SBM Labs

Cyber Security Collaboration Project

Brute-Force Attack
10 May 2014

The aim of this lab is to carry out a successful brute-force attack against the web application's login form.

For this lab you will need:
1. The Mozilla Firefox browser.
2. The Live HTTP Headers plugin.
3. The Hydra tool.
4. A wordlist of the most commonly used logins and passwords.

Go to the lab Brute-Force Attack. Opening the page sends an HTTP request to the server using the GET method.

Install and run the Live HTTP Headers plugin in Mozilla Firefox. Then enter any login and password and click the "Sign in" button. This time the HTTP request is sent to the server using the POST method, and you will see a message saying that authentication failed.

Then find that POST request in Live HTTP Headers.

In order to run Hydra you will need the following values from the captured request:
1. Hostname - penlab.sbmlabs.com.
2. URL - /brute_force_attack.
3. HTTP method - POST.
4. Request parameters - username, password.
5. The web application's response on authentication failure - Authentication failed!

Then download a wordlist of the most commonly used logins and passwords.

Run Hydra:

hydra -L /path/to/login.txt -P /path/to/password.txt -f -V penlab.sbmlabs.com http-form-post "/brute_force_attack:username=^USER^&password=^PASS^:Authentication failed!"

Then enter the login and password that Hydra reported as valid and click "Sign In".

Use strong passwords and a CAPTCHA to prevent this kind of simple brute-force attack.
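The form in this lab accepts an unlimited number of guesses, which is exactly what lets a wordlist tool succeed. The following Python example, added here and not part of the lab or its web application, models the /brute_force_attack form in two configurations: the unprotected one from the lab and a corrected one that counts failures per source address and per account and locks the key once it reaches a threshold. The demo account in DEMO_USERS, the thresholds, the wordlist and the replay_wordlist helper are constructed for the example.

```python
"""Server-side throttling of login attempts (added example, not lab code).

Models the /brute_force_attack form described above: a POST carrying
'username' and 'password' that answers "Authentication failed!" on a miss.
The account, thresholds and clock below are constructed for the demo."""

import hmac
import time
from collections import defaultdict, deque

# Constructed demo account; a real application would store a password hash
# and look the user up in its own database.
DEMO_USERS = {"alice": "correct-horse-battery-staple"}

WINDOW_SECONDS = 300    # sliding window in which failures are counted
LOCKOUT_SECONDS = 900   # how long a tripped key stays blocked


class LoginGuard:
    """Counts failed logins per source address and per account name and
    blocks a key once it reaches max_failures inside the sliding window.
    max_failures=None disables throttling (the lab's unprotected form)."""

    def __init__(self, max_failures=5, clock=time.monotonic):
        self.max_failures = max_failures
        self.clock = clock                    # injectable for deterministic tests
        self.failures = defaultdict(deque)    # key -> timestamps of recent failures
        self.blocked_until = {}               # key -> time the block expires

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_blocked(self, key, now):
        until = self.blocked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        del self.blocked_until[key]           # lockout expired: start fresh
        self.failures[key].clear()
        return False

    def record_failure(self, key, now):
        if self.max_failures is None:
            return
        self._prune(key, now)
        self.failures[key].append(now)
        if len(self.failures[key]) >= self.max_failures:
            self.blocked_until[key] = now + LOCKOUT_SECONDS

    def attempt(self, src_ip, username, password):
        """Return the body the form would answer with for one POST."""
        now = self.clock()
        keys = (f"ip:{src_ip}", f"user:{username}")
        if any(self.is_blocked(k, now) for k in keys):
            return "Too many attempts, try again later."
        expected = DEMO_USERS.get(username, "")
        # Constant-time compare; an unknown user never matches.
        ok = expected != "" and hmac.compare_digest(expected.encode(), password.encode())
        if ok:
            for k in keys:
                self.failures[k].clear()
            return "Welcome!"
        for k in keys:
            self.record_failure(k, now)
        return "Authentication failed!"


def replay_wordlist(guard, src_ip, username, wordlist):
    """Submit each wordlist entry to the form in turn and collect the responses,
    so the two configurations can be compared side by side."""
    return [guard.attempt(src_ip, username, pw) for pw in wordlist]


# Constructed wordlist: common guesses followed by the real password.
WORDLIST = ["123456", "password", "qwerty", "letmein", "admin", "welcome",
            "correct-horse-battery-staple"]


def demo():
    clock = [1000.0]

    def tick():
        return clock[0]

    # Weak setting: no throttling, so the last guess in the list is accepted.
    weak = replay_wordlist(LoginGuard(max_failures=None, clock=tick),
                           "203.0.113.5", "alice", WORDLIST)
    # Corrected setting: after 5 failures further guesses are refused,
    # including the correct one.
    guard = LoginGuard(max_failures=5, clock=tick)
    hard = replay_wordlist(guard, "203.0.113.5", "alice", WORDLIST)
    # Once the lockout expires the legitimate user can sign in again.
    clock[0] += LOCKOUT_SECONDS + 1
    after = guard.attempt("198.51.100.9", "alice", WORDLIST[-1])
    return weak, hard, after


if __name__ == "__main__":
    for name, result in zip(("weak", "hard", "after"), demo()):
        print(name, result)
```

Blocking on both the source address and the account name matters: keying on the address alone is defeated by spreading guesses across many hosts, and keying on the account alone lets one host work through a login list. The lockout answer is deliberately distinct from "Authentication failed!" so that monitoring can count it separately.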