RE: password cracking a web form, tried hydra and brutus

From: Rob Shein (shoten_at_starpower.net)
Date: 02/04/04

  • Next message: wirepair: "Re: encrypting Autologon credentials?"
    To: <bishan@sumerusolutions.com>, <pen-test@securityfocus.com>
    Date: Wed, 4 Feb 2004 16:41:15 -0500
    
    

    The problem is you're trying to use HTTP authentication, instead of
    submitting the results to the form. Your better bet is to work something up,
    in perl most likely (but any tcp-capable language will do), that will submit
    requests just as would happen if you were to sequentially try various login
    attempts on their web page.

    There are also other ways you could poke at it...have you tried SQL
    injection attacks in either the password or login field?

    > -----Original Message-----
    > From: aRt dE vIvRe [mailto:bishan4u@yahoo.co.uk]
    > Sent: Monday, February 02, 2004 9:53 AM
    > To: pen-test@securityfocus.com
    > Subject: password cracking a web form, tried hydra and brutus
    >
    >
    > hi,
    >
    > we are conducting a PT for a website. In order to password
    > crack the login/password form authentication (which happens
    > to be squirrelmail, written in php, looks similar to the
    > login page of yahoo or msn) I was looking for some tools.
    >
    > I came across Hydra and Brutus. When I tried Brutus on an
    > inhouse dummy site, after configuring the parameters the
    > target would automatically become <target>redirect.php. I
    > googled but couldnot find a solution to it.
    >
    >
    > Then I tried hydra at with following command:
    > # hydra -l smg -p we2su 192.168.0.3 http /webmail/src/login.php
    >
    > it resulted as:
    > [80][www] host: 192.168.0.2 login: smg password: we2su
    >
    > which is a wrong result since I had given the wrong password.
    >
    > I get the same result for valid or invalid passwords.
    >
    > Am I doing anything wrong?
    >
    > Is there any other tool which does what I'm looking for?
    >
    > Pls. help me with this :)
    >
    > Regards,
    > B'shan
    >
    >
    >
    >
    >
    >
    >
    >
    >
    > --------------------------------------------------------------
    > -------------
    > --------------------------------------------------------------
    > --------------
    >
    >
    >

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------


  • Next message: wirepair: "Re: encrypting Autologon credentials?"

    Relevant Pages

    • Re: Web Scraping Login Required
      ... What I'm missing is whether this is possible for ... Usually this uses http authentication. ... site uses vast amounts of javascript to handle login you ...
      (comp.lang.tcl)
    • Re: [PHP] restrict access to multiple pages
      ... login page, so that you avoid the superfluous transaction. ... However, this implements HTTP authentication, ... Chris Shiflett - http://shiflett.org/ ... PHP Security Handbook ...
      (php.general)
    • Re: Streamlining login to Web site
      ... A form and CGI? ... presented with the login dialogue again. ... If you want to stick with HTTP authentication, ... the static HTML would be generated, some how, based on ...
      (comp.lang.perl.misc)