How to HACK Website Login Pages | Brute Forcing with Hydra

most websites have login pages and in this video i'm going to show you how to hack them so why target login pages well behind every login page is access to confidential information or even administrator level access this is gold dust for hackers and as penetration testers or bug bounty hunters it's extremely valuable for us as well so how do we actually go about hacking a login page well there are two main types of

How to HACK Website Login Pages | Brute Forcing with Hydra

most websites have login pages and in
this video i'm going to show you how to
hack them so why target login pages well
behind every login page is access to
confidential information or even
administrator level access this is gold
dust for hackers and as penetration
testers or bug bounty hunters it's
extremely valuable for us as well so how
do we actually go about hacking a login
page well there are two main types of
attack that we can use here
brute forcing and dictionary attacks a
brute force attack is where you try
every possible password that exists for
example we might start a
then a a then aaa then aab and so on and
so forth until the correct password is
found now in theory this will eventually
find the correct password no matter what
it is
however the time it can take can vary
greatly for example if you're finding a
5 character password with only lowercase
letters this could take seconds a 16
character password with numbers
uppercase and special characters however
could take millions of years now i don't
know about you but i don't have the
patience to wait millions of years
this is why we use the second type of
attack called a dictionary attack a
dictionary attack is actually a type of
brute force
but instead of trying every single
possible combination of letters numbers
and symbols we use pre-built lists of
possible passwords
you see us humans are not as smart as we
think we are we tend to use passwords
that are easy to type easy to remember
and even reuse the same password over
and over again
and as clever as you think you're being
unless your password is truly unique
it's likely to have been used many times
before so we can use lists of passwords
containing words phrases and known
passwords from past data breaches and
there is a good chance that we will find
a match
luckily we don't need to type these
passwords ourselves there are plenty of
tools that can do this for us and
probably the most popular is one called
hydra hydra is a free tool used to hack
logins and is what we're going to be
using today

so now let's move on to the hacking
we're going to need a hacking machine
such as kali linux or paraos and we're
also going to need a test website with a
login page for us to hack
now you can set this up yourself with
virtual machines and installing web
servers but luckily our sponsor for
today's video has us covered hack the
box academy provides real hands-on
training with browser-based hacking
environments nothing to download or
install and ready to go in minutes they
have tons of great training available
including this one called login brute
forcing this module is part of their
certified bug bounty hunter training
this training path will take you from
almost zero to hacking into websites in
no time at all
so i'm going to be using the hackthebox
academy environment to show you how this
all works if you want to follow along
use the link below in the description to
sign up
so here is our attacker's machine and
here is the website login that we're
going to hack
as you can see it's a pretty standard
username and password page
now we have our target let's see how we
can use hydra to find some credentials
now our attacking machine is running
parrot os from hack the box academy and
it has hydra pre-installed
if you're running kali linux you should
also have it
if you're using anything else you may
need to install it using apt or download
it from the official github
so let's look at the command format
there are a few bits of information here
so let's break this down
hydra is a really powerful tool with
many different options
this is the general format of the
command that we need for this attack
hydra specifies the tool
dash l login or dash l file is the
section that we tell hydra what to put
into the username field we can use a
lowercase l and specify a user account
manually or we can use an uppercase l
and use a list of usernames
dash p pass or dash p file
is the section very similar to the last
one but it tells hydra what to put into
the password field
using a lowercase p
tells us to specify the password
and the uppercase p will use a password
dash u this will try every username for
each password if we have a small
username list and a large password list
this could dramatically reduce the time
it takes to find the correct password
f is pretty simple it tells hydra to
stop trying to find passwords once the
first match is found we then need to add
the ip address or the domain name of the
target website dash s to specify the
port number of the target website and
the module section tells hydra which
modules to use now a module is a service
to attack
some module examples are http
remote desktop protocol ssh and many
many more
this last part depends on the module you
select this example shows typical
options for http attack which is what
we're going to be doing today
okay so now we have the basis of our
command let's start writing this out so
first i'm going to open a terminal
i'll make this a little bit bigger so we
can see
move this over here
and we're first going to start with sudo
because we want to run with elevated
then we type
and now we need to choose either a
specific username to try to attack or a
list of possible usernames
now a lot of the time you won't know
anything about the target nor do we have
any known usernames a good guess is
there will be something like admin
administrator or something along those

