HTTP form password brute forcing is not rocket science: you try multiple username/password combinations until you get a correct answer (or at least a non-negative one).
Password brute forcing, especially over a network, takes time, and while your software is attempting to find a correct username/password combination it is taking up both your resources and the remote system’s. While the brute force is being carried out you might not want to run an automated scan, for example, as the remote server may not be able to cope with the number of connections or the rapid succession of connections. At the same time, your own network bandwidth and system memory are also limited. So it makes sense that when you conduct a weak-password brute force it is done as fast as possible, so that your time and resources are freed up for other tasks.
And of course, you’re always going to be limited by time on a pentest/web app assessment, as the client’s budget is never unlimited.
So what is the fastest way to brute force an HTTP form today? I use Burp Suite for my web application security assessments and would normally use Burp’s Intruder, but is it the fastest tool for the job?
Of course, there are other limiting factors when brute forcing remotely, such as your Internet/network speed, CPU speed, RAM and the remote system’s response times, among others. For this experiment we’ll only be focusing on the software used to carry out the password brute force attack. This is far from a perfect in-depth study, but it should hopefully give an idea of which tool out of my small collection (Burp Intruder Spider vs Hydra http-post-form) is fastest.
In both tools I set a single username to brute force, admin, and used the rockyou-75.txt wordlist (19963 lines) with one addition: the correct password, appended as the last line of the file. The same username and password list were used for Burp’s Intruder (Sniper) and Hydra. Each tool was run one after the other, not at the same time.
Burp Suite Professional Intruder (Sniper) Version: 1.5.11
Hydra (http-post-form) Version: 7.4.2
A “Local” test was carried out on a localhost Apache 2 web server as well as a “Remote” test against the www.ethicalhack3r.co.uk Nginx web server.
The test form that I created to test against (both locally and remotely) does not make a database call, which is what would normally be expected of a real HTTP login form, so I’d expect my test login form to reply quicker than one that had to hit a database. The ‘Local’ and ‘Remote’ columns represent the time it took each tool to find the correct password, which was at the end of the wordlist.