Attackers constantly try to crack the passwords of other people in order to gain access to their accounts. The dictionaryattack is one of the most common ways of attempting to crack a user’s password. The attack works by attempting to use all of the words in a given dictionary file as the password for the user. If the user’s password is in the dictionary used in the attack, the attacker is able to gain access. Hydra is a well-known tool for performing dictionary attacks.
In this lab, you will use Hydra to perform a dictionary attack on a locally hosted website.
Upon completion of this lab you will be able to:
- Set up Hydra to perform a dictionary attack on a website
This lab is intended for:
- Individuals who want to learn how to defend against dictionary attacks on websites
- Security engineers who want to understand the security level of the passwords they are using inside their company
- Individuals who want to understand how a dictionary attack is performed
Load the Virtual Machines (Kali & Hydra)
In this lab step, you will load the two virtual machines you will need in the lab. You will open a Kali Linux VM and a Hydra VM.
- Start up the Kali VM by double-clicking on it in the list and press “Start” in the window that will appear:
- You should now be presented with the desktop:
- Go back to the Hyper-V Manager and make sure the Hydra VM is in Running state:
Conduct the Dictionary Attack
In this lab step, you will use Hydra to perform a dictionary attack on a website to retrieve the administrator’s password and login.
1. In the Kali VM launch the Firefox browser:
2. Navigate to the Hydra VM‘s IP address:
- If you click the link on the page, it will prompt you for a username and password:
The hint on the webpage informs you that the username is admin, but it doesn’t give away the password. You will use Hydra to try to brute-force the password.
- Open the terminal window and type:
hydra -l admin -P /usr/share/wordlists/rockyou.txt.gz 192.168.1.95 -V http-get “/secure”
The /usr/share/wordlists/rockyou.txt.gz file is the dictionary used for this attack. Leave Hydra to run for a few minutes and record the cracked password.
Warning: The command will output a few errors, don't pay attention to them, they don't compromise the result of the lab.
5. Return to the Firefox browser and try the credentials you have discovered to see if you can now log in:
In this lab step, you have cracked the website password using a dictionary attack.