WebApp Sec mailing list archives

Re: Dictionary and brute forcing web authentication?

From: Sasa Jusic <sasa.jusic () zesoi fer hr>
Date: 15 Sep 2003 15:19:32 -0000

In-Reply-To: <007101c37967$d88df440$800101df () edi evidentdata com>

Hi Mark,

You should try curl (http://curl.haxx.se/)in combination with some scripting language like Perl, bash, etc. It is a 
great tool for this purpose and it has a support for SSL protocol, so it is even possible to brute-force the login 
interfaces over SSL.

The problem with successful and failed attempts you mentioned, you can resolve by looking in HTTP responses from 
server. If login is successful you will probably get a special identification cookie string from server which will show 
that your login attempt is correct. Otherwise, you will get a default cookie which is sent in the first reply from 
server.

I had the identical problem few days ago, and I have solved it this way. 

If you need more information, please contact me.

Good luck,

Sasa

I'm looking for advice on dictionary and brute forcing web =
authentication.
Most of the websites I have access to at work have various kinds of =
forms
based authentication.  I've been playing with a plugin for Sleuth
(httpbrute_plugin.zip) and am having difficulty.

At a minimum I need to give the plugin the user and password fields from =
the
source of the webpage so it knows where to perform the dictionary =
attack.  I
also need a failure string so the plugin knows when it has failed (and =
if it
hasn't failed, theoretically succeeded), but herein lies the problem.  =
I'm
looking at a page called "securedefault.asp" .. When I enter a bogus
username and password, the login screen just displays again .. No =
special
failure message.

Any ideas how to handle this?

Also .. I noticed on some websites that as soon as you go to them, a =
user
and password box pops up.  I am not able to view source on these, either =
in
IE or Sleuth.  In IE the user and password box opens immediately, and in
Sleuth I get a Windows username and password box.  I'm assuming these =
are
*not* basic http authentication?  Any advice on how to dictionary attack
these things?

Thanks!

Mark

Current thread:

Dictionary and brute forcing web authentication? Mark G. Spencer (Sep 12)
- <Possible follow-ups>
- Re: Dictionary and brute forcing web authentication? DownBload (Sep 13)
- Re: Dictionary and brute forcing web authentication? Chris Varenhorst (Sep 14)
  - Re: Dictionary and brute forcing web authentication? RSnake (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 15)
  - Re: Dictionary and brute forcing web authentication? Martin Eiszner (Sep 15)
  - RE: Dictionary and brute forcing web authentication? Sarbjit Singh Gill (Sep 15)
- Re: Dictionary and brute forcing web authentication? Sasa Jusic (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 15)
- RE: Dictionary and brute forcing web authentication? latte (Sep 15)
- RE: Dictionary and brute forcing web authentication? Calderon, Juan C (EM, DDEMESIS) (Sep 22)