Penetration Testing mailing list archives
Password HTML form bruteforce
From: joh ket <johket () hotmail com>
Date: 18 Apr 2002 09:16:13 -0000
Hi there,

I am currently involved in a pen test on a website which is using form-based authentication. I figured out that an account named 'test' exists... (...)

Now I want to brute force this account; I am using Brutus AET2 for this. But I do not know how to use the HTML response. Below is the packet capture of a response of a login which was successful:

HTTP/1.1.302.Object.Moved..Location:.start.cfm?cid=
(lines deleted)
<head><title>Document.Moved</title></head><body
<h1>Object.Moved</h1>
This.document.may.be.found.<a.HREF="start.cfm? cid=
(lines deleted)

A capture of an unsuccessful capture looks like this:

HTTP/1.1.302.Object.Moved..Location:.original.cfm? login=Invalid password. Please try again
(lines deleted)
Document.Moved</title></head>.<body><h1>Object. Moved</h1>This.document.may.be.found.<a.HREF=" original.cfm?login=Invalid password. Please try again">here</a>

So depending on the password I get redirected to a page...

How should the primary and the secondary response be configured? Or does somebody else have a better idea how to do this?

Thanks in advance!

Joh Ket

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/