Re: Looking for good Brute-Force Web form auditing tool

[Jordan Wiens <jwiens () nersp nerdc ufl edu>]

We just finished an eval between Appscap, Webinspect, and Cenzic 
Hailstorm (ironically, they're the current sponsor for the pen-test 
mailing list, so just check out the footer of the email for their urls).

While we went with Cenzic, I'm not sure that any of those products are 
really what you need.  All of those products are built for true 
application penetration testing and would be overkill for simple 
brute-forcing.  And while I know you said free wasn't a big deal, these 
programs are very expensive if you just need a brute forcer.

Have you tried THC-Hydra?  http://www.thc.org/thc-hydra/

While it's still free (so you don't get that fuzzy feeling that you're 
getting something worthwhile just because you spent money on it), it's 
also Free in the sense that you get the source code.  So you can't 
complain that you don't think it's trustworthy since it's easy enough to 
 verify for yourself what it's doing if you've got the ability to read 
and understand code.

If you're not familiar with linux and want to try Hydra, look into any 
one of the many linux security distros on a CD.  I'm sure you'll find a 
few with new versions of Hydra.  Heck, some of them even come with QEMU 
wrappers so you can boot the OS inside of windows.

--
Jordan Wiens, CISSP
UF Security Engineer
(352)392-2061

Art Cooper wrote:
> There are two products I have used that can do this.  They aren¹t cheap, but
> reporting is good with both of them.
>
> APPSCAN is one:
> http://www.watchfire.com/products/appscan/default.aspx
>
> The other one is WEBINSPECT:
> http://www.spidynamics.com/products/webinspect/index.html
>
> I personally like WEBINSPECT better.  You can really glean a lot of
> knowledge on web apps/forms using these tools.
>
> Best Regards,
> Coop
>
> Arthur B. Cooper Jr.  ³COOP²
> Innerwall, Senior Network Engineer
> Office: (719) 264-2737‹Email: acooper () innerwall com
> 2060 Briargate Parkway, Suite 339, Colorado Springs, CO 80920
> Website: http://www.innerwall.com
>
> From: <loki74 () gmail com>
> Date: 9 Jun 2006 14:59:25 -0000
> To: <pen-test () securityfocus com>
> Subject: Looking for good Brute-Force Web form auditing tool
>
> Hello all,
>
>  Looking for a good web form brute force auditing tool.  I must be able to
> use word lists, passwords and have extensive logging.  Not really
> comfortable with all the freeware (as I have know idea what it is really
> doing). I have tried brutus, and burp suite though.  I am looking for a
> faster, more robust tool.  Free is the not the most important factor, speed
> and reporting is. 
>
>
> Thanks,
>
> T
>
> ----------------------------------------------------------------------------
> --
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
> Choice Award from eWeek. As attacks through web applications continue to
> rise, 
> you need to proactively protect your applications from hackers. Cenzic has
> the 
> most comprehensive solutions to meet your application security penetration
> testing and vulnerability management needs. You have an option to go with a
> managed service (Cenzic ClickToSecure) or an enterprise software
> (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
> help you: http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to confirm your
> results from other product. Contact us at request () cenzic com for details.
> ----------------------------------------------------------------------------


------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------