WebApp Sec mailing list archives
Re: Dictionary and brute forcing web authentication?
From: DownBload <downbload () hotmail com>
Date: 13 Sep 2003 18:14:45 -0000
In-Reply-To: <007101c37967$d88df440$800101df () edi evidentdata com>

Hi,

For basic http authentication cracking (I suppose that is your second described situation), you can try my htpasswdbrute2.pl simple perl script which you can find in this tar.gz archive: http://www.ii-labs.org/iilabs_web/programs/mixed.tar.gz

bye...
> I'm looking for advice on dictionary and brute forcing web authentication. Most of the websites I have access to at work have various kinds of forms based authentication. I've been playing with a plugin for Sleuth (httpbrute_plugin.zip) and am having difficulty.
>
> At a minimum I need to give the plugin the user and password fields from the source of the webpage so it knows where to perform the dictionary attack. I also need a failure string so the plugin knows when it has failed (and if it hasn't failed, theoretically succeeded), but herein lies the problem. I'm looking at a page called "securedefault.asp" .. When I enter a bogus username and password, the login screen just displays again .. No special failure message. Any ideas how to handle this?
>
> Also .. I noticed on some websites that as soon as you go to them, a user and password box pops up. I am not able to view source on these, either in IE or Sleuth. In IE the user and password box opens immediately, and in Sleuth I get a Windows username and password box. I'm assuming these are *not* basic http authentication? Any advice on how to dictionary attack these things?
>
> Thanks!
>
> Mark
------------------------------------
DownBload / Illegal Instruction Labs
Security Research & Education
http://www.ii-labs.org
e-mail:downbload[at]hotmail.com
"Born under the lucky star magical, but on this earth generally tragical."
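Seen from the server side, the problem Mark describes (a wrong password just re-serves the login form, with no distinct failure message) is the same thing a defender has to work around when looking for password guessing in web-server logs: there is no failure string to match, so the detection has to key on what the server does know, namely that a re-served form comes back as 200 while an accepted login typically answers with a redirect (302). The Python below is an added example, not code from the thread or from any tool mentioned in it; the log lines are constructed in combined log format, the path /securedefault.asp is taken from Mark's message, and the window and threshold are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format line: client ip, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def detect_login_bruteforce(lines, login_path="/securedefault.asp",
                            window=timedelta(minutes=5), threshold=10):
    """Flag clients that POST to the login page and get the form re-served (200)
    `threshold` or more times inside `window`; escalate if a redirect (302, i.e. an
    accepted login) follows such a burst. Window and threshold are assumed values."""
    failures = defaultdict(deque)   # ip -> timestamps of recent re-served-form responses
    flagged = set()                 # ips that already raised a burst alert
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        q = failures[rec["ip"]]
        if 300 <= rec["status"] < 400:
            # Redirect after a long run of failures: a guess was finally accepted.
            if len(q) >= threshold:
                alerts.append({"ip": rec["ip"], "kind": "success_after_burst",
                               "failures": len(q), "at": rec["ts"]})
            q.clear()
            continue
        if rec["status"] == 200:
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:   # drop attempts outside the window
                q.popleft()
            if len(q) >= threshold and rec["ip"] not in flagged:
                flagged.add(rec["ip"])
                alerts.append({"ip": rec["ip"], "kind": "burst",
                               "failures": len(q), "at": rec["ts"]})
    return alerts


def build_sample_log():
    """Constructed sample log lines (not from the thread): one ordinary user who
    mistypes once, and one client that posts the same form twelve times a second apart."""
    base = datetime(2003, 9, 13, 18, 10, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size}'
    lines = []

    def add(ip, secs, method, path, status, size):
        ts = (base + timedelta(seconds=secs)).strftime(TS_FORMAT)
        lines.append(fmt.format(ip=ip, ts=ts, method=method, path=path, status=status, size=size))

    add("192.0.2.7", 0, "GET", "/securedefault.asp", 200, 2310)
    add("192.0.2.7", 5, "POST", "/securedefault.asp", 200, 2310)   # one typo, form re-served
    add("192.0.2.7", 12, "POST", "/securedefault.asp", 302, 180)   # then a normal successful login
    for i in range(12):                                              # scripted guessing, one per second
        add("10.0.0.5", 30 + i, "POST", "/securedefault.asp", 200, 2310)
    add("10.0.0.5", 43, "POST", "/securedefault.asp", 302, 180)     # a guess accepted after the burst
    return lines


if __name__ == "__main__":
    for alert in detect_login_bruteforce(build_sample_log()):
        print(alert)
```

The 200-versus-302 rule is an assumption about this particular login page; on a site that re-renders the form with a 200 on success as well, the response size column is the next thing to key on, since a re-served form is the same length every time while a logged-in page is not. Either way the signal is the same one Mark's plugin lacks a failure string for, just observed from the side that has the status codes.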
Current thread:
- Dictionary and brute forcing web authentication? Mark G. Spencer (Sep 12)
- <Possible follow-ups>
- Re: Dictionary and brute forcing web authentication? DownBload (Sep 13)
- Re: Dictionary and brute forcing web authentication? Chris Varenhorst (Sep 14)
- Re: Dictionary and brute forcing web authentication? RSnake (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 15)
- Re: Dictionary and brute forcing web authentication? Martin Eiszner (Sep 15)
- RE: Dictionary and brute forcing web authentication? Sarbjit Singh Gill (Sep 15)
- Re: Dictionary and brute forcing web authentication? Sasa Jusic (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 15)
- RE: Dictionary and brute forcing web authentication? latte (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 22)