OWASP Exercises: Dictionary Attack using Hydra

Attackers constantly try to crack the passwords of other people in order to gain access to their accounts. The dictionary attack is one of the most common ways of attempting to crack a user's password. The attack works by attempting to use all of the words in a given dictionary file as the password for the user. If the user's password is in the dictionary used in the attack, the attacker is able to gain access. Hydra is a well-known tool for performing dictionary attacks.

In this lab, you will use Hydra to perform a dictionary attack on a locally hosted website.

Learning Objectives

Upon completion of this lab you will be able to:

• Set up Hydra to perform a dictionary attack on a website

Intended Audience

This lab is intended for:

• Individuals who want to learn how to defend against dictionary attacks on websites
• Security engineers who want to understand the security level of the passwords they are using inside their company
• Individuals who want to understand how a dictionary attack is performed

Prerequisites

This lab has no prerequisites.

Updates

August 13th, 2024 - Updated the instructions and screenshots to reflect the latest UI

September 21st, 2021 - Updated HyperV VMs to not used save state to avoid an issue with Azure VMs in the same SKU not all having the same processor features

September 7th, 2021 - Upgraded underlying disk, and Kali Hyper-V VM configuration for improved performance

July 9th, 2020 - Enabled direct browser RDP connection for a streamlined experience