Hydra is a very good brute-force tool that ships with Kali Linux. It is very effective but requires some understanding to make sure it works as intended.
In this case, I will use it to brute-force the admin account of the web app, but hydra can be used for much more.
The first step is to see how the web app responds to a login attempt (the form parameter names and the text it returns on failure), since hydra needs this information. Burp Suite is very helpful for this.
Once we have the info we need, we can craft the hydra request.
We use lower-case -l since we provide a single, specific value for the user account.
We use upper-case -P since we provide a wordlist for the password.
We use the “username” and “password” parameters, as we saw in Burp Suite.
“Invalid username or password” is a necessary fail condition so hydra knows what a failed login attempt looks like.
-f makes hydra stop on success, so it will not keep going once the password is found.
-V shows each attempt as it is tried, so we can see the failed ones as well.
After running the command, it may take a while to find the correct value. As we can see, we get a hit here.
We use the login and password and get access to the admin account.
Mitigation is simple: change the admin login from the default to something less guessable, and use a stronger password as well.
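From the defender's side, the run described above leaves a distinctive trace: a burst of failed logins for one account from one source, and (because of -f) a single success immediately after the burst. The following is an added example, not code from the original write-up or from hydra, that detects exactly that pattern. The log format (timestamp, event name, user=, src=) and the sample lines are constructed for the example and are not the web app's real log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample application-log lines in a hypothetical format
# "<ISO timestamp> <event> user=<name> src=<ip>". The first block mimics
# a wordlist run against "admin" that stops on its first success.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z login_failed user=admin src=203.0.113.7
2024-03-01T10:00:00Z login_failed user=admin src=203.0.113.7
2024-03-01T10:00:01Z login_failed user=admin src=203.0.113.7
2024-03-01T10:00:01Z login_failed user=admin src=203.0.113.7
2024-03-01T10:00:02Z login_failed user=admin src=203.0.113.7
2024-03-01T10:00:02Z login_failed user=admin src=203.0.113.7
2024-03-01T10:00:03Z login_success user=admin src=203.0.113.7
2024-03-01T10:05:00Z login_failed user=alice src=198.51.100.4
2024-03-01T10:07:30Z login_success user=alice src=198.51.100.4
"""

THRESHOLD = 5              # failures per (src, user) that count as a burst
WINDOW = timedelta(seconds=60)  # sliding window the failures must fall into


def parse_line(line):
    """Split one constructed log line into (timestamp, event, user, src)."""
    ts_str, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, event, fields["user"], fields["src"]


def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as tuples (kind, src, user, failures_in_window).

    A "burst" alert is raised once per (src, user) when `threshold` failures
    land inside `window`. A "success_after_burst" alert is raised when that
    same pair then logs in successfully: this is the stop-on-success shape
    of a wordlist attack and deserves the highest priority.
    """
    failures = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    flagged = set()                # pairs already reported as a burst
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = parse_line(line)
        key = (src, user)
        recent = failures[key]
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if event == "login_failed":
            recent.append(ts)
            if len(recent) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("burst", src, user, len(recent)))
        elif event == "login_success":
            if key in flagged:
                alerts.append(("success_after_burst", src, user, len(recent)))
            # A success resets the counters for this pair.
            recent.clear()
            flagged.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Alice's single failure followed by a success minutes later produces nothing, while the admin burst produces both a "burst" alert and a "success_after_burst" alert. Keying on (source, user) rather than source alone keeps a shared NAT address from drowning out a targeted account; pairing this detection with a per-account lockout or rate limit at the login endpoint complements the credential changes above.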