lines so we could try our luck choosing
the username ourselves but we may be
better off using a list of common
there are lots of word lists available
with common usernames
a great place for this is seclists which
has a ton of great word lists
it's already pre-installed in our hack
the box academy machine but you can
download it from their github so to tell
hydra we want to use a list of usernames
we use the command dash
capital l
and then the location of our word list
in our example we'll use the word list
located in
set lists
and it's called
top username shortlist
this word list contains some of the most
common usernames
next we need to tell hydra which
passwords to try
again there are tons of password lists
out there one popular list is the roku
password list from a massive data breach
back in 2009
this contains over 14 million passwords
ranging from very simple to more complex
to use this list we need to type dash
capital p
and then the location of our list which
for me is
set lists
leak databases and then
dot rockyou.
now if you're not using hack the box
academy then your list may be somewhere
else or you may need to download it
then we type dash u to tell hydra to try
every username from our small user list
for each password
this is rather than 14 million passwords
for each username
now we use the dash f
to tell hydra to stop looking once a
match has been found
now if you're trying to find as many
credentials as possible then you may not
want to add this bit
now we need to add our target ip address
or domain name and the port number
in our example our ip address is here
and we'll copy that
paste it
s for the port number and as we can see
just here
and we'll paste that as well
now this last part will need a bit more
explaining this is the module section
where we tell hydra what type of logging
we're trying to attack so it knows which
techniques to use
web logins like this are the http post
form module
so we type
post dash
and this will select that module then we
need to add some parameters and we'll
open that with some quotation marks
the first parameter is the url of the
login page itself and we can see up here
at the top it's
so we'll start with
then we just need to add a colon to
separate the parameters
next we need to tell hydra where to
input the username and where to input
the password to do this we need to find
out the names of these fields now there
are a few ways to do this but one of the
easiest ways is to open a program called
burp suite
now to do that we go up to applications
and i'll go to pen testing

most use tools and there it is that burp
click onto there
a couple of prompts will come up just
skip past those
temporary project is fine for this
use the defaults start burp
burp suite has tons of great website
hacking tools but the main one and the
one we're interested in today is the
proxy at the top so proxy here
using the proxy allows us to inspect all
requests that are being sent to the web
before we can use the proxy though we
need to add the settings in our browser
to do this we'll just go back to firefox
select the menu go to preferences
then at the top right we'll just type
and where it says network settings click
and manual
proxy configuration
and we're just going to use http for
this and in the address we'll type
and the default port number for burp
suite is 80
click ok
and that's that saved
what this does is tell our browser to
send all of the web requests to our
proxy where we can then view and even
change them if we wanted to before
they're sent to the web server
so now we're set up we just need to
enter some test credentials and we
should be able to see the form input
so what i'm going to do is i'm going to
click on to user
i'm just going to type test
and for the password again i'm going to
hit test
now when i click login
nothing will happen it will kind of hang
here nothing happens but if we go over
to burp suite you'll see
this is the request being sent to the
web server
at the bottom we can see our test
credentials and most importantly we can
see the login parameter names
so we have username
and simply password
and we can use these for our hydra
so let's go back to our terminal
we'll type in username
and the tell hydra that this is where
they input the user
will go equals
up arrow
up arrow
then we do the same for the password
field by typing
and to separate them
equals and this is where to input the
perfect now the last bit we need to do
is tell hydra when to know when a
username and password is correct
if you think about it hydra won't know
what a successful login looks like right
so we need to tell it
this is the part that people tend to
forget so what we need to do is add
another parameter to tell hydra when to
stop trying passwords
now because we don't know what a
successful login looks like meaning we
don't know what happens when it logs in
we need to use something that we're
pretty sure won't be there once we do
log in
it's pretty reasonable to think that
once we log in
that this login page won't be there now
if you think about it there won't be any
need for a login page once you've
already logged in right
so let's find the name of this login
to do that we'll just press f12 on the
keyboard to bring up the developer tools
select the inspection tool
and we can just move our mouse around
until we select that form
so select that there
and we can read through here we can see
the name of the form is called login
so we use that to tell hydra hey if you
no longer see this login form then
that's a pretty good chance that that's
a successful login
so to do that we move over to our
again we do a colon to separate the
then we need to do
capital f for failure
and to say what a failure looks like
i'll add the name of our form which is
open bracket
we then need to close our module
parameters with quotation marks
so we now have the username list the
password list
the ip address the port number and our
module options
when we press enter hydra will start
trying lots of different passwords until
a match is found
so i'll press enter
and of course i get an error and that is
because the login page should start with
a forward slash
so the command should now look like this
press enter
and hydra will start to try lots of
different passwords
as we can see very quickly we receive a
match the login name is admin and the
password is the very secure password of
password one
now this just shows how quickly we can
simple passwords now in the real world
if this was a little bit more complex
this will probably take a little bit
more time
so we can confirm this works just by
going back to our login page
typing the username as admin
and the password is
and not forgetting to turn our proxy
server off we can just turn this
interception is on button off
and that's removed our name so again
we'll go admin
password one
hit the login button
as you can see we have successfully
logged in and the text you see here is
actually some clues for our next hack
the box challenge
down at the bottom we also have a flag
to complete this section
so we've just hacked a website login now
it's worth noting that most sites we use
today like facebook instagram etc will
have account lockouts this means that
after a few tries you'll be locked out
of your account for a set period of time
this dramatically reduces the
effectiveness of these attacks because
you can't try lots and lots of passwords
all at once
now a great way to make sure that your
accounts are protected against these
types of attacks is to make sure you
enable multi-factor authentication this
way even if an attacker does get your
login credentials they still need that
second factor which is usually a code on
your mobile
so that is how we can force our way into
website login forms using hydra hydra is
a great tool and it can even be used to
brute force services such as ftp and ssh
if you like this video you will really
love the module on hack to box academy
they cover everything i just did and
much much more so go check it out in the
description don't forget to give this
video a thumbs up leave a comment and
subscribe the support from you guys
really helps this channel grow thank you
for watching