WebApp Sec mailing list archives
Dictionary and brute forcing web authentication?
From: "Mark G. Spencer" <mspencer () evidentdata com>
Date: Fri, 12 Sep 2003 12:55:41 -0700
I'm looking for advice on dictionary and brute forcing web authentication. Most of the websites I have access to at work have various kinds of forms-based authentication. I've been playing with a plugin for Sleuth (httpbrute_plugin.zip) and am having difficulty.

At a minimum I need to give the plugin the user and password fields from the source of the webpage so it knows where to perform the dictionary attack. I also need a failure string so the plugin knows when it has failed (and if it hasn't failed, theoretically succeeded), but herein lies the problem. I'm looking at a page called "securedefault.asp" .. When I enter a bogus username and password, the login screen just displays again .. No special failure message. Any ideas how to handle this?

Also .. I noticed on some websites that as soon as you go to them, a user and password box pops up. I am not able to view source on these, either in IE or Sleuth. In IE the user and password box opens immediately, and in Sleuth I get a Windows username and password box. I'm assuming these are *not* basic http authentication? Any advice on how to dictionary attack these things?

Thanks!

Mark
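The two behaviours the post describes leave distinctive traces on the server side, which is what a defender watching for this kind of guessing would key on: a form login that simply redisplays the login page on a bad password answers every failed POST with the same 2xx page (a successful login normally redirects), and a browser-native credential dialog is the client end of an HTTP 401 challenge (Basic, Digest or NTLM), so guessing against it shows up as a run of 401s from one client. The following detector is an added example, not code from the original post or from Sleuth or its plugin. It parses a small constructed access log in Common Log Format (the addresses and timestamps are made up; "/securedefault.asp" is the page name from the post), then flags any client that produces at least `threshold` failed form logins or 401s inside a sliding window of `window_seconds`. Both parameters are assumptions chosen for the sample, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log in Common Log Format (client - - [time] "request" status size).
# 203.0.113.7 hammers the form login; 198.51.100.4 mistypes once and then logs in (302);
# 192.0.2.9 collects a burst of 401s on an HTTP-auth protected area; 192.0.2.10 gets one
# challenge and then authenticates. One malformed line is included to show it is skipped.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2003:12:55:41 -0700] "POST /securedefault.asp HTTP/1.1" 200 1843
203.0.113.7 - - [12/Sep/2003:12:55:43 -0700] "POST /securedefault.asp HTTP/1.1" 200 1843
203.0.113.7 - - [12/Sep/2003:12:55:46 -0700] "POST /securedefault.asp HTTP/1.1" 200 1843
203.0.113.7 - - [12/Sep/2003:12:55:50 -0700] "POST /securedefault.asp HTTP/1.1" 200 1843
203.0.113.7 - - [12/Sep/2003:12:55:55 -0700] "POST /securedefault.asp HTTP/1.1" 200 1843
203.0.113.7 - - [12/Sep/2003:12:56:20 -0700] "POST /securedefault.asp HTTP/1.1" 200 1843
198.51.100.4 - - [12/Sep/2003:12:57:01 -0700] "POST /securedefault.asp HTTP/1.1" 200 1843
198.51.100.4 - - [12/Sep/2003:12:57:15 -0700] "POST /securedefault.asp HTTP/1.1" 302 0
this line is not a valid log record
192.0.2.9 - - [12/Sep/2003:13:00:01 -0700] "GET /intranet/ HTTP/1.1" 401 0
192.0.2.9 - - [12/Sep/2003:13:00:02 -0700] "GET /intranet/ HTTP/1.1" 401 0
192.0.2.9 - - [12/Sep/2003:13:00:03 -0700] "GET /intranet/ HTTP/1.1" 401 0
192.0.2.9 - - [12/Sep/2003:13:00:05 -0700] "GET /intranet/ HTTP/1.1" 401 0
192.0.2.9 - - [12/Sep/2003:13:00:08 -0700] "GET /intranet/ HTTP/1.1" 401 0
192.0.2.10 - - [12/Sep/2003:13:02:00 -0700] "GET /intranet/ HTTP/1.1" 401 0
192.0.2.10 - - [12/Sep/2003:13:02:06 -0700] "GET /intranet/ HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Turn one CLF line into a dict, or None when the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ip": d["ip"],
        "ts": datetime.strptime(d["ts"], TS_FMT),
        "method": d["method"],
        "path": d["path"],
        "status": int(d["status"]),
        "size": 0 if d["size"] == "-" else int(d["size"]),
    }


def is_failed_form_login(ev, login_path):
    # A failed attempt re-serves the login page with a 2xx; a success redirects (3xx).
    return ev["method"] == "POST" and ev["path"] == login_path and 200 <= ev["status"] < 300


def is_http_auth_challenge(ev):
    # Each browser credential pop-up corresponds to a 401 challenge from the server.
    return ev["status"] == 401


def max_events_in_window(times, window_seconds):
    """Largest number of timestamps that fall inside any window of window_seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(log_text, login_path="/securedefault.asp", threshold=5, window_seconds=60):
    """Return one alert per (client, kind) whose failure rate exceeds the threshold."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # malformed record: skip rather than crash the sweep
        if is_failed_form_login(ev, login_path):
            buckets[(ev["ip"], "form-login")].append(ev["ts"])
        elif is_http_auth_challenge(ev):
            buckets[(ev["ip"], "http-auth")].append(ev["ts"])
    alerts = []
    for (ip, kind), times in sorted(buckets.items()):
        n = max_events_in_window(times, window_seconds)
        if n >= threshold:
            alerts.append({"ip": ip, "kind": kind, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"{alert['ip']}: {alert['count']} {alert['kind']} failures within 60s")
```

Counting failed form logins by "login page re-served" rather than by an error string is the point of the first helper: it works precisely on sites like the one in the post that give no special failure message. The single mistyped password from 198.51.100.4 and the single 401 for 192.0.2.10 stay below the threshold, so the two alerts raised are for 203.0.113.7 (six failed POSTs) and 192.0.2.9 (five 401s); on a real server the same two counters are what a lockout or rate-limit rule on the login path would be fed from.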
Current thread:
- Dictionary and brute forcing web authentication? Mark G. Spencer (Sep 12)
- <Possible follow-ups>
- Re: Dictionary and brute forcing web authentication? DownBload (Sep 13)
- Re: Dictionary and brute forcing web authentication? Chris Varenhorst (Sep 14)
- Re: Dictionary and brute forcing web authentication? RSnake (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 15)
- Re: Dictionary and brute forcing web authentication? Martin Eiszner (Sep 15)
- RE: Dictionary and brute forcing web authentication? Sarbjit Singh Gill (Sep 15)
- Re: Dictionary and brute forcing web authentication? Sasa Jusic (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 15)
- RE: Dictionary and brute forcing web authentication? latte (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 22)