Brute Forcing

Hell there, I’m back with my third post here.

Cracking the Password or username by random guessing is called Brute forcing or brute force attack in hacker's term.

Brute Forcing

Today I’m going to teach you how to use crunch for get a wordlist of password or username combination and using it.

Crunch is a kali app that let you create a list of every possible combination of alphabets, numbers and symbols you typed. Example of kali command that will create combination: “crunch 6 8 abcdef120”

this command will generate a password combination between 6 to 8 character with this alphabets and numbers(abcdef120).

Command for saving the combination file: “crunch 6 8 abcdef120>Desktop/output.txt”

above command will generate a file named output.txt in desktop which will contain the alphanumeric combination.

Now you know how to generate password or username list, but you've to work with it. For use the file generated by crunch you've to use another kali app called hydra.

We've to use hydra in a web form so that we can use to crack any login form by brute forcing. Here is an example for using hydra: “hydra -l username -p Desktop/output.txt target”

In this example username can be changed by the username you are guessing such as “admin” and password is the list generated by crunch. You can also use username list generated by crunch. Target would be any ip address of victim with open port or it can be any specific web form field.

There is many built in wordlist in kali you can use them. For using them change your directory by this command: “cd/usr/share/wordlists” after this command execute “ls” command and you will be able to see there is many built in text file, use them for brute forcing.

Below is an example where I am using hydra for crack “admin” password using the “output.txt” wordlist at 192.168.148.129 on port 80

Ex. “hydra -l admin -p Desktop/output.txt 192.168.148.129:80”

Using hydra on a web form

Using hydra on a web form is little bit tougher than normal brute forcing.

Here is the syntax of brute forcing on a web form: <url>:<form parameters>:<failure string>

Here we still need wordlist of username and password. Probably the ‘failure string’ is the most critical part in a web form brute forcing. This is the string that the web from returns when the username or password is incorrect. We need to capture the string and provide it to the hydra so hydra can know that the password or username attempted by hydra is wrong and after that it will try the next word in the list.

 We need identify some of the key parameters, those are

                                  ·        Ip address of the web site

                                  ·        URL

                                  ·        What type of form is that

                                  ·        Field of username

                                  ·        Field of password

                                  ·        Wrong attempt message

 In case of identify these we need to get a chrome plugin. Here I wanna introduce you to a new app called temper data which is chrome plugin and it can provide us web site data we need for brute forcing by hydra.

Okay. thank you all for reading this i will coming soon with my forth post on which i'll write about Temper data and using information to THC-HYDRA.

i'll be back soon. comment below. thank you.