Security Basics mailing list archives
Re: Web brute forcing tool against HTTPS
From: Ahmad Taha <ahmad.taha () usa net>
Date: Thu, 03 Jan 2008 10:47:22 +0200
Hi Whitehat,Or you can redirect the traffic as usual with stunnel for example, you can set stunnel to listen for connections on local tcp port 80 and forward to remote www.SiteToBeTested.com on port 443, then make your tool (e.g. Brutus) brute force your localhost on port 80 which will then be automatically redirected to www.SiteToBeTested.com on port 443, that is of course you need to use certain tool that doesn't support HTTPS by default.
Regards, Ahmad Taha Zaki Whitehat wrote:
Hi Anthony, Thank you for your valuable inputs..... Cheers !!! Regards, Whitehat. Anthony_Cicalla () McAfee com wrote:Other Brute Forcers Brutus http://www.hoobie.net/brutus/brutus-download.html Is there any other software like Brutus? There are more tools now than there were when Brutus was originally released, some tools of note include: wwwhack - Offering HTTP, POP3 & FTP - generally nice and easy to use. http://www.wwwhack.com/ Entry - Offering HTTP, POP3 & FTP - commercial and freeware versions. http://web.idirect.com/~elitesys/entry/index.html http://freeworld.thc.org/thc-hydra/ Hydra is a parallized login cracker which supports numerous protocols to attack. New modules are easy to add, beside that, it is flexible and very fast. Currently this tool supports: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, LDAP, SMB, SMBNT, MS-SQL, MYSQL, REXEC, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable, Cisco AAA (incorporated in telnet module). This tool is a proof of concept code, to give researchers and securityconsultants the possiblity to show how easy it would be to gain unauthorizedaccess from remote to a system Sincerely, Anthony Cicalla, CNA, CEH, CISSP, GSNA, MCP, SCTA Research ScientistMcAfee, Inc. 535 Oakmead Pkwy Sunnyvale, CA 94085 408.992.8300 Main 408.992.8441 Direct 408.720.8450 Fax 925-262-7565 Cell Anthony_Cicalla () mcafee com www.Mcafeesecure.com -----Original Message-----From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] OnBehalf Of Whitehat Sent: Friday, October 24, 2008 12:27 PM To: pen-test; security-basics () securityfocus com Subject: Web brute forcing tool against HTTPS Dear List,I'm doing a Web application PT against a website running on HTTPS - in which I found that the password recovery mechanism is weak because if you enter a correct Registration ID then it'll send a new password to the corresponding email. Now my Idea is to perform a brute force attack against the input field which could lead to a potential "Denial of Service" since I know the length of Registration ID.I'm trying "Crowbar" as usual, but......It it is not able to get the base response.I could able to do this successfully for many other sites. Is it because of: 1.HTTPs- Can't we brute force HTTPs implemented sites ????? 2.Implementing ViewState in aspx. 3.Or something else that causing error??? Please suggest me different techniques Or any other TOOL to do that. Cheers, Whitehat. ------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------ .
Current thread:
- RE: Web brute forcing tool against HTTPS Anthony_Cicalla (Oct 28)
- Efforts for fight spam and phishing websites Adam Pal (Oct 29)
- Re: Efforts for fight spam and phishing websites Shreyas Zare (Oct 29)
- Re: Efforts for fight spam and phishing websites Thomas Jespersen (Oct 29)
- Re: Efforts for fight spam and phishing websites Michael Painter (Oct 29)
- Message not available
- Re: Web brute forcing tool against HTTPS Ahmad Taha (Oct 31)
- Efforts for fight spam and phishing websites Adam Pal (Oct 29)