KEMBAR78
Wapt-The Tester | PDF | Proxy Server | Password
Scribd
Upload
22 views5 pages

Wapt-The Tester

Uploaded by

raxow74001
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
22 views5 pages

Wapt-The Tester

Uploaded by

raxow74001
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 5

3.

Bruteforcing DVWA vulnerable bruteforce page using burpsuite &


hydra:
Step1: first open the DVWA vulnerable bruteforce page in firefox and security level
to low.

Fig: opened DVWA vulenerable bruteforce page

Then open the burpsuite and go to “proxy tab” in that go to “intercept tab” and set
the intercept is on. Then go to “options tab” & add the loopback IP and port 8080.

Step2:Now open the firefox go to “preferences” in that go to network proxy and click
on manual proxy configuration and add loopback IP and port 8080 and tick the
below checkbox “use this proxy server for all protocols”. and click ok. Now you are
ready.
Fig: setting the manual proxy configuration

Step3: now go to already opened DVWA vulnerable bruteforce page in the firefox
and give wrong credentials and then click on login. Now your burpsuite is
intercepting. Now go to burpsuite and analyze the request.

Fig: analyzing the request

Step4: Now click on “forward” button in the burpsuite. After clicking the forward
button, go to DVWA vulnerable bruteforce page -> there u can see that “Username
and/or password incorrect”. i.e., means these type of responses will simply
bruteforced or we can say that weak error responses.
Fig: forwarding the request

Fig: username and/or password is incorrect response

Step5: Also here we can see the sessionID in the burpsuite. Go to “http history tab”
there down you can able to see the sessionID. This is also one of the advantage.

Fig: Able to see the sessionID

Step6: Now we are using hydra to bruteforce the DVWA vulnerable bruteforce page.
Now open the new terminal and type this command:
hydra -L usernames.txt -P passwords.txt 192.168.42.241 http-get-form
“/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Usernam
e and/or password incorrect.:H-cookie: security=low;
PHPSESSID=2864e27c70e60744896e5539a6445393” -V

1.Now here -L means: usernames list or u can give single username.


2. here -P means: passwords list or u can give single password.
3. 192.168.42.241 means: DVWA login page IP address.
4.http-get-form means: it is a get form.
5. /dvwa/vulnerabilities/brute/index.php means: page address.
6. Then we are giving the instruction what to bruteforce, that means username and
password and login. And also we are giving the error message that is Username
and/or password incorrect.
7. Also we are giving the sessionID.
8. -V means: verbose.

Verbose means when we bruteforcing the login page, we will able to see how it is
bruteforcing.

Fig: hydra is bruteforcing the DVWA vulnerable bruteforce page


Fig: hydra found the username & password given in the list

..

You might also like