
Here's a bit of information about how I was able to target and crack the initial login page for DVWA. As I was reading about Attack Methods, I was reminded that THC-Hydra could be used to submit usernames/passwords against login forms, and seeing as how I have a laptop with Kali Linux installed with OWASP ZAP and THC-HYDRA already included, I grabbed that beast and sat down to use a tool I've used before in a slightly different way.

Dictionary Attack: trying predefined words contained in a wordlist against a username and/or password.

To use THC-HYDRA to perform a dictionary attack against a login page (form)

Requirements

An Attacker - Kali Linux with OWASP ZAP (localhost:8081) and THC-HYDRA. To set up ZAP as a proxy read this page - I changed the port to 8081.
A dictionary of Usernames - however, I'll use a known login name (admin).
A dictionary of Passwords - /usr/share/wordlists/rockyou.txt (I've previously extracted the source file).

The simplistic explanation of this exercise is to automate submitting the username (admin) and every password in a word list (rockyou.txt) until we find a successful combination.

We need to capture some information before we can go ahead. Visit the DVWA login page with ZAP acting as a proxy. Login using ADMIN and 1234 as the credentials. Switch to ZAP and look for the POST method at the bottom (it should be near the end of the list), and click on it. In the top right frame, look at the request information.
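From the defender's side, the exercise above leaves an obvious footprint: one source address submitting the login form over and over in a short window. The following is an added example, not code from the original post, that flags that pattern in web-server access logs; the combined log format, the /dvwa/login.php path, the window and threshold, and the sample log lines are all assumptions constructed for the demo.

```python
# Added example: flag a dictionary attack against a login form by counting POST
# submissions per source address inside a sliding time window.
# Assumptions: Apache/nginx combined log format and a /dvwa/login.php login path.
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return the fields we care about, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }

def detect_login_bursts(lines, login_path="/dvwa/login.php", window_s=60, threshold=10):
    """Return {ip: start_of_burst} for every source that POSTs to the login form
    more than `threshold` times within any `window_s`-second window."""
    recent = defaultdict(deque)   # per-IP timestamps of recent login POSTs
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != login_path:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Drop timestamps that fell out of the window.
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = q[0]
    return alerts

# Constructed sample: one address hammers the form, another logs in once.
SAMPLE = [
    f'10.0.0.5 - - [01/Mar/2024:10:00:{i:02d} +0000] "POST /dvwa/login.php HTTP/1.1" 302 0'
    for i in range(12)
] + ['10.0.0.9 - - [01/Mar/2024:10:00:30 +0000] "POST /dvwa/login.php HTTP/1.1" 302 0']

if __name__ == "__main__":
    for ip, start in detect_login_bursts(SAMPLE).items():
        print(f"possible dictionary attack from {ip} starting {start.isoformat()}")
```

Tune the window and threshold to the site's normal login rate; for a real deployment the same counter belongs on the application's own failed-login events, which are not distinguishable from successes in the access log alone.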