Re: Dictionary and brute forcing web authentication?

[DownBload <downbload () hotmail com>]

In-Reply-To: <007101c37967$d88df440$800101df () edi evidentdata com>

Hi,

For basic http authentication cracking (I suppose that is your second described situation), you can try my 
htpasswdbrute2.pl simple perl script which you can find in this tar.gz archive:

http://www.ii-labs.org/iilabs_web/programs/mixed.tar.gz

bye...

> I'm looking for advice on dictionary and brute forcing web =
> authentication.
> Most of the websites I have access to at work have various kinds of =
> forms
> based authentication.  I've been playing with a plugin for Sleuth
> (httpbrute_plugin.zip) and am having difficulty.
>
> At a minimum I need to give the plugin the user and password fields from =
> the
> source of the webpage so it knows where to perform the dictionary =
> attack.  I
> also need a failure string so the plugin knows when it has failed (and =
> if it
> hasn't failed, theoretically succeeded), but herein lies the problem.  =
> I'm
> looking at a page called "securedefault.asp" .. When I enter a bogus
> username and password, the login screen just displays again .. No =
> special
> failure message.
>
> Any ideas how to handle this?
>
> Also .. I noticed on some websites that as soon as you go to them, a =
> user
> and password box pops up.  I am not able to view source on these, either =
> in
> IE or Sleuth.  In IE the user and password box opens immediately, and in
> Sleuth I get a Windows username and password box.  I'm assuming these =
> are
> *not* basic http authentication?  Any advice on how to dictionary attack
> these things?
>
> Thanks!
>
> Mark


------------------------------------
DownBload / Illegal Instruction Labs
Security Research & Education
http://www.ii-labs.org
e-mail:downbload[at]hotmail.com

"Born under the lucky star magical,
 but on this earth generally tragical."