Hacking into websites is one of the most fundamental skills a hacker can learn. As a developer, you should be aware of the risks.
Many websites get hacked! So how can you prevent your website or web app from being hacked? You should learn how a hacker thinks.
Once you learn how to hack into a website, you will be able to test the security of your website (or web app) and also know how others can hack into your website.
There are many tools available for hacking, but for beginners, I suggest Burp Suite or hydra. Burp Suite is a GUI tool and hydra is a terminal tool.
These tools are included in Kali Linux, a computer system for hacking. You should have some knowledge of the Linux command line.
Wait.. roll my own tools?
As a developer, you may be inclined to roll your own hacking tools. That is possible, but why reinvent the wheel?
If your goal is to test the security of your website, you wouldn't start with writing an operating system and designing a CPU. Instead, just use the tools that exist.
But.. how does the coding work?
Create a script in your favorite editor like VSCode or vim (learn vim). For example, to brute force you could intercept a curl request and run it through a Python for loop with a password text file to brute force.
hydra
Hydra lets you brute force passwords of any server. You do by having a password word list. This is a let of millions of passwords that Hydra will automatically try.
You can let it automatically bruteforce, with any protocol
The syntax is:
hydra -L <USERNAME_LIST> -P <PASSWORD_LIST> <TARGET_IP> <PROTOCOL>
You can brute force ssh, mysql, ftp and many other protocols.
hydra -L users.txt -P passwords.txt 192.168.0.1 ssh -u -V
It will output the passwords in the terminal:
Affirmative, this is a low level tool. For more high level attacks you can use a tool called burp suite.
Burp Suite
The way Burp Suite works is by intercepting your browser traffic. It then lets you modify the requests, so you can for instance brute force passwords on a login form. In the browser, you can set the Proxy to Burp Suite.
Step 1. Run Burp Suite
Step 2. Open Firefox and navigate to the login form
Step 3. Navigate to the Proxy tab in Burp Suite
Step 4. Press "Intercept On" in "Proxy -> Intercept"
Step 5. Set Burp in FoxyProxy
Step 6. Submit dummy data by clicking login with the dummy username and password in Firefox
Step 7. In Proxy Intercept -> Right click and Send to Intruder
Step 8. Click "Clear $" and add "$" around the username nad password
Step 9. Select "Cluster Bomb"
Step 10. In "Intruder -> Payloads" set a wordlist (password list) to try. You can set the payload for both parameter 1 and 2 (username and password)
Step 11. Click Start Attack and wait for credentials
Whew, this was quite a setup. Main difference is that with Burp Suite you only have to click, with hydra you have to use the command line. Burp Suite has more features than hydra.
More on web hacking? You may like: Ethical Hacking: Web App hacking
Top comments (0)