want to specify capital USER, and then again this arrow that points up: login=^USER^. OK, what did we do right here? Well, the first thing that we did is we specified the name of our username field. And this part right here is just the syntax that tells Hydra to replace this ^USER^ tag with the usernames that it will read from the usernames list that we'll specify at the end of the command. So essentially, it will just replace this with all of the usernames that it's trying to brute force with. Same thing goes for the password.
Now, before we specify the password, we need to type this sign right here, the ampersand (&), in order to separate these two fields. Now comes the name of the password field, which we can read from the page source. And it's right here. We can see that the name is just password. So let's specify it like that: password equals, a caret, PASS, and then a caret once again: password=^PASS^. So the idea is basically the same for the password as well. It will replace this ^PASS^ right here with the passwords from the list. And we want to separate it once again with an ampersand. And the last thing that we specify is the button itself. So we need to find the button code inside of the page source. And it's right here. As we can see, the name for the button is form and the value is equal to submit. So what we want to do is we want to go right here and type form=submit. That will tell the Hydra tool that once it replaces the username and password, it has to click on a button in order to submit them and check whether they're correct or not. Now, finished with the second part of this command, we can go on to the third part by separating it with a colon once again. And we need to type the string that we get once a password is incorrect, and we have it right here; we can copy it: Invalid credentials or user not activated.
Let's copy that string, or that message, and we can paste it right here. Once you do that, you want to close the double quotes, and at the end we specify the usernames and passwords lists. Now, since we don't have one yet, let's just open another terminal and type nano users.txt. Here, we can type any usernames whatsoever. Let's go test, test123, root, admin, and let's add the correct username, just so we can see whether the tool will work and whether it will manage to find this to be the correct username. Let me just double check. Yeah, bee is the username and bug is the password. So we will be adding the correct credentials to the list just for the purposes of this tutorial, in order to see whether it will work. In reality, of course, you wouldn't know the correct credentials, and you would use a much bigger list than this. OK, let's add, for example, admin123, and that would be about it for our users. Now, let's go and do the same for the passwords: nano pass.txt, and here will be our passwords. So let's go password, pass123, password123. Let's go bug, which is the correct password. And let's go with test1234.
OK, save this as well, and now we go back to our command, where we need to specify that we want to use these two files in order to brute force. To specify the usernames file, we type a dash and then capital L. After that comes the name of the file, which in my case is users.txt. And after that we specify -P for the passwords file and then the name of the passwords file, which is pass.txt. OK, this is the entire command. And I know it might sound confusing and you probably have no idea what we did right here. But don't worry, this is the same reaction that everyone has once they first encounter the Hydra tool. And we will be taking a look at another example of crafting the command for a different web page in the next video. For now, let's go through this command once again and explain what we did. So first we type hydra, then the IP address of the target, then which type of brute force we want to perform based on how the credentials are being processed by the web page. Since they are processed with a POST request, we use http-post-form. If they were processed with a GET request, we would type http-get-form. After that comes the double quotes part, which has three different things. The first thing, or the first part, is the path to the page that we want to brute force.
The second part is the name of the username field, the name of the password field and the button itself. And the third part is the string, or the message, that we get once we specify an incorrect username and password. This will help Hydra determine which credentials are correct based on this message. If we specify some credentials and we don't get this message, it will flag those credentials as correct ones and it will output them right here for us. At the end, we specified -L and we specified users.txt, or any list that we want to use for usernames, and then -P and then the passwords file. OK, let's press Enter and see whether this command will work. And you will notice that in just one second we managed to perform all the combinations of usernames and passwords, and we got the correct one right here. So not only did this finish much, much faster than Burp's Intruder, but it also outputted our correct credentials in clear text right here. Let's give it a try and let's try to log in with bee and bug and click on Login. And here we are. We logged in successfully. Awesome. So once again, this is a little bit complicated, but don't worry. In the next video, we're going to check out another example of using Hydra on a web page.
Thank you for watching, and I will see you in the next lecture.
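Added example, not part of the lecture and not Hydra's own code: a small Python re-implementation of what Hydra's http-post-form module does with the spec assembled in the lecture (path, form body with ^USER^/^PASS^ and the button, failure string), so the three colon-separated parts and the match logic can be seen and run offline. The target is a constructed stand-in function that mimics bWAPP's login.php (it accepts bee/bug and otherwise answers with the "Invalid credentials or user not activated!" message); no network traffic is sent, the target IP in hydra_command is a placeholder, and percent-encoding the substituted values is this example's assumption. It also exercises two things the lecture does not mention: Hydra lets you write "\:" for a literal colon inside a part and accepts "S=" (success string) or "F=" (failure string) prefixes in the third part, and a mistyped failure string silently turns every attempt into a reported hit, which is the first thing to check when Hydra claims dozens of valid logins.

```python
"""Added illustration (not the lecture's code): what Hydra's http-post-form
module does with the spec assembled in the lecture, run offline against a
constructed stand-in for the bWAPP login page."""
import itertools
from urllib.parse import parse_qs, quote_plus

# The module spec exactly as the lecture builds it: path : form body : failure string.
LECTURE_SPEC = ("/bWAPP/login.php"
                ":login=^USER^&password=^PASS^&form=submit"
                ":Invalid credentials or user not activated")

# The two wordlists typed into nano in the lecture.
USERS = ["test", "test123", "root", "admin", "bee", "admin123"]
PASSWORDS = ["password", "pass123", "password123", "bug", "test1234"]


def split_spec(spec):
    """Split a Hydra http-*-form spec on unescaped ':'.
    Hydra lets you write '\\:' for a literal colon inside a part."""
    parts, buf, i = [], [], 0
    while i < len(spec):
        if spec.startswith("\\:", i):
            buf.append(":")
            i += 2
        elif spec[i] == ":":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(spec[i])
            i += 1
    parts.append("".join(buf))
    return parts


def parse_spec(spec):
    """Return path, body template and match condition of a spec.
    The third part is a failure string by default; Hydra also accepts
    'F=<failure string>' and 'S=<success string>'."""
    parts = split_spec(spec)
    if len(parts) < 3:
        raise ValueError("spec needs path:body:condition")
    path, body, cond = parts[0], parts[1], parts[2]
    if cond.startswith("S="):
        mode, needle = "success", cond[2:]
    elif cond.startswith("F="):
        mode, needle = "failure", cond[2:]
    else:
        mode, needle = "failure", cond
    return {"path": path, "body": body, "mode": mode, "needle": needle}


def fill(template, user, password):
    """Substitute ^USER^ and ^PASS^; percent-encoding the values is this
    example's assumption about the target, not something the lecture covers."""
    return template.replace("^USER^", quote_plus(user)).replace("^PASS^", quote_plus(password))


def attempt_succeeded(mode, needle, response_text):
    """Failure mode: a hit when the needle is absent. Success mode: a hit when it is present."""
    if mode == "failure":
        return needle not in response_text
    return needle in response_text


def brute_force(spec, users, passwords, post):
    """Try every user/password pair (the cross product Hydra runs for -L/-P).
    post(path, body) -> response text; returns the list of (user, password) hits."""
    p = parse_spec(spec)
    hits = []
    for user, password in itertools.product(users, passwords):
        text = post(p["path"], fill(p["body"], user, password))
        if attempt_succeeded(p["mode"], p["needle"], text):
            hits.append((user, password))
    return hits


# Constructed stand-in for bWAPP's login.php (no network traffic is sent).
FAIL_MSG = "Invalid credentials or user not activated!"


def fake_bwapp_post(path, body):
    fields = parse_qs(body)
    if (path == "/bWAPP/login.php"
            and fields.get("login") == ["bee"]
            and fields.get("password") == ["bug"]
            and fields.get("form") == ["submit"]):
        return "<html><body>Welcome Bee</body></html>"
    return f"<html><body>{FAIL_MSG}</body></html>"


def hydra_command(target_ip, users_file, pass_file, spec=LECTURE_SPEC):
    """The command line the lecture builds, in the lecture's argument order (target IP is a placeholder)."""
    return f'hydra {target_ip} http-post-form "{spec}" -L {users_file} -P {pass_file}'


if __name__ == "__main__":
    print(hydra_command("192.168.1.x", "users.txt", "pass.txt"))
    print(brute_force(LECTURE_SPEC, USERS, PASSWORDS, fake_bwapp_post))
    # Caveat: a mistyped failure string makes every pair look valid.
    typo = LECTURE_SPEC.replace("not activated", "not activatd")
    print(len(brute_force(typo, USERS, PASSWORDS, fake_bwapp_post)), "false positives")
```

The lecture's failure string omits the trailing "!" that bWAPP actually prints; that still works because the check is a substring match, but anything that does not appear verbatim in the error response (a typo, a differently encoded apostrophe, a message that only shows up after a redirect) makes every attempt a false positive, so confirm the string against one manual failed login before trusting a result.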