Test for authentication data compatibility with popular dictionaries

Most web application users do not follow the recommendations for using difficult, non-dictionary access data. They often base their passwords on words and phrases they easily won't forget. These words are children's names, street addresses, favorite football team, place of birth, etc.User accounts – Especially administrative accounts should be protected with hard-to-guess access data.


To test whether access data is not too easy to guess, you can use the hydra tool together with a specially prepared list of the most popular access passwords e.g. rockyou.txt. Hydra is a tool that, in a balanced manner, supports several threads at the same time, automatically attempts to log on to network resources. Supports many protocols such as Cisco AAA, Cisco auth, Ciscoenable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST. In its operation it is very fast and flexible. It allows you to set a query period to avoid blocking. You can also add new modules. On Ubuntu, you can install it from the synaptic package manager. On Kali Linux, it is already available by default.

The figure below shows the use of the hydra tool against an application that uses easy access data.

Example of using hydra against a tested application

Figure. An example of using the hydra tool against the application being tested. Source: [Own study]

Chcesz wiedzieć więcej?

Zapisz się i bądź informowany o nowych postach (zero spamu!). Dodatkowo otrzymasz, moją prywatną listę 15 najbardziej przydatnych narzędzi (wraz z krótkim opisem), których używam przy testach penetracyjnych.

Nigdy nie podam, nie wymienię ani nie sprzedam Twojego adresu e-mail. W każdej chwili możesz zrezygnować z subskrypcji.

Bookmark the permalink.

Share your opinion about the article.