
Web Form Brute Force Methods

Demonstration by Shritam Bhowmick


Web Application Penetration Tester
Independent Consulting Security Evangelist

Dated: 6th August, 2014, Springs, 4:00 PM IST

All information contained in here is for academic research, web application exploitation research, bug
hunting research, laboratory test bed uses, and for educational purposes only. The techniques shown
here are not designed to compromise live machines, web applications or a host. These techniques are
laid down on purpose for awareness and research, thereby the authors are not responsible for the
actions conducted by individuals in any form. Neither is this document transmissible or re-useable;
written permission from the authors is a must, failing which certain legal actions might be provoked.

Web Application Exploitation with Shritam Bhowmick

This is a set of web application penetration testing challenges hosted over pentesteracademylab.appspot.com; it
reflects several challenges for web application security researchers to break in a safe environment. This
is for lab practice only, and no part of this document was provided by the original authors.


Contents
Hack............................................................................................................................................................... 4
Method 1: Using Hydra to Brute Force Web Logins: .................................................................................... 8
Method 2: Using Burp Suite Intruder to Brute Force Web Logins: ............................................................. 13
Method 3: Using Python to break Web-Form Login: .................................................................................. 32
Method 4: Using WebSlayer to Brute Force Web Logins: .......................................................................... 38
Method 5: Nmap Script Code to break web form: ..................................................................................... 48
Contact Information.................................................................................................................................... 58


Challenge: Use Brute-force methods to hack into the login pages.


Target: http://pentesteracademylab.appspot.com/lab/webapp/1
Topic: Using Crunch and Brute forces on Web Application Web Forms.

Hack
Hack: So, the usernames are jack and admin for the challenge, which were provided to us as a hint. We
have to create a file for the users. This could be done on Linux by issuing the following command:
#echo -e "admin@pentesteracademy.com\nnick@pentesteracademy.com" > users.txt

Note: echo with the -e switch is used to interpret the \n escape, which is required for a line feed. Also, a [space]
isn't put before the \n, because it would end up as a trailing space on the first username (and hydra would
then send that space as part of the login); the second name must start at the very first column of its own
line without any spaces involved.
Generating a custom password list with 5 minimum and 5 maximum size, with xyz as the character set.
Crunch: we'd use crunch to generate our own custom password list. Passwords could be fetched in
case there were no hints provided; we could also later let Hydra generate the password candidates
itself (its -x MIN:MAX:CHARSET option) prior to brute force attacks, but here, to keep things at ease,
we've used crunch. Note that for web applications which do not hint you anything, and you'd not expect
a minimum or maximum length, or either the characters which are being used for the password in the
first place, use fuzzdb. This includes username and password files which were pre-generated by the
community for the community of hackers. Use fuzzdb for other injections as well; use it for dictionary
attacks if you wouldn't want a hybrid based brute force running for long years on a low-end spec system
at your disposal.
To generate passwords using crunch which have minimum 5 characters and maximum 5 characters, as
depicted by the hint for this particular challenge, with the characters themselves restricted to 'x',
'y' and 'z' (which yields 3^5 = 243 candidates), use the following command at the Linux command line,
or do bash operations. Anything helps!
#crunch 5 5 xyz > passwords.txt

What we have is a list of users and the list of password candidates. Look at the URL and see if the parameters
are being passed in the URL; if they are, it's a GET based request. By default, if the page source doesn't
declare a method on the form, it's taken as the GET method. To demonstrate this, input any dummy characters in
the input fields:

The parameters as well as their values are reflected in the URL, which confirms it's a GET request which
is sent by the client to access the resource:

Now, if this is verified from the source, after we try to login, we will see there is no method described at
the source page, which means again that the default (if not specified by the source) method would
be a GET request:
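The form-inspection step above (which fields exist, and whether the form submits by GET or POST) can be done programmatically. The following Python script is an added example and not part of the original write-up: it parses a login form's HTML, applies the browser default of GET when the method attribute is absent, lists the named input fields and assembles the colon-separated specification that hydra's http-form modules take. The markup below is a constructed stand-in for the lab page, not its real source; the field names email and password are the ones the page reports.

```python
from html.parser import HTMLParser

# Constructed stand-in for the lab's login page markup (assumption: the real
# page is not reproduced here). Note the <form> has no method attribute.
SAMPLE_PAGE = """
<html><body>
<form action="/lab/webapp/1">
  Email: <input type="text" name="email">
  Password: <input type="password" name="password">
  <input type="submit" value="Sign In">
</form>
</body></html>
"""


class FormExtractor(HTMLParser):
    """Collect every <form> with its action, method and named input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Browsers submit with GET when the method attribute is missing.
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
        elif tag == "input" and self._current is not None:
            # Unnamed inputs (the submit button here) never reach the query string.
            if a.get("name"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def extract_forms(html):
    parser = FormExtractor()
    parser.feed(html)
    parser.close()
    return parser.forms


def hydra_module(form):
    """Pick the hydra module that matches the form's method."""
    return "http-form-post" if form["method"] == "post" else "http-form-get"


def hydra_spec(form, failure_string):
    """Build hydra's 'path:query:condition' argument. Assumes the first two
    named fields are username and password, which holds for this lab form."""
    user_field, pass_field = form["fields"][:2]
    query = "%s=^USER^&%s=^PASS^" % (user_field, pass_field)
    return "%s:%s:%s" % (form["action"], query, failure_string)


if __name__ == "__main__":
    for form in extract_forms(SAMPLE_PAGE):
        print(form["method"].upper(), form["action"], form["fields"])
        print(hydra_module(form), '"%s"' % hydra_spec(form, "Failed"))
```

The printed spec is exactly what the Hydra method below wraps in double quotes; if the form had declared method="post", the same script would name http-form-post instead.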


The username hints and the domain given were jack and admin as users and the domain as
pentesteracademy.com, so the possible username set would be:
jack@pentesteracademy.com
admin@pentesteracademy.com

Now that we have the valid usernames (before, we used nick and admin to generate the username file
as an example, which were invalid), we need to go and brute force the login with this set of
usernames and the generated password list, taking 'x', 'y' and 'z' with minimum 5 characters and
maximum 5 characters, as our password list. For this, there are five methods by which we can accomplish the
brute force on web applications:

1.) Use Hydra for Brute Forcing
2.) Use Burp Suite as a web-client proxy for Brute Forcing with Intruder
3.) Using python scripts and designing a python script which goes ahead and brute forces the login
4.) Using WebSlayer with Hydra generated password lists
5.) Using the power of the Nmap Scripting Engine to facilitate web form bruteforces.


Method 1: Using Hydra to Brute Force Web Logins:


About Hydra:
For web-based forms, you have to know much more information about the form you are attacking
before you start the attack. Every web-based form is slightly different, different URLs and parameters,
and different responses for success or failure.
You need to know:
The hostname/IP and URL
Whether it is a HTTPS or HTTP service
Whether the form supports GET or POST (or both)
The parameters of the request
The difference in response between success and failure
Whether any session cookies are required to be set or maintained
What lockout features and thresholds are enabled (if any)
Now for an example consider the form fields, described below in the image:

Here consider the following:

1.) Hostname: the hostname would be your target hostname, or an IP. Just that.
2.) URI: the Uniform Resource Identifier, i.e. the path on that host where the form is located
(hydra takes the path separately from the host, not the full URL).
3.) Method: The method shown in the image is POST, but in
pentesteracademylab.appspot.com/lab/webapp/1, the one we're into, it's GET, so we'd use GET
rather than POST there.
4.) Also, the URI is cut out from the rest of the host information and kept enclosed in double quotes
together with the form parameters.



5.) Hydra basically iterates through all the username/password combinations, until it gets a
response that does not contain the blacklisted text, or that does contain the whitelist string if a
whitelist string is provided.
6.) The blacklist string would be the string that comes up if the user is not authenticated; the
application throws out a string which hydra can pick up, and if Hydra does not find that string in a
response, it will assume that it's logged in and log the username and password which were
successful in bruting the web-login. Note the weak spot: any response that lacks the string for
another reason (a lockout page, a server error, a CAPTCHA challenge) is also counted as a hit, so
verify hydra's findings by hand.
7.) The whitelist is a different scenario: if Hydra has to detect web-login success by a string that
only appears on a successful login, and any such whitelist string is found, hydra will log the
credentials for that very request, i.e. the username and the password for that request (POST or
GET). In hydra's syntax the condition string is a failure string by default; prefix it with S= to
make it a success string.
Not knowing or understanding the above information can be a big cause of failure.

The host is pentesteracademylab.appspot.com. It's a GET method, so pick up http-form-get, because it's
a web form as well. The URL, or more specifically the form fields, are situated in /lab/webapp/1 in this case.

With the form fields set, append the email (users for authentication) and the passwords
with the appropriate user and password lists, and note that this would be done in continuation
of the form fields in order to complete the form itself. The form field declaration in hydra
would be enclosed in double quotes: "/lab/webapp/1:email=^USER^&password=^PASS^"
We use 'email' and 'password' as our parameters here because the source code has the email
and the password as its entries; if it were a different application, this might change!

Anything in-between ^_____^ specifies that hydra needs a feed into these places, which turns
out to be the username file and the password file respectively. Notice that there are more
parameters which hydra needs to brute force the web login, which is the reason the double
quotes are not closed yet.

The parameters are separated by colons (:), and the next step is to let hydra know when the
login is successful. For instance, while logging in, if a user fails to get authenticated, Hydra takes a
blacklist string like 'Failed' or 'Authentication Failure' as the string and detects if these blacklist
words do not appear; then it's a successful login. So we'd have to append that as well along with
the /lab/webapp/1:email=^USER^&password=^PASS^, which could be done by appending yet
another colon, for example /lab/webapp/1:email=^USER^&password=^PASS^:blacklist
string
So for now, our whole query for hydra would be: hydra pentesteracademylab.appspot.com http-form-get "/lab/webapp/1:email=^USER^&password=^PASS^:Failed"
Notice that the query ends now with the double quotes in place; we also set the blacklist
string to 'Failed' because in this web login, any failed login attempt generates the string
'Failed! Please Try Again!', which could be seen below:

Alternatively we could also provide whitelist strings in case we know what the successful attempts
would look like, and the application never throws any strings on unsuccessful logins on web
forms. Now, if we are running Hydra from the directory where our users and password files
which were generated are stored, we could provide the users and the passwords list as they are, or
give the directory path, for login users using the -L switch and for the password list using the -P
switch, which is: -L users.txt -P passwords.txt

Next, we would also add threading because hydra supports parallel connections; the -t switch
sets the number of parallel tasks (hydra's default is 16, and the target's lockout threshold, if any,
should decide how high you go), so here we use -t 20.
At last, we include the -o switch to save the results in a text file called 'results.txt'.
Final Query for Hydra: hydra pentesteracademylab.appspot.com http-form-get
"/lab/webapp/1:email=^USER^&password=^PASS^:Failed" -L users.txt -P passwords.txt -t 20 -o
results.txt

This will fetch the valid logins and passwords, if found using the blacklist string, and store the results in
a text file called 'results.txt'.
#cat results.txt
And you'll probably find the usernames and passwords. Try them all in case hydra goes wrong. For me,
the results looked like the following after Hydra went ahead and brute forced the web-login, and hence
one of the usernames and its corresponding password worked in the scenario:
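The following Python simulation is an added example, not part of the original document, and reproduces what hydra's condition string does with the 'Failed' blacklist versus an S= success string, and why the lockout item in the checklist above matters. The login handler, its valid pair (admin with the password 'xyzzy'), the 'Congratulations' success text and the lockout threshold are all constructed for the demo and not taken from the lab; only the failure banner and the spec syntax are the page's. The parsing of ^USER^/^PASS^ and of the F=/S= prefixes mirrors hydra's documented syntax but is this script's own code, not hydra's.

```python
import itertools

# Constructed stand-in for the lab's login handler, NOT the real backend.
# Assumptions for the demo: the valid pair, the success banner text and the
# lockout threshold are made up; the failure banner is the lab's.
VALID = {"admin@pentesteracademy.com": "xyzzy"}
SUCCESS_BODY = "Congratulations! You are logged in."
FAILURE_BODY = "Failed! Please Try Again!"
LOCKOUT_BODY = "Too many attempts. Try again later."


class FakeServer:
    """Answers GET /lab/webapp/1?email=..&password=.. and locks out after N tries."""

    def __init__(self, lockout_after=300):
        self.attempts = 0
        self.lockout_after = lockout_after

    def get(self, params):
        self.attempts += 1
        if self.attempts > self.lockout_after:
            return 429, LOCKOUT_BODY  # note: the word 'Failed' is absent here
        if VALID.get(params.get("email")) == params.get("password"):
            return 200, SUCCESS_BODY
        return 200, FAILURE_BODY


def parse_spec(spec):
    """Split a hydra http-form spec 'path:query:condition'. The condition is a
    failure string unless prefixed with S= (success string); an explicit F=
    prefix is also accepted, mirroring hydra's syntax."""
    path, query, cond = spec.split(":", 2)
    if cond.startswith("S="):
        return path, query, ("success", cond[2:])
    if cond.startswith("F="):
        cond = cond[2:]
    return path, query, ("failure", cond)


def fill_query(query, user, password):
    """Replace the ^USER^ and ^PASS^ markers and return the parameters as a dict."""
    params = {}
    for pair in query.split("&"):
        key, value = pair.split("=", 1)
        params[key] = value.replace("^USER^", user).replace("^PASS^", password)
    return params


def looks_like_success(cond, body):
    kind, text = cond
    # failure mode: 'logged in' means the failure text is absent;
    # success mode: 'logged in' means the success text is present.
    return text in body if kind == "success" else text not in body


def wordlist(charset="xyz", length=5):
    """What 'crunch 5 5 xyz' produces: every fixed-length combination."""
    return ["".join(t) for t in itertools.product(charset, repeat=length)]


def brute(server, spec, users, passwords):
    """Return every (user, password, status) the condition accepts as a login."""
    _path, query, cond = parse_spec(spec)
    hits = []
    for user in users:
        for pw in passwords:
            status, body = server.get(fill_query(query, user, pw))
            if looks_like_success(cond, body):
                hits.append((user, pw, status))
    return hits


USERS = ["admin@pentesteracademy.com", "jack@pentesteracademy.com"]
FAILURE_SPEC = "/lab/webapp/1:email=^USER^&password=^PASS^:Failed"
SUCCESS_SPEC = "/lab/webapp/1:email=^USER^&password=^PASS^:S=Congratulations"

if __name__ == "__main__":
    for spec in (FAILURE_SPEC, SUCCESS_SPEC):
        hits = brute(FakeServer(), spec, USERS, wordlist())
        print(spec, "->", len(hits), "hit(s); first:", hits[:1])
```

Against this fake server the failure-string run reports the real pair and then 186 further "hits", one for every lockout page served after the 300th attempt, because those pages simply lack the word 'Failed'; the S= run reports exactly one pair. That is the case to watch for in results.txt whenever the target throttles or errors mid-run.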


That was for Hydra, but as we see here, while Hydra is efficient and could get a number of results, it could
also go wrong several times without any hints, so there are some other ways we could accomplish this same
task; we'll use method 2, which includes using a client side proxy with Intruder attacks using these same
files generated with Crunch at our disposal. Before we begin with Burp, we'll go through some of the
basics for Burp which an attacker might need to know beforehand. If you are looking for a detailed
discussion on Burp Suite, refer to my other papers which go deep into using Burp Suite as a Web
Application Swiss Knife, or use the compiled book delivered by me which has a section on Burp Suite and
using the tool to make the most of its benefits.


Method 2: Using Burp Suite Intruder to Brute Force Web Logins:


About Burp Suite:
Burp Suite was designed by PortSwigger as a client side web proxy which assists in the
interception of HTTP requests and responses, along with support for intercepting web-services based
traffic such as WSDL. Burp Suite is written in Java and supports extensions written in other
languages with the help of Jython, which runs Python scripts on the Java platform. Most interestingly,
Burp Suite provides a framework for web security penetration testers to intercept HTTP traffic, debug
applications, as well as black-box test web applications with the included toolset like 'Repeater',
'Intruder', 'Comparer', 'Decoder', and much more. The scope of this section covers
the Intruder; if you are interested in learning Burp Suite in detail, there is a separate book written by
me on it and you could use it to expand your knowledge on this framework, which would be
extremely helpful.
To use Burp Suite to the full extent, provided you have enough RAM, the following configuration
via the command line on Linux would help start Burp Suite, which is included in Kali Linux already. This
version is the free edition of PortSwigger Burp Suite. For the Professional version, which penetration testers
use, you'd require to buy a license. Go through the PortSwigger FAQ to know more.
Launching Burp Suite from the Linux Terminal with a known good configuration:

Locating Burp Suite on Linux if installed:

Launching the Burp Suite JAR file with a known good configuration, allotting 2 GB of heap memory to
the Java VM (the JVM's -Xmx option; this is main memory, not video memory) on Linux:


Accepting the Burp Agreement and proceeding further:


The 'Intruder' Tab is located after the 'Scanner' Tab; this is what we'd use for brute forcing the web
form, and it will make use of the previously generated usernames and the password list via crunch. But
before anything else, we'd require to set up the Burp listener to listen on the provided HTTP port and
forward our HTTP packets through the Burp Suite Proxy. This requires configuration on the browser
because the HTTP packets need to be forwarded to Burp by the browser; for this, go to:
Firefox/Iceweasel Preferences > Select Advanced Tab and find the 'Proxy Settings'; when this is done,
the next step is to configure the browser to the below specified ports (Burp's default listener is
127.0.0.1, port 8080) for Burp to intercept traffic:

After this has been done, anything that you browse via the browser will forward HTTP packets
(requests and responses, if responses are set to be intercepted) via the newly configured Burp Proxy.
To make sure of this, on Burp Suite, go to the 'Proxy' Tab and make sure 'Intercept' is
set to 'On'.


Browse the target site, in this case it's http://pentesteracademylab.appspot.com/lab/webapp/1,
and note that the Proxy Tab now blinks and asks if any modifications are needed before forwarding
the request to the web-server:

Click on forward and let the request be sent to the web-server; until the request is
forwarded, the browser will wait for the response from the web-server. In case Burp is configured to
intercept the responses as well, it'd go ahead and intercept the responses before forwarding them to
the browser for web-page presentation. Now that everything is ready and the browser has the
response, we will use junk values on this target to capture the HTTP request and send it to
Intruder when the proxy tab blinks next; for this, enter any junk values in the web-login form fields
and hit sign in to start sending the HTTP request:


Once sign-in is hit, the proxy tab will ask for any modifications if needed; here we'd need to
right click the request headers and send it to the Intruder, so we could brute force the form
fields:


The 'Intruder' Tab now blinks, and we'd need to navigate to the 'Positions' section for additional
modifications like where our given payloads would land for the customized attacks:

Burp auto-detects the form fields where the usernames and the passwords might possibly be
injected; we can change this to our liking, but the default payload positions, marked by the special
characters in Burp (anything enclosed in § and §), are the suitable scenario in this case. We'll pick the
'Cluster bomb' attack type because we have two fields which we need to attack, the first one being
'email' where our username payload would fit and the second being 'password' where our
generated password file from crunch will fit. Cluster bomb tries every combination of the two payload
sets, whereas the Sniper attack type uses a single payload set and places it into one position at a
time, which is not what we want here:


Remember, we have two payloads, one for usernames and another for passwords. From here,
we will go to the 'Payloads' section of the Intruder tab and use 'Simple List' as the 'Payload Type'
and use 'Load' from the 'Payload Options' to load our user generated list file:

Click open and Burp would set the users.txt file for payload 1, which corresponds to the 'email'
field. Next, we also had a second payload which needs to be set, the passwords.txt which was
generated previously; for this, we'd select 'Payload Set' 2 and then repeat the same
operations which we did for 'Payload 1', but here our file will be the generated
password list via crunch:


All payloads which went through were 'Simple List', because they are newline-separated
files which contain usernames for the email field and passwords for the password
field, which we previously enumerated looking at the form-fields from the source page.

When everything is set up, we would need to navigate to the 'Intruder' option on the
menu-bar and click on 'Start Attack', following which Burp Suite would go ahead using its own
HTTP engine and brute force the form fields:


As for now, we could see that the Intruder had started and is brute forcing the web-form.


Next is detecting the successful logins, if any. By default, any credentials you throw at this
particular web application will fetch you a '200 OK' response, with the response code being
'200' and the reason being 'OK' (look at the HTTP RFCs for more details and at the HTTP
document given by me). Now, unsuccessful logins will be given a '200 OK' response, but if we could
somehow eliminate '200' from the column tab, what would be left are the status codes including
3xx which would be redirect responses, 4xx which would be client side errors, and 5xx which
would be any server side errors. The 2xx class means success at the HTTP level (it is 1xx that is
informational), and in this case it needs to be eliminated; we check with this approach first. To do
this, we hover over the 'Filter', which currently says 'Showing all', left click and de-select '2xx'
responses, and now we'd be left with 3xx, 4xx and 5xx responses only:

Now Intruder shows it's hiding all 2xx responses, and showing us 3xx, 4xx and
5xx responses:

But we haven't made it still, because we see there were no responses which included any
redirection which could hint us with a successful login, or anything which might hint at a successful
brute force of the provided credentials for this attack.

What else could be possible scenarios to look for a successful login? This could be the received
content-length header. Now, the next tactical concept is: we receive 2xx for all successful logins
as well as unsuccessful logins; nothing is being redirected, which is the reason there were no 3xx
status codes on completion of the brute force; but we see that the content-length for all the
responses which were sent was the same. This is provided by Burp Intruder in the 'Length'
column on Intruder upon starting the attack:


The length remains constant, and for a better focus, we remove all other columns which could
potentially distract us right now. This could be done by navigating to the current Intruder
menu-bar, choosing 'Columns' and de-selecting all the un-required columns for analysis and
evaluation purposes:
Note: The column tab consists of these: Cookies, Comments, Length, Error, Timeout, Request,
Status and the payloads that were made for the original intercepted request. Additionally,
'Response received' and 'Response completed' provide timing information which could be
used later in different attack scenarios.


We de-select the ones we do not need; preferably, personally I'd de-select 'Request', 'Error',
'Status', 'Timeout', 'Comment' and anything else except the payload columns Burp made from the
custom tailored payloads and the 'Length'. Because 'Length' is what we need to focus on and
status isn't the discriminator here, we remain only with the payloads and the content-length which came with the response header:


Now, closely looking at it, and scrolling down through the numerous requests made by Burp, we get
an exceptional 'Length' value which differs from the other identical ones.

This is where we need to stop and inspect:

The length value is different, and the payloads which were the credentials for 'email' and
'password' were 'admin@pentesteracademy.com' and 'zzz' respectively. Upon inspection on
the response tab, and looking at the render tab, the Burp browser engine will render, and we
can be presented with how it would look if a user submitted those credentials:


And that meant the challenge was cracked, and we could use those credentials to verify that the
username as email was 'admin@pentesteracademy.com' and the password used for this
particular email was 'zzz' (as per the GET request parameter).
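The length-outlier analysis done above by eye in Intruder can also be done on a saved results table. The script below is an added example, not from the original document, and works on a constructed tab-separated table whose column names follow Intruder's 'Save results table' export (an assumption; adjust the header names if your Burp version differs). The valid password 'xyzzy' and the single 500 row are made up to show that a status anomaly and a length anomaly get flagged for different reasons, and that hiding the 2xx class, as done in the text, surfaces only the former.

```python
import csv
import io
from collections import Counter

# Constructed results table in the shape of Intruder's "Save results table"
# export (tab separated, one header row). The column names are an assumption
# about that export; the values are made up for the demo, including the valid
# password 'xyzzy' and the one 500 response.
RESULTS_TSV = """Request\tPayload1\tPayload2\tStatus\tLength
1\tadmin@pentesteracademy.com\txxxxx\t200\t1473
2\tadmin@pentesteracademy.com\txxxxy\t200\t1473
3\tadmin@pentesteracademy.com\txxxyx\t200\t1473
4\tadmin@pentesteracademy.com\txyzzy\t200\t1512
5\tjack@pentesteracademy.com\txxxxx\t200\t1473
6\tjack@pentesteracademy.com\txxxxy\t500\t310
7\tjack@pentesteracademy.com\txxxyx\t200\t1473
"""


def load_results(text):
    """Parse the exported table into rows with typed status and length."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [{"user": r["Payload1"], "password": r["Payload2"],
             "status": int(r["Status"]), "length": int(r["Length"])}
            for r in reader]


def baseline_signature(rows):
    """The most common (status, length) pair is the 'Failed! Please Try
    Again!' page; anything else deserves a look."""
    counts = Counter((r["status"], r["length"]) for r in rows)
    return counts.most_common(1)[0][0]


def hide_status_class(rows, hidden_class="2"):
    """What the Intruder filter does when a status class is unticked:
    drop every row whose status starts with that digit."""
    return [r for r in rows if not str(r["status"]).startswith(hidden_class)]


def candidates(rows):
    """Rows that deviate from the baseline, with the reason they stand out.
    A status deviation (e.g. 500) is reported separately from a length
    deviation, because only the latter is a likely login on this target."""
    base_status, base_length = baseline_signature(rows)
    out = []
    for r in rows:
        if (r["status"], r["length"]) == (base_status, base_length):
            continue
        if r["status"] != base_status:
            reason = "status %d (baseline %d)" % (r["status"], base_status)
        else:
            reason = "length %d (baseline %d)" % (r["length"], base_length)
        out.append((r["user"], r["password"], reason))
    return out


if __name__ == "__main__":
    rows = load_results(RESULTS_TSV)
    print("baseline (status, length):", baseline_signature(rows))
    print("rows left after hiding 2xx:", hide_status_class(rows))
    for user, password, reason in candidates(rows):
        print("inspect:", user, password, "->", reason)
```

Sorting the Intruder table by the Length column does the same job interactively; the script matters when the attack has thousands of rows or when you want the check repeatable across runs.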
Go to Browser preferences, use 'no-proxy' so you could normally browse all sites and press
'OK' for Burp not to intercept, or alternatively, go to the Burp Suite 'Proxy' Tab and click
'Intercept Off' to disable interception of any traffic. Another alternative method is using an
addon called 'swap-proxy' and other similar addons:

Render the original target page at http://pentesteracademylab.appspot.com/lab/webapp/1 and
enter the credentials Burp had cracked using Intruder:


And you'll get the congratulations, which meant the credentials were cracked and successfully
bruted using the Burp Suite client side proxy, using 'Intruder' and custom tailored payloads.

Alternative to using Crunch: If Crunch is too much pain and making dictionaries automated is the
goal, Burp Suite as a framework could be used to make dictionary files automatically using the
'Intruder' tab; here's how one could go ahead and automate the dictionary generation using 'x',
'y' and 'z' as characters and password complexity set to 5 minimum and 5 maximum for these
characters:
On the payload tab, set payload type to 'Simple list' and manually add the usernames, which
here as an example would be 'admin@pentesteracademy.com' and
'jack@pentesteracademy.com':


Click add and continue adding the usernames to your comfort; the next one shall be
'jack@pentesteracademy.com':

Notice that the previous usernames were added; now select 'Payload Set' 2 and select 'Payload
Type' as 'Brute forcer':


We'll use the character set 'xyz' in this demonstration because that's the set of password
characters being used; make sure in any other scenario you determine this first and add
the characters for the likely scenario. Once that's been set, set the 'Min. Length' to 5 and the
'Max. Length' to 5 because that's the password complexity for this demonstration. Everything
happens in the 'Payload Options' of the Brute forcer set on 'Payload Set' 2:


After everything is set up and done, go to the 'Intruder' menu on the menu-bar discussed before and
start the attack; the results would be the same. Check the content-length as discussed before
and look for the responses which render the granted access.

The render tab would now render the representation of the HTML as a browser engine would, and
we can therefore determine that the password was indeed cracked via Burp Intruder. Now,
there used to be another alternative method which currently is experimental and doesn't work
properly with the newer versions of browsers; it was made for Firefox as an .xpi
addon, and this addon was called 'Fireforce', linked/referenced at:
http://www.scrt.ch/en/attack/downloads/fireforce
Documentation for usage of Fireforce as a web-form login bruteforcer could be found here:
http://www.scrt.ch/outils/fireforce/fireforce_en_manual.pdf
An added reference for Fireforce and how it does what it is supposed to be doing could be
found here: http://www.securityaegis.com/easy-breezy-beautiful-password-attacking/
The method for this was not included in this document because Fireforce freezes on range
operations on newer Firefox web-browsers. As soon as Fireforce releases a stable version for
newer versions of Firefox, it'd likely be included in this document. Next, we will look at
developing a python script to break the password, using python libraries. For python, the first step
would be to learn python, because without knowing python libraries and how python works,
one wouldn't be able to automate all of this by developing his/her own scripts. To be able to
automate certain web application exploitation, penetration testers use python scripts which
they develop at the expense of their own free time. This would be shown in the next method,
but it is recommended that people learn python to be able to understand the whole of it.


Method 3: Using Python to break Web-Form Login:


About Python:

Using version 2.7.3:

Python terminal:
#python


Exiting the Python terminal command-line test environment: #exit()

Enough of the basics, it's time to develop a script which calls the python executable from
Linux and loads up the script we develop before it could do anything with it. For this,
we use the shebang to make sure, before executing our code script, the Linux environment
invokes the python executable from /usr/bin, which has a file called 'python'; we'd check what
this file is and learn to locate or find where python is by issuing the following commands, but first
we create a file called 'web-form-brute.py' using the 'touch' command, so later we can start
writing our code here:

The 'locate' command would generate many more results, but for executables, we'd use the
'whereis' command to find where python would be, so that later we could use this directory to
call the python executable using the shebang before the located file and then continue writing
our code:


At this point, we have many versions of python installed; the default we'd pick up is the one at
/usr/bin/python. Now to use the shebang, which is represented by '#!', we would have to first
use a text editor to open the file which we had created:

We use 'nano', a text editor which is GNU based in Linux. Other options on Linux are pico, vim,
gedit, leafpad and emacs. There are tons of text editors available; once loaded, the screen
prompts us to write text into the editor screen, where we begin with our shebang to include the
python executable:


The code:
#!/usr/bin/python
# Python 2.7 script: brute force the lab's GET login form with every
# 5-character combination of x, y and z for the two known usernames.
from urllib import urlopen
import itertools, sys

def gen_passwords(universe, l):
    # use itertools to create a list of all password permutations
    wl = []
    for i in itertools.product(universe, repeat=l):
        wl.append("".join(i))
    return wl

def brute(username):
    root_url = ("http://pentesteracademylab.appspot.com/lab/webapp/1?email="
                + username + "@pentesteracademy.com&password=")
    # want to be able to enter a password on the command line and only send that
    # one test
    if len(sys.argv) < 2:
        wl = gen_passwords("xyz", 5)
    else:
        wl = [sys.argv[1]]
    for pw in wl:
        full_url = root_url + pw
        p = urlopen(full_url).read()
        if "Failed!" not in p:
            # success: the failure banner is absent from the response
            print "Username: ", username, " Password: ", pw
            break
        else:
            print "Password: %s failed" % pw

brute("admin")
brute("jack")


The Python Code:

'root_url' would be the whole GET URL which would then take the username from the defined
usernames, which are 'jack' and 'admin' for this demonstration; the function 'brute' does this
job. Also we use itertools as our library to iterate. The defined function called 'gen_passwords'
takes care of the loop which generates the list of all 5-character combinations of 'x', 'y' and 'z'
(3^5 = 243 candidates), and 'brute' then checks each response for the 'Failed!' string; the first
password whose response does not contain it is printed as the success (the same blacklist logic as
hydra's default condition, with the same caveat that a lockout or error page would also pass the
check). Before moving further, 'chmod +x' the python code file to execute:

Next, use './web-form-brute.py' to execute the code file and run the script:


The script begins the bruteforcing, and until we see the success string appended to the
generated password of password complexity 5 minimum and 5 maximum, we have to keep
looking at the results. Once the bruteforce gets over and the script has been executed, check
through the logs generated (for this one could have redirected the output to something like
./web-form-brute.py > results_brute.txt from the execution point and looked for the success string);
however, we do get the success string here, which would be useful for a successful login:

The password is 'zzz' with the user email being used as 'admin', which means
'admin@pentesteracademy.com' would be the email for the login form. Use it with the password
generated and we will get a successful login:


Method 4: Using WebSlayer to Brute Force Web Logins:

About WebSlayer:

OWASP Based Project

Reference at: https://www.owasp.org/index.php/Category:OWASP_Webslayer_Project

Enhancements to wfuzz with a front-end GUI and added selected modules for web application
penetration testing, enumeration along with discovery.

Could be used as a predictable resource locator, recursion supported (discovery) tool.

Could be used for login form bruteforce, session bruteforce, parameter bruteforce.

Could also be used for parameter fuzzing, and fuzzing for injections such as SQL Injection and
Cross Site Scripting attacks, provided the payloads are strong and massive.
This tool, apart from Metasploit and others, could also break NTLM and Digest based
authentication. Basic Authentication could also be broken using this same tool.
In short: WebSlayer is a tool designed for brute forcing Web Applications; it can be used
for finding resources not linked (directories, servlets, scripts, files, etc.), brute forcing GET and
POST parameters, brute forcing form parameters (user/password), fuzzing, etc. The tool has a
payload generator and an easy and powerful results analyzer. The POST parameters would
require some extent of using the Live HTTP Headers add-on on Mozilla Firefox, demonstrated in this
video. The demonstration is very thorough while using WebSlayer as a project tool for web
application penetration testing projects.
Kali Linux, which is Debian based, has WebSlayer in its loaded set of penetration test tools.
Here's how you can launch WebSlayer:


One just needs to trigger 'webslayer' from his/her terminal the way it's shown above.
Next, we'd see a screen with different tabs which represent crafting of different types of
payloads and a ton of things by which we can generate our own custom payloads and brute using
these generated payloads:

Capture the request with Live HTTP Headers, which just gives an easy way to input the right headers
which would be thrown at this fuzzer. The addon we'd be using here is 'Live HTTP Headers',
which is available for Firefox, or any other tool-set which has the same functionality, like Burp,
Fiddler, Charles Proxy and many more. If Live HTTP Headers is installed in Firefox (or Iceweasel),
bring it up from the menubar: go to Tools and click on Live HTTP Headers.


Make sure the Capture is turned on and refresh the page for
http://pentesteracademylab.appspot.com/lab/webapp/1 as shown below:

When done, the page refreshed and all the packets along with the headers went through
Live HTTP Headers, and hence Live HTTP Headers captured the HTTP headers because it was set
to Capture. Our next move is to copy all these exact headers which were sent by the original
browser client to WebSlayer, to pretend to be an original client the way an original browser client
would be.

This was the very first request which the client made, and here we click on replay to see,
copy or replay the original sent request yet again. After clicking on the replay, something like
below pops up:


Copy the URL, and paste this into WebSlayer's URL tab:

Once this has been done, we erase all the content from WebSlayer's Headers field and copy
the headers from the Live HTTP Headers field to WebSlayer's Headers field:



We do not need any POST data to be sent because the form does not have POST enabled on it.
This is the attack pre-setup; now, before we generate our payloads, we need to set the keyword
FUZZ on the headers, parameters or any field where we'd like WebSlayer to brute force our
generated lists of usernames or passwords. In WebSlayer, one needs to know the usernames to
brute force the passwords (which is the limitation), but in this case, to demonstrate how an attacker
tool-set is used, we already know the username, which is admin@pentesteracademy.com, and
we need to generate a password list of minimum 5 and maximum 5 with the help of WebSlayer.
Here, we know the request which we'd be trying to brute force is a GET request with the parameters
"email" and "password". We also know the "email" parameter would take
admin@pentesteracademy.com and "password" is the parameter we'd need to fuzz; so we'd
quickly change the URL in WebSlayer to suit our needs (notice the URL: when we put
junk values into the login form using the original browser, the browser generates a GET based URL
which reveals the whole URL):

So, we feed this URL to WebSlayer's URL field and make some changes; we'll see what the
changes are which are required. For now, we just need to copy this GET based request to WebSlayer.

Now that the original GET based request has been fed to WebSlayer's URL tab, we need to
make the changes to these parameters:
a.) email
b.) password
We know the username to be admin@pentesteracademy.com, and we need to FUZZ the
password parameter, so the value for the email parameter would be
admin@pentesteracademy.com and the value for the password parameter would be FUZZ,
since we need to brute force this parameter in order to determine the credentials; so the URL
becomes as follows (note that FUZZ is a keyword: wherever you put the term FUZZ will be taken as a
target input feed for WebSlayer):

Notice the changes made to the URL for WebSlayer to be configured so that it could take
admin@pentesteracademy.com as the username and the payloads we generate on the
password parameter. The value of the email parameter remains intact.

After this initial set-up, we'd need to generate a password list; select the Payload Type as
Dictionary as shown here:


In this attack, we are using the Dictionary passwords file previously created because after a
thorough investigation, I found that we cannot use the payload option, since the payload fails at
generating the minimum and maximum characters using combination; it only supports
permutation with a fixed width type along with a given character set ending in z.
So, once the Dictionary attack type is selected, we could generate the list via crunch; here
we'll use the previously generated list. Load up the list by clicking on the option and select
the list file. The list file here is named passwords.txt:

After opening up the list, which is passwords.txt, click Start:


Once Start is hit, we are taken to the Attack results tab:

Below we can Stop or Pause the current attack and see the payload processing:

Once everything finishes, a green string would show up the successful break of the
password, with the given email parameter value as admin@pentesteracademy.com and
the password value set to FUZZ to go through the payload processing:


Here we see that the payload beginning with zzz worked as the string; from here, we can hit on
the response HTML to verify whether the login with that password and the supplied username was marked:

Use the same payload extracted at this point to login via the original browser, and the same results
would be achieved. However, there are plenty more options in WebSlayer in the
Payload Generator tab, where apart from doing combination and permutation generation, a
variety of possible payload generation could be done, which includes block payload generation,
credit card payload generation, username generation (which could be taken for the
enumeration part) and numerical payload generation:


Selecting the options and defining a range, this process requires generating a temporary
payload and then modifying, or dragging down the generated temporary payload to the Payload
Creator and then hitting Generate Payload; in the FINAL PAYLOAD, the penetration testers
have the option to save the payload, load a previously generated payload or drop a
current payload. Certain rules apply to making generated payloads; it is recommended to read
along through a good documentation which is provided here.

Method 5: Nmap Script Code to break web form:


About Nmap:

Nmap stands for Network Mapper, which was originally written by Gordon Lyon (Fyodor) and
continues to be an industry standard assisting red teams with penetration testing tasks, with an
evolving community of open source scholars who keep contributing code and making
improvements to the Nmap Project. Nmap is available both for Linux as well as for Windows. It
also works with Mac but with various lags in speed. Benchmarks prove Nmap is slower on Mac
than on Linux based operating systems. There is a whole documentation available on
Nmap and how to use it which could be found here. Here's a book by Fyodor himself on Nmap.
In case anyone needs a very thorough understanding of Nmap, follow the book. If you need this
only for penetration testing tasks or as a tool-set for quick and dirty pentests based out of a network,
mail me at Shritam.bhowmick@gmail.com and there's an ongoing research document which I
had been preparing.

Nmap scans for open ports. It can detect the host operating system remotely. It also can detect
application versions, and has signatures preset for recognizing application, OS and other
daemon versions. It does host discovery, operating system enumeration, and report generation
using XML standards and firewall evasion on the go. It has both CLI and GUI versions. The GUI
version of Nmap is known as Zenmap. When it's scanning and network enumeration,
fingerprinting, Nmap is the first favorite choice of any dedicated red team using this tool as an
army Swiss knife (same goes for Netcat!).
Nmap has an engine called the Nmap Scripting Engine (NSE). The engine is documented here and is
written in the Lua language. Apart from Nmap itself, NSE provides the flexibility to separate
additional tasks like automating an exploit, actually exploiting a target, and provides a range of
capabilities such as enumeration, vulnerability detection and much more. Read the
documentation. Also, in Kali Linux, which has been an operating system based out of Debian, the
Nmap scripts reside in the /usr/share/nmap/scripts directory:

Before we go into opting for the NSE engine to brute force web based form logins, there are certain
things which you'd need to know:
1. The NSE is completely community based and written in Lua.
2. As of 2014, August, there were no such scripts written in Nmap which assisted
brute forcing web based logins using the GET method.



3. I had to manually change the Lua code in the NSE file and implement it into a currently
working script for Nmap, which was http-form-brute.nse. Credits to nnposter on
Nmap development.
4. By default, as of 2014, August, this particular script only uses the POST method and there
is no support for GET based web form brute force, and hence the code needs to be
modified in order to support both methods.
5. This code which will be documented here isn't a part of penetration testing and is
wholly devoted to scripting the NSE and then using this newly developed/modified Lua
code script to identify GET based form authentication and assist brute forcing them.
6. The script will be covered here and this might be on a patch release later, and hence the
original script would require a backup before we use our own script in Lua making
modifications to the original code.
7. NSE uses script arguments, so there are different script arguments for different scripts.
The code which would be presented here adds yet another argument to the list apart
from what was originally offered. It's because the script provided support for the POST
method and not GET, so modifying the script to our own needs, I had to go ahead and
add an additional argument set called http-form-brute.method which takes input as
GET or POST to make sure that the request method is declared before we start
brute forcing the target application.
8. The modified script itself is not stable as for now. It gives false positives which are
currently being worked against. But with several tests, it showed 70% positives with the
tested methods above, which proves that it could crack credentials. If the credentials
generated by this script go wrong, trial and error is used against the application to get
the right credentials. Nmap developers are fixing this.
9. Update the Nmap script database at a later time (with this revision after 2014) to make the
best usage. This is the first ever documented script and a functional one for the
attempt we are going to make. Don't focus on the script and move directly to the
pentest part if you do not understand Lua or can't code much.

Backing up the original script is easy; you would require to copy the existing original script and
store it in the same directory for later use:


Now one would require to update the original script with the following code provided here. A
raw version could be found here. Since we have backed up our original script code for http-form-brute.nse, we can go ahead and replace the original script code with the script code which has
been provided here, because this new script provides new functionality including the choice of
POST or GET as the HTTP request method.

Copy the code from the raw version of the ASCII text code in Lua provided here and paste it into
the editor of choice. Make sure the name stays the same, that is http-form-brute.nse. After
pasting this new code, CTRL+O to save the code in nano and hit carriage-return (i.e. Enter),
and then CTRL+X to exit the editor. The following screenshot shows the demonstration of
the code which has been developed using nano as the text editor of choice. For new users,
leafpad, which comes along with Kali, would be great, or gedit, which could be installed via
apt-get install gedit on the command line.
It's recommended for experienced Lua coders to go through the code and modify it if any changes
are needed. This belongs in accordance with the needs of the pentester. Also mail me if there is
something you modify, since I'd be interested to keep track of the changes in the code.


Now that we have everything set up with the replaced code, we need to trigger Nmap from the
command line and set up a crafted Nmap NSE script query with arguments. The script argument is
something which most find tricky. Keeping everything aside, when you realize the way Nmap
script arguments are passed via the CLI, the true power lies there for quick exploitation as well as
quick tests. NSE provides a variety of lists for checks, exploitation, enumeration and a vast
database for automating tasks. This document again does not discuss Nmap in detail; I'd rather
jump over to using NSE for brute forcing web application forms which might be GET based
HTTP requests. A GET request is something which is imprinted on the URL, which in this case is:
https://pentesteracademylab.appspot.com/lab/webapp/1?email=test&password=test
Both the username, which is the email parameter, and the password, which is the password parameter, are
being passed in cleartext on the URL, which means the request method is GET. This could also
be verified using the view-source which was discussed earlier in this document.
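An added example (my own code, not from the original document or from any of the tools it covers) that looks at the same point from the defender's side: because this form passes email and password as GET parameters, every guess made through WebSlayer's FUZZ keyword or through the NSE script lands verbatim in the web server's access log, so a brute force run shows up as many distinct password values for one client and account, and the password value should be redacted before such logs are kept or forwarded. The log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LOGIN_PATH = "/lab/webapp/1"   # the lab's GET-based login endpoint named on the page
THRESHOLD = 5                  # distinct passwords per (client, account) before alerting

# Common Log Format: client - - [timestamp] "METHOD target HTTP/x" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \d+$')

# Constructed sample log, not captured from any real server.  203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges; the guessed passwords are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Aug/2014:16:00:01 +0530] "GET /lab/webapp/1?email=admin%40pentesteracademy.com&password=aaaaa HTTP/1.1" 200 512
203.0.113.5 - - [06/Aug/2014:16:00:01 +0530] "GET /lab/webapp/1?email=admin%40pentesteracademy.com&password=aaaab HTTP/1.1" 200 512
203.0.113.5 - - [06/Aug/2014:16:00:02 +0530] "GET /lab/webapp/1?email=admin%40pentesteracademy.com&password=aaaaa HTTP/1.1" 200 512
203.0.113.5 - - [06/Aug/2014:16:00:02 +0530] "GET /lab/webapp/1?email=admin%40pentesteracademy.com&password=aaaac HTTP/1.1" 200 512
203.0.113.5 - - [06/Aug/2014:16:00:02 +0530] "GET /lab/webapp/1?email=admin%40pentesteracademy.com&password=aaaad HTTP/1.1" 200 512
203.0.113.5 - - [06/Aug/2014:16:00:03 +0530] "GET /lab/webapp/1?email=admin%40pentesteracademy.com&password=aaaae HTTP/1.1" 200 512
203.0.113.5 - - [06/Aug/2014:16:00:03 +0530] "GET /lab/webapp/1?email=admin%40pentesteracademy.com&password=aaaaf HTTP/1.1" 200 512
198.51.100.7 - - [06/Aug/2014:16:05:40 +0530] "GET /lab/webapp/1?email=test&password=test HTTP/1.1" 200 512
198.51.100.7 - - [06/Aug/2014:16:05:41 +0530] "GET /lab/index.html HTTP/1.1" 200 1024
"""


def parse_line(line):
    """Return one log record as a dict, or None if the line is not in the expected format."""
    match = LINE_RE.match(line)
    if not match:
        return None
    client, when, method, target, status = match.groups()
    parts = urlsplit(target)
    params = {name: values[0] for name, values in parse_qs(parts.query).items()}
    return {"client": client, "time": when, "method": method,
            "path": parts.path, "params": params, "status": int(status)}


def login_attempts(log_text):
    """Map (client, email) to the set of distinct password values it submitted via GET."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["path"] != LOGIN_PATH:
            continue
        if "email" in rec["params"] and "password" in rec["params"]:
            tried[(rec["client"], rec["params"]["email"])].add(rec["params"]["password"])
    return tried


def flag_brute_force(log_text, threshold=THRESHOLD):
    """Return [(client, email, distinct_passwords)] for pairs at or above the threshold,
    busiest first.  A repeated guess counts once, so retries do not inflate the score."""
    hits = [(client, email, len(passwords))
            for (client, email), passwords in login_attempts(log_text).items()
            if len(passwords) >= threshold]
    return sorted(hits, key=lambda hit: -hit[2])


def redact_line(line):
    """Mask the password query value so a stored or forwarded log no longer carries
    the cleartext credential that a GET-based login form leaks into it."""
    return re.sub(r'([?&]password=)[^&\s"]*', r"\g<1>[REDACTED]", line)
```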


Knowing to trigger Nmap with the -sC switch and using a script with --script-args. There's a
difference between running the -sC switch and targeting a specific application using a specific NSE script.
The general -sC switch will do a default script run over, which would be equivalent to
--script=default.

After the application has been mapped, to use the power of the NSE script to our advantage, we
need a more specific script, which we had developed earlier in the Lua code, to be run over by
Nmap. In order to accomplish this, we need to trigger the script with the --script= directive and
mention the script name. Nmap takes care of the rest and is automatically synced with the
/usr/share/nmap/scripts directory, and hence would not require any .nse extension to be
provided when naming the script. First, the main target is specified along with the port to be
targeted; web servers run on 80 by default and our target pentesteracademylab.appspot.com
has the same port open which serves web content, or which is running an HTTP server. Hence
we have a greater number of script arguments which are newly introduced by the script; these
are all the arguments one needs to pass to the script (http-form-brute.nse):
1. http-form-brute.hostname: Specifies the hostname.
2. http-form-brute.path: Specifies the path URI.
3. http-form-brute.method: Specifies the newly added method (GET or POST).
4. http-form-brute.uservar: Specifies the name of the form field for the username.
5. http-form-brute.passvar: Specifies the name of the form field for the password.
6. userdb: The database of line-feed separated usernames for the brute force.
7. passdb: The database of line-feed separated passwords for the brute force.

Here these arguments are supposed to be mentioned in the crafted query for Nmap when
--script=http-form-brute with --script-args is declared. All of the script args are under ' ' (single quotes).

Since we now understand the format to specify the Nmap arguments, I need to show some of
the common mistakes one could run into when writing the query for Nmap. These are stated here so
these mistakes could be dealt with in no time, and when the audience writes the query for the first
time, he/she feels confident enough. Some of the mentionable points while writing the script argument
queries are the following:
1. The --script=script-name-here declares the script an attacker is using. Here it's http-form-brute and hence this would be --script=http-form-brute.
2. To specify specific arguments to the script which we require here, one needs to declare
the --script-args='argument.specifics="value", argument2.specifics2="value"', which then takes all the arguments under ' '
(single quotes), and within these single quotes are the argument names like http-form-brute.method, http-form-brute.path, http-form-brute.hostname and everything else. All
the argument names are separated by , (comma).
3. The values of the described argument names would be under " " (double quotes) as
shown above in point [2]. Apart from this, the userdb and the passdb in this scenario
take the input from a file and hence there is no " " (double quotes). Although double
quotes could be provided.
4. Using the -n switch before starting the script analysis means the attacker doesn't want to
do a DNS scan and hence stands the same as no-dns.
5. The -p switch mentions the port to be scanned. I wanted to scan port 80, which is a
specific target port which serves the web application and is open. So a -p80 will be
sufficient for the NSE script to go ahead and brute force that port and none else. I could
specify other ports via -p, 80 and more.
6. As usual with Nmap, before everything else, the attacker must specify the target host if
not the whole URI. That is, in this case before writing everything, mention the target host
pentesteracademylab.appspot.com for Nmap to start, then the port, then the no-dns
mentionable and then the script one needs to use, which in this case is http-form-brute, and then the script arguments.
7. Last but not the least, the attacker also for convenience specifies the -vvv switch at
the last, which stands for extra verbosity. A single -v would have been less verbose,
-vv would be less verbose compared to -vvv, and hence I specified the maximum level of
verbosity which we can attain to go through the results while Nmap would be already
brute forcing.
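An added example (my own code, not the author's script or anything from Nmap) that applies the quoting rules of points 1 to 3 above: it renders a name/value mapping as the comma-separated, double-quoted argument list, parses such a string back while keeping a comma inside double quotes intact, checks that the seven arguments the modified script expects are present and that the method is GET or POST, and assembles the full shell command with -n, -p and -vvv as described. The argument names and values are the ones from this section; double-quoting every value relies on the note above that quotes are accepted for the db files too.

```python
import shlex

# The seven script arguments this section lists for the modified http-form-brute.nse
REQUIRED_ARGS = {
    "http-form-brute.hostname", "http-form-brute.path", "http-form-brute.method",
    "http-form-brute.uservar", "http-form-brute.passvar", "userdb", "passdb",
}

# The values from the query shown in this section (the file paths are the author's)
PAGE_ARGS = {
    "http-form-brute.path": "/lab/webapp/1",
    "http-form-brute.hostname": "pentesteracademylab.appspot.com",
    "http-form-brute.method": "GET",
    "passdb": "/root/Desktop/pentesteracademy/challenge1/passwords.txt",
    "userdb": "/root/Desktop/pentesteracademy/challenge1/users.txt",
    "http-form-brute.passvar": "password",
    "http-form-brute.uservar": "email",
}


def build_script_args(args):
    """Render {name: value} as comma-separated name="value" entries (every value quoted)."""
    return ", ".join(f'{name}="{value}"' for name, value in args.items())


def parse_script_args(text):
    """Parse a script-args string back into a dict: outer single quotes are stripped,
    a comma inside double quotes does not split, unbalanced quotes raise ValueError."""
    if len(text) >= 2 and text[0] == text[-1] == "'":
        text = text[1:-1]
    entries, current, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            entries.append("".join(current))
            current = []
            continue
        current.append(ch)
    if in_quotes:
        raise ValueError("unbalanced double quote in script-args")
    entries.append("".join(current))
    parsed = {}
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError(f"script-arg without a value: {entry!r}")
        name, value = (part.strip() for part in entry.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # unquoted values (e.g. passvar=password) pass through
        parsed[name] = value
    return parsed


def check_args(args):
    """List problems: a missing required argument, or a method other than GET or POST."""
    problems = [f"missing {name}" for name in sorted(REQUIRED_ARGS - set(args))]
    method = args.get("http-form-brute.method")
    if method is not None and method.upper() not in ("GET", "POST"):
        problems.append(f"unsupported method {method!r}")
    return problems


def shell_query(host, port, args, verbosity=3):
    """Render the full command as typed into the shell; shlex.quote puts the argument
    list in single quotes, as in this section's query, and -v is repeated for verbosity."""
    problems = check_args(args)
    if problems:
        raise ValueError("; ".join(problems))
    return " ".join(["nmap", shlex.quote(host), "-n", f"-p{port}",
                     "--script=http-form-brute",
                     "--script-args=" + shlex.quote(build_script_args(args)),
                     "-" + "v" * verbosity])
```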


Triggering Nmap with the crafted query for the modified http-form-brute. I have
mentioned what needed attention to go ahead and craft the query. After everything has been
made clear, I go ahead and craft the following query for our modified version of the Nmap NSE script:

nmap pentesteracademylab.appspot.com -n -p80 --script=http-form-brute \
  --script-args='http-form-brute.path="/lab/webapp/1", http-form-brute.hostname="pentesteracademylab.appspot.com", http-form-brute.method="GET", passdb="/root/Desktop/pentesteracademy/challenge1/passwords.txt", userdb="/root/Desktop/pentesteracademy/challenge1/users.txt", http-form-brute.passvar=password, http-form-brute.uservar=email' \
  -vvv

The crafted query is simple unless one looks at its length. Nmap takes the target host as
pentesteracademylab.appspot.com, and with a -n switch I specified that we need not re-do DNS
queries, and hence no-dns follows; next I mention the target port, which is 80, and then I
mention the --script=http-form-brute, which is the modified script under the
/usr/share/nmap/scripts/ directory. I then mention the --script-args=, providing the script the
arguments which are required for the target, separated by a comma and enclosed in single
quotes as discussed above. The values of these arguments are enclosed in double quotes. And I
then specify a verbose result while Nmap would be running; this is optional and is not required. I
however like to maintain the dignity of the results for a quicker look during a penetration test.
Everything would look like the following:

The original query is attached above. If you need to understand what it's doing, I suggest
reading this section again and again. It's better than copying the query and pasting it over the
terminal for results. That would hamper everything which is being documented here. Apart from
that, when Nmap finishes, the results would be like the following:
1. It will go ahead and target the specified port.
2. It will load the Nmap script specified.
3. It will attempt to recognize the specified URI which the script mentions.
4. The usernames will be taken from userdb.
5. The passwords will be taken from passdb.
6. The form variable for the username will be taken from uservar.
7. The form variable for the password will be taken from passvar.
8. It will adjust the endpoints and GET will be used to brute force these endpoints.
9. Optionally one could also store the results in XML format.


The brute force will be taking time, since it's a brute force:

Depending on the network, it would take time to bring the results back; the results are varied
and hence may require trial and error. This happens due to packets being sent at too low a rate or
due to the time lags. False positives are common using the modified script.


As the audience sees the result, these are false positives which were caught in hook by the
modified Lua script; with some trial and error, one should be able to get the right credentials. As
this is getting documented here, Nmap developers are working on the current Lua script for
better detection. With a fast connection, the false positives are however minimized. This
happens due to the TCP packets being sent at a low rate and therefore the response from the
web server getting malformed. It's due to network bottlenecks.
That marks the conclusion of this document and I hope the audience gets the vision of how to
carry out different attacks via the same attack vector but with different approaches. The point
of this document is not to show how things are exploited and you get credentials; that could be
done either way. But the point is to show how many ways a pentester could go ahead and break
the web application to suit his/her objectives. This is a series of documents to follow.


Contact Information
LinkedIn: Contact me on LinkedIn here.
Facebook: Contact me on Facebook here.
Reach me at: Shritam.bhowmick@gmail.com
