HTTP Form Password Brute Forcing - The Need for Speed

HTTP Form password brute forcing is not rocket science, you try multiple username/password combinations until you get a correct answer (or non-negative answer).

Password brute forcing, especially over a network, takes time and while your software is attempting to find a correct username/password combination it is taking up your and the remote system's resources. While the brute force is being carried out you might not want to run an automated scan, for example, as the remote server may not be able to cope with the amount of connections or the rapid succession of connections. At the same time, your network bandwidth and system memory are also limited. It makes sense that when you conduct a weak password brute force it is done as fast as possible so that your time and resources are restored for other tasks.

And of course not forgetting that you're always going to be limited by time on a pentest/web app assessment as the client's budget is never unlimited.

So what is the fastest way to brute force a HTTP form today? I use Burp Suite for my Web Application Security Assessments and I would normally use Burp's Intruder, but is this the fastest tool to do it with?

Of course, there are other limiting factors when brute forcing remotely such as your Internet/Network speed, CPU speed, RAM and the remote system's response times, as well as other factors. For this experiment we'll only be focusing on the software used to carry out the password brute force attack. This is far from being a perfect in-depth study but it should hopefully give an idea which tool out of my small collection (Burp Intruder Spider Vs Hydra http-post-form) is fastest.

The Setup

On both tools I set one user to brute force, admin, and used the rockyou-75.txt wordlist (19963 lines), which has one addition which is the correct password which was added to the last line of the file. Both the same username and password list was used for Burp's Intruder (Sniper) and Hydra. Each tool was run one after the other, not at the same time.

Burp Suite Professional Intruder (Sniper) Version: 1.5.11
Hydra (http-post-form) Version: 7.4.2

A "Local" test was carried out on a localhost Apache 2 web server as well as a "Remote" test against the Nginx web server.

The Test Form that I created to test against (both locally and remotely) does not make a database call which is what would normally be expected on a real HTTP login form. I'd expect my test login form to reply quicker than if it had to make a database call. The 'Local' and 'Remote' columns represent the time it took the tool to find the correct password which was at the end of the wordlist.

The Results

The first test was done with Hydra's and Burp's default thread/task settings, by default Hydra sets '16 tasks' and by default Burp's Intruder sets '5 threads'.

default burp vs hydra

As you can see from the above table, Hydra vastly outperforms Burp when using the default settings both locally and remotely.

The second test was done with Burp's threads set to 16, to match Hydra's default tasks setting.

burp 16 threads

The above table gives some unexpected results. Locally Hydra vastly outperforms Burp, but remotely Burp vastly outperforms Hydra.

It looks as though to get the most out of my remote HTTP Form password brute forcing I should be using Burp's Intruder and changing the default 5 threads to something higher, like 16 (depending on how the remote server handles the attack). Of course, this is not conclusive evidence of which tool is faster than the other due to the many variables involved. If you get different results let me know! As Hydra is a dedicated password brute forcing tool I did expect it to outperform Burp's Intruder as Burp is an all round Web Application Security Assessment tool. This doesn't mean I won't be using Hydra to brute force other services, like FTP for example. They have done a comparison themselves using FTP and SSH which shows them as being the fastest for these services out of a few different tools, the comparison can be found at the bottom of this page.


Recently there was a spike in WordPress brute force attacks, here is a table comparing Hydra, Burp's Intruder and WPScan's bruter against local and remote WordPress installs.

Screen Shot 2013-04-17 at 20.47.26

WPScan came in behind Burp's Intruder but in front of Hydra's http-post-form module in both local and remote tests. If you're going to brute force WordPress and you are determined (using a large list) you may want to use Burp Suite Professional's Intruder tool, otherwise use WPScan. ;)

If you compare this table against the brute force against the Test Form table, you can see the difference the login form itself makes on the time a brute force takes to complete. In Hydra's case, this is significant.

Hydra Commands Used in Testing

Local at default tasks:

$ hydra -l admin -P ~/Tools/wordlists/rockyou-75.txt http-post-form "/login.php:username=^USER^&password=^PASS^&submit=Submit:Incorrect"

Remote at default tasks:

$ hydra -l admin -P ~/Tools/wordlists/rockyou-75.txt http-post-form "/files/misc/login.php:username=^USER^&password=^PASS^&submit=Submit:Incorrect"

Local WordPress (this did not output that it had found the valid pass due to what looks like a WP infinite redirect bug, it did actually authenticate though):

hydra -l admin -P ~/Tools/wordlists/rockyou-75.txt http-post-form "/wordpress/wordpress-351/wp-login.php:log=^USER^&pwd=^PASS^:login_error"

WPScan Commands Used in Testing

WPScan command used (local):

$ ./wpscan.rb -u -U admin -w ~/Tools/wordlists/rockyou-75.txt -t 16

WPScan command used (remote):

$ ./wpscan.rb -u -U admin -w ~/Tools/wordlists/rockyou-75.txt -t 16