All information contained in here is for academic research, web application exploitation research, bug hunting research, laboratory test bed uses, and for educational purposes only. The techniques shown here are not designed to compromise live machines, web applications or a host. These techniques are laid down on purpose for awareness and research, thereby the authors are not responsible for the actions conducted by individuals in any form. Neither is this document transmissible or re-useable; written permission from the authors is a must, failing which certain legal actions might be provoked.
Contents
Hack
Method 1: Using Hydra to Brute Force Web Logins
Method 2: Using Burp Suite Intruder to Brute Force Web Logins
Method 3: Using Python to break Web-Form Login
Method 4: Using WebSlayer to Brute Force Web Logins
Method 5: Nmap Script Code to break web form
Contact Information
Hack
Hack: So, the usernames are jack and admin for the challenge, which were provided to us as a hint. We have to create files for the users. This can be done on Linux by issuing the following command (the -e switch makes echo interpret \n as a newline, so each address lands on its own line):
# echo -e "admin@pentesteracademy.com\nnick@pentesteracademy.com" > users.txt
What we have is a list of users and a list of the password set. Look at the URL and see if the parameters are being passed in the URL; if they are, it's a GET based request. By default, if the page source doesn't describe a method, it's taken as a GET method. To demonstrate this, input any dummy characters in the input fields:
Now, if this is verified from the source: after we try to log in, we will see there is no method described in the page source, which again means that by default (if not specified by the source) the method would be a GET request:
The username hints and the domain given were jack and admin as users and pentesteracademy.com as the domain, so the possible username set would be:
jack@pentesteracademy.com
admin@pentesteracademy.com
Now that we have the valid usernames (before, we used nick and admin to generate the username file as an example, which were invalid), we need to go and brute force the login with this set of usernames and the generated password list, taking x, y and z with minimum 5 characters and maximum 5 characters as our password list. For this, there are several methods by which we can accomplish the brute force on web applications; the five covered in this document are:
1.) Using Hydra to brute force web logins
2.) Using Burp Suite Intruder to brute force web logins
3.) Using Python to break the web-form login
4.) Using WebSlayer to brute force web logins
5.) Using an Nmap script to break the web form
Method 1: Using Hydra to Brute Force Web Logins:
With the form fields set, append the email (the users for authentication) and the passwords with the appropriate user and password lists, and note that this would be done in continuation of the form fields in order to complete the form itself. The form field declaration in hydra would be enclosed in double quotes: "/lab/webapp/1:email=^USER^&password=^PASS^"
We use email and password as our parameters here because the source code has the email and the password as its entry; if it were a different application, this might change! Anything in-between ^_____^ specifies that hydra needs a feed into these places, which turns out to be the username file and the password file respectively. Notice that there are more
The parameters are separated by colons (:), and the next step is to let hydra know when the login is successful. For instance, while logging in, if a user fails to get authenticated, Hydra takes a blacklist string like "Failed" or "Authentication Failure" as the string and detects whether these blacklist words do not appear; if they do not, it's a successful login. So we'd have to append that as well along with /lab/webapp/1:email=^USER^&password=^PASS^, which would be done by appending yet another colon, for example /lab/webapp/1:email=^USER^&password=^PASS^:blacklist string
So for now, our whole query for hydra would be: hydra pentesteracademylab.appspot.com http-form-get "/lab/webapp/1:email=^USER^&password=^PASS^:Failed"
Notice that the query now ends with the double quotes in place. We also mentioned the blacklist string to be "Failed" because in this web login, any failed login attempt generates the string "Failed! Please Try Again!", which could be seen below:
Alternatively, we could also provide whitelist strings in case we know what the successful attempts would look like and the application never throws any strings on unsuccessful logins on web forms. Now, if we are running Hydra from the directory where our generated users and password files are stored, we could provide the users and the passwords list as is, or show the directory path; the login users are given using the -L switch and the password list using the -P switch, which is: -L users.txt -P passwords.txt
Next, we would also add threading because hydra supports parallel brute force power; 20 is the maximum allowed integer for this with the -t switch.
At last, we include the -o switch to save the results in a text file called "results.txt".
Final Query for Hydra: hydra pentesteracademylab.appspot.com http-form-get "/lab/webapp/1:email=^USER^&password=^PASS^:Failed" -L users.txt -P passwords.txt -t 20 -o results.txt
This will fetch the valid logins and the passwords, if found using the blacklist string, and store the results to a text file called "results.txt".
#cat results.txt
And you'll probably find the usernames and passwords. Try them all in case hydra goes wrong. For me, the results looked like the following after Hydra went ahead and brute forced the web-login, and hence one of the usernames and its corresponding password worked in the scenario:
That was for Hydra, but as we see here, while Hydra is efficient and could get a number of results, it could also go wrong several times without any hints, so there are some other ways we could accomplish this same task. We'll use method 2, which includes using a client side proxy with Intruder attacks, using these same files generated with Crunch at our disposal. Before we begin with Burp, we'll go through some of the basics for Burp which an attacker might need to know beforehand. If you are looking for a detailed discussion on Burp Suite, refer to my other papers which go deep into using Burp Suite as a Web Application Swiss Knife, or use the compiled book delivered by me which has a section on Burp Suite and using the tool to make the most of its benefits.
Method 2: Using Burp Suite Intruder to Brute Force Web Logins:
Launching the Burp Suite JAR file with a good known configuration, allotting 2 GB of VRAM in the Java Memory Settings on Linux:
The Intruder Tab is located after the Scanner Tab, which we'd use for brute forcing the web form; this will make use of the previously generated usernames and the password list via crunch. But before anything else, we'd need to set up the Burp listener to listen on a provided HTTP port and forward our HTTP packets through the Burp Suite Proxy. This requires configuration on the browser because the HTTP packets need to be forwarded to Burp via the browser; for this, go to: Firefox/Iceweasel Preferences > select the Advanced Tab and find the Proxy Settings. When this is done, the next step is to configure the browser to the below specified ports for Burp to intercept traffic:
After this has been done, anything that you browse via the browser will forward HTTP packets (requests and responses, if responses are set to be intercepted) via the newly configured Burp Proxy. To make sure of this, on Burp Suite, go to the Proxy Tab and make sure Interception is set to "On".
Click on forward and let the request be sent to the web-server; until the request is forwarded, the browser will wait for the response from the web-server. In case Burp is configured to intercept the responses as well, it'd go ahead and intercept the responses before forwarding them to the browser for web-page presentation. Now that everything is ready and the browser has the response, we will use junk values on this target to capture the HTTP request and send it to Intruder when the proxy tab blinks next; for this, enter any junk values in the web-login form fields and hit sign in to start sending the HTTP request:
Burp auto-detects the form fields where the usernames and the password might possibly be injected. We can change this to our liking, but the default payload positions marked by Burp's special characters, i.e. anything enclosed in $ and $, are the suitable scenario in this case. We'll check the "Cluster bomb" attack type because we have two fields which we need to attack, the first one being email, where our username payload would fit, and the second being the password, where our generated password file from crunch will fit; the Sniper attack type is for one payload at one field at a time, which is not the case here:
Remember, we have two payloads, one for usernames and another for passwords. From here, we will go to the Payloads section of the Intruder tab, use "Simple List" as the Payload Type and use "Load" from the Payload Options to load our generated user list file:
Next is detecting the successful logins, if any. By default, any credentials you throw at this particular web application will fetch you a "200 OK" response, with the response Code being 200 and the reason being "OK" (look at the HTTP RFCs for more details, and at the HTTP document given by me). Now, unsuccessful logins will be given a "200 OK" response too, but if we could somehow eliminate 200 from the column tab, what would be left are the status codes including 3xx, which would be redirect responses, 4xx, which would be bad client side errors, and 5xx, which would be any server side errors. Beyond that, 2xx are informational, which in this case need to be eliminated; we check with this approach first. To do this, we hover over the "Filter", which currently says "Show All", left click and de-select 2xx responses, and now we'd be left with 3xx, 4xx and 5xx responses only:
What else could be possible scenarios to look for a successful login? This could be the received content-length header. Now, the next tactical concept is: we receive 2xx for all successful logins as well as unsuccessful logins, and nothing is being redirected, which is the reason there were no 3xx status codes on completion of the brute force; but we see that the content-length for all the responses which were sent was the same. This is provided by Burp Intruder using the "Length" column on Intruder upon starting the attack:
The length remains constant, and for a better focus, we remove all other columns which could potentially distract us right now. This could be done by navigating to the current Intruder menu-bar, choosing Columns and de-selecting all the un-required columns for analysis and evaluation purposes:
Note: The Columns tab consists of these: Cookies, Comments, Length, Error, Timeout, Request, Status and the payloads that were made for the original intercepted request. Additionally, "Response received" and "Response completed" provide additional information which could be used later in different attack scenarios, which might be useful.
Now, looking at it closely and scrolling down through the numerous requests made by Burp, we get an exceptional "Length" value which differs from the other identical ones. The length value is different, and the payloads which were the credentials for email and password were admin@pentesteracademy.com and zzz respectively. Upon inspecting the response tab and looking at the render tab, the Burp browser engine will render, and we can be presented with how it would look if a user submitted those credentials:
And that meant the challenge was cracked and we could use those credentials to verify that the username as email was admin@pentesteracademy.com and the password used for this particular email was zzz (as the password per the GET request parameter).
Go to the browser preferences, use "no proxy" so you could normally browse all sites and press OK for Burp not to intercept; or alternatively, go to the Burp Suite Proxy Tab and click "Interception Off" to disable interception of any traffic. Another alternative method is using an addon called swap-proxy and other similar addons:
Alternative to using Crunch: If Crunch is too much pain and making dictionaries automated is the goal, Burp Suite as a framework could be used to make dictionary files automatically using the Intruder tab. Here's how one could go ahead and automate the dictionary generation using x, y and z as characters and password complexity set to 5 minimum and 5 maximum for these characters:
On the payload tab, set the payload type to simple list and manually add the usernames, which here as an example would be admin@pentesteracademy.com and jack@pentesteracademy.com:
We'll use xyz as the character set in this demonstration because that's the set of password characters being used; in any other scenario, make sure you determine this and add the characters likely for that scenario. Once that's been set, set the Min. Length to 5 and the Max. Length to 5 because that's the password complexity for this demonstration. Everything happens in the Payload Options for the "Brute Forcer" payload type set for the payload set:
After everything is set up and done, go to the Intruder on the menu-bar discussed before and start the attack; the results would be the same. Check the content-length as discussed before and look for the responses which render the granted access.
The render tab would now render the representation of the HTML as a browser engine would, and we can therefore determine that the password was indeed cracked via Burp Intruder. Now, there used to be another alternative method which currently is experimental and doesn't work properly on the newer versions of browsers or Firefox; it was made for Firefox as a .xpi addon, and this addon was called Fireforce, linked/referenced at:
http://www.scrt.ch/en/attack/downloads/fireforce
Documentation for the usage of Fireforce as a web-form login bruteforcer could be found here:
http://www.scrt.ch/outils/fireforce/fireforce_en_manual.pdf
An added reference for Fireforce and how it does what it is supposed to be doing could be found here: http://www.securityaegis.com/easy-breezy-beautiful-password-attacking/
The method for this was not included in this document because Fireforce freezes on many operations on newer Firefox web-browsers. As soon as Fireforce releases a stable version for newer versions of Firefox, it'd likely be included in this document. Next, we will look at developing a python script to break the password, using python libraries. For python, the first step would be to learn python, because without knowing python libraries and how python works, one wouldn't be able to automate all of this by developing his/her own scripts. To be able to automate certain web application exploitation, penetration testers use python scripts which they develop at the expense of their own free time. This would be shown in the next method, but it is recommended that people learn python to be able to understand the whole of it.
Method 3: Using Python to break Web-Form Login:
Python terminal:
#python
Enough of the basics; it's time to develop a script which calls the python executable from Linux and loads up the script we develop before it could do anything with the script. For this, we use the shebang to make sure that before executing our code script, the Linux environment imports the python executable from /usr/bin, which has a file called python. We'd check what this file is and learn to locate or find where python is by issuing the following commands, but first we create a file called web-form-brute.py using the touch command, so later we can start writing our code here:
The locate command would generate many more results, but for executables, we'd use the whereis command to find where python would be, so that later we could use this directory to call the python executable using the shebang before the located file and then continue writing our code:
At this point, we have many versions of python installed; the default we'd pick up is the one at /usr/bin/python. Now, to use the shebang, which is represented by "#!", we would have to first use a text editor to open the file which we had created:
We use nano, a text editor which is GNU based in Linux. Other options on Linux are pico, vim, gedit, leafpad and emacs. There are tons of text editors available; once loaded, the screen prompts us to write text into the editor screen, where we begin with our shebang to include the python executable:
The code:
#!/usr/bin/python3
# The document's original script used Python 2 (urllib.urlopen and the print
# statement); this version keeps the same logic but runs on Python 3.
from urllib.request import urlopen
from urllib.parse import quote
import itertools
import sys

def gen_passwords(universe, l):
    # use itertools to create a list of all password permutations:
    # every string of length l over the given characters
    wl = []
    for i in itertools.product(universe, repeat=l):
        wl.append("".join(i))
    return wl

def brute(username):
    # the login form is GET based, so both credentials go in the query string
    root_url = ("http://www.pentesteracademylab.appspot.com/lab/webapp/1?email="
                + quote(username + "@pentesteracademy.com") + "&password=")
    # want to be able to enter a password on the command line and only send that
    # one test
    if len(sys.argv) < 2:
        wl = gen_passwords("xyz", 5)
    else:
        wl = [sys.argv[1]]
    for pw in wl:
        full_url = root_url + quote(pw)
        p = urlopen(full_url).read().decode("utf-8", "replace")
        if "Failed!" not in p:
            # success: the blacklist string is absent from the response body
            print("Username: ", username, " Password: ", pw)
            break
        else:
            print("Password: %s failed" % pw)

brute("admin")
brute("jack")
root_url would be the whole GET URL, which would then take the username from the defined usernames, which are jack and admin for this demonstration; the def function brute does this job. Also, we use itertools as our library to iterate. The defined function called gen_passwords takes care of the loop which generates a permutable list of x, y and z for a minimum 5 to maximum 5 character list; brute then checks for the bruted passwords which did not generate the "Failed" string, and hence triggers the success appended to the bruted list of passwords. Before moving further, chmod +x the python code file to execute it:
The script begins the bruteforcing and, until we see the success string appended to the generated password of password complexity 5 minimum and 5 maximum, we have to keep looking at the results. Once the bruteforce gets over and the script has been executed, check through the logs generated (for this, one could have redirected the output to something like ./web-form-brute.py > results_brute.txt from the execution point and looked for the success string); however, we do get the success string here, which would be useful for a successful login:
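Because this lab's form sends the credentials in a GET request, every attempt, password included, is written to the web server's access log, which gives the defender the same view the attacker just used. The following is an added example and not part of the original document: it parses constructed Apache-style access-log lines, flags bursts of login attempts per client and email, and singles out the attempt whose response size differs from the rest (the lab returns 200 on every attempt, so only the body length changes, the same tell the Burp Intruder "Length" column gave). LOGIN_PATH, the log format and all sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Login endpoint taken from the document's target URL (assumption for this example).
LOGIN_PATH = "/lab/webapp/1"

# Apache/nginx "combined" access-log format; referer and user-agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: one client hammering the login with 5-character x/y/z
# passwords, one ordinary login by another client, and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2014:10:00:00 +0000] "GET /lab/webapp/1?email=admin%40pentesteracademy.com&password=xxxxx HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Aug/2014:10:00:01 +0000] "GET /lab/webapp/1?email=admin%40pentesteracademy.com&password=xxxxy HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Aug/2014:10:00:02 +0000] "GET /lab/webapp/1?email=admin%40pentesteracademy.com&password=xyzxy HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Aug/2014:10:00:03 +0000] "GET /lab/webapp/1?email=admin%40pentesteracademy.com&password=zzzzz HTTP/1.1" 200 640',
    '203.0.113.7 - - [12/Aug/2014:10:00:04 +0000] "GET /lab/webapp/1?email=admin%40pentesteracademy.com&password=yyyyy HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Aug/2014:10:00:02 +0000] "GET /lab/webapp/1?email=jack%40pentesteracademy.com&password=hunter HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Aug/2014:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def parse_line(line):
    """Parse one access-log line; return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    size = m.group("size")
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": url.path,
        "query": parse_qs(url.query),      # percent-decodes %40 back to @
        "status": int(m.group("status")),
        "size": None if size == "-" else int(size),
    }

def detect_login_bruteforce(lines, threshold=5, window_s=60):
    """
    Flag (client IP, email) pairs with at least `threshold` GET login attempts
    inside any `window_s`-second span. The lab answers 200 to every attempt, so
    the only tell of a hit is a response size that differs from the rest; the
    passwords behind those odd-sized responses are reported as likely successes.
    """
    attempts = defaultdict(list)        # (ip, email) -> [(time, password, size)]
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "GET" or rec["path"] != LOGIN_PATH:
            continue
        email = rec["query"].get("email", [""])[0]
        pw = rec["query"].get("password", [""])[0]
        attempts[(rec["ip"], email)].append((rec["time"], pw, rec["size"]))

    findings = []
    for (ip, email), events in attempts.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most window_s
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                sizes = [s for _, _, s in events if s is not None]
                usual = max(set(sizes), key=sizes.count) if sizes else None
                findings.append({
                    "ip": ip,
                    "email": email,
                    "attempts": len(events),
                    "distinct_passwords": len({pw for _, pw, _ in events}),
                    "likely_success": [pw for _, pw, s in events
                                       if s is not None and s != usual],
                })
                break
    return findings

if __name__ == "__main__":
    for finding in detect_login_bruteforce(SAMPLE_LOG):
        print(finding)
```

The same check works on a POST form only if the application logs the body; with a GET form the password also ends up in proxy logs and browser history, which is the stronger reason to move such forms to POST.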
Method 4: Using WebSlayer to Brute Force Web Logins:
About WebSlayer:
Enhancements to wfuzz with a front-end GUI and added selected modules for web application penetration testing, enumeration along with discovery.
Could be used for login form brute force, session brute force, parameter brute force.
Could also be used for parameter fuzzing, and fuzzing for injections such as SQL Injection and Cross Site Scripting attacks, provided the payloads are strong and massive.
This tool, besides Metasploit and others, could also break NTLM and Digest based authentication. Basic Authentication could also be broken using this same tool.
In short: WebSlayer is a tool designed for brute forcing Web Applications; it can be used for finding resources not linked (directories, servlets, scripts, files, etc.), brute forcing GET and POST parameters, brute forcing form parameters (User/Password), fuzzing, etc. The tool has a payload generator and an easy and powerful results analyzer. The POST parameters would require some extent of using the Live HTTP Headers add-on on Mozilla Firefox, demonstrated in this video. The demonstration is very thorough while using WebSlayer as a project tool for web application penetration testing projects.
Kali Linux, which is Debian based, has WebSlayer in its loaded set of penetration test tools. Here's how you can launch WebSlayer:
Capture the request with Live HTTP Headers, which just gives an easy way to input the right headers which would be thrown at this fuzzer. The addon we'd be using here is Live HTTP Headers, which is available in Firefox, or any other tool-set which has the same functionality, like Burp, Fiddler, Charles Proxy and many more. If Live HTTP Headers is installed in Firefox (or Iceweasel), bring it up from the menubar: go to Tools and click on Live HTTP Headers.
When done, the page refreshed and all the packets along with the headers went through Live HTTP Headers, and hence Live HTTP Headers captured the HTTP headers because it was set to "Capture"; your next move is to copy all these exact headers which were sent by the original browser client into WebSlayer, so that it can pretend to be the original browser client
Notice the changes made to the URL for WebSlayer to be configured so that it could take admin@pentesteracademy.com as the username and the payloads we generate on the password parameter. The value of the email parameter remains intact.
After this initial set-up, we'd need to generate a password list; select the Payload Type as "Dictionary" as shown here:
In this attack, we are using the Dictionary passwords file previously created because, after a thorough investigation, I found that we cannot use the payload option, since the payload fails at generating the minimum and maximum 5 characters using combination; it only supports permutation with a fixed width type along with the given characters, which are x, y and z.
So, once the Dictionary attack type is selected, we could generate the list via crunch; here we'll use the previously generated list. Load up the list by clicking on the option and select the list file. The list file here is named "passwords.txt":
Use the same Payload extracted at this point to log in via the original browser, and the same results would be achieved. However, there are plenty more options in WebSlayer in the Payload Generator tab, where apart from doing combination and permutation generation, a variety of possible payload generations could be done, which include block payload generation, credit card payload generation, username generation (which could be taken for the enumeration part) and numerical payload generation:
Method 5: Nmap Script Code to break web form:
Nmap can scan for open ports. It can detect the host operating system remotely. It also can detect application versions, and has signatures preset for recognizing application, OS and other daemon versions. It does host discovery, operating system enumeration, and report generation using XML standards and firewall evasion on the go. It has both CLI and GUI versions. The GUI version of Nmap is known as "Zenmap". When it's about scanning and network enumeration, fingerprinting, Nmap is the first favorite choice of any dedicated red team using this tool as an army Swiss knife (same goes for Netcat!).
Nmap has an engine called the Nmap Scripting Engine (NSE). The engine is documented here and is written in the Lua language. Apart from Nmap itself, NSE provides the flexibility to separate additional tasks like automating an exploit, actually exploiting a target, and provides a range of capabilities such as enumeration, vulnerability detection and much more. Read the documentation. Also, in Kali Linux, which is an operating system based on Debian, the Nmap scripts reside in the /usr/share/nmap/scripts directory:
Before we go into opting for the NSE engine to bruteforce web based form logins, there are certain things which you'd need to know:
1. The NSE is completely community based and written in Lua.
2. As of August 2014, there were no such scripts written for Nmap which assisted in bruteforcing web based logins using the GET method.
Backing up the original script is easy; you would require to copy the existing original script and store it in the same directory for later use:
Now one would require to update the original script with the following code provided here. A raw version could be found here. Since we had backed up our original script code for http-form-brute.nse, we can go ahead and replace the original script code with the script code which has been provided here, because this new script provides new functionality including the choice of POST or GET as the HTTP request.
Copy the code from the raw version of the ASCII text code in Lua provided here and paste it into the editor of choice. Make sure the name stays the same, that is "http-form-brute.nse". After pasting this new code, press CTRL+O to save the code in nano and hit carriage-return (i.e. Enter), and then CTRL+X to exit the editor. The following screenshot shows the demonstration of the code which has been developed using nano as the text editor of choice. For new users, leafpad, which comes along with Kali, would be great, or gedit, which could be installed via "apt-get install gedit" on the command line.
It's recommended for experienced Lua coders to go through the code and modify it if any changes are needed. This belongs in accordance with the needs of the pentester. Also mail me if there is something you modify, since I'd be interested to keep track of the changes in the code.
Now that we have everything set up with the replaced code, we need to trigger Nmap from the command line and set up a crafted Nmap NSE script with arguments. The script argument is something which most find tricky. Keeping everything aside, when you realize the way Nmap script arguments are passed via the CLI, the true power lies there for quick exploitation as well as quick tests. NSE provides a variety of lists for checks, exploitation, enumeration and a vast database for automating tasks. This document again does not discuss Nmap in detail; I'd rather jump over to using NSE for bruteforcing web application forms which might be GET based HTTP requests. A GET request is something which is imprinted on the URL, which in this case is:
https://pentesteracademylab.appspot.com/lab/webapp/1?email=test&password=test
Both the username, which is the "email" parameter, and the password, which is the "password" parameter, are being passed in clear text on the URL, which means the request method is "GET". This could also be verified using the view-source which was discussed earlier in this document.
After the application has been mapped, to use the power of the NSE script to our advantage, we need the more specific script which we had developed earlier in the Lua code to be run by Nmap. In order to accomplish this, we need to trigger the script with the --script= directive and mention the script name. Nmap takes care of the rest and is automatically synced with the /usr/share/nmap/scripts directory, and hence would not require a .nse extension to be provided when naming the script. First, the main target is specified along with the port to be targeted; a web-server runs on 80 by default, and our target pentesteracademylab.appspot.com has the same port open, which serves web-content or is running an HTTP server. Hence we have more script arguments which are newly introduced by the script; these are all the arguments one needs to pass to the script (http-form-brute.nse):
1.
2.
3.
4.
5.
6.
7.
Since we now understand the format to specify the Nmap arguments, I need to show some of the common mistakes one could run into when writing the query for Nmap. These are stated here so
The crafted query is simple unless one looks at its length. Nmap takes the target host as pentesteracademylab.appspot.com, and with the -n switch I specified that we need not re-do DNS queries, and hence no-dns follows; next I mention the target port, which is 80, and then I mention --script=http-form-brute, which is the modified script under the /usr/share/nmap/scripts/ directory. I then mention --script-args=, providing the script the arguments which are required for the target, separated by commas and enclosed in single quotes as discussed above. The values of these arguments are enclosed in double quotes. And I then specify a verbose result while Nmap would be running; this is optional and is not required. I however like to maintain the dignity of the results for a quicker look during a penetration test. Everything would look like the following:
Depending on the network, it would take time to bring the results back; the results are varied and hence may require trial and error. This happens due to packets being sent either too slowly or due to time lags. False positives are common using the modified script.
As the audience sees the result, these are false positives which were caught in hook by the modified Lua script; with some trial and error, one should be able to get the right credentials. As this is getting documented here, Nmap developers are working on the current Lua script for better detection. With a fast connection, the false positives are however minimized. This happens due to the TCP packets being sent at a low rate and therefore the response from the web-server getting malformed. It's due to network bottlenecks.
That marks the conclusion of this document, and I hope the audience gets the vision of how to carry out different attacks via the same attack vector but with different approaches. The point of this document is not to show how things are exploited and you get credentials; that could be done either way. But the point is to show how many ways a pentester could go ahead and break the web application to suit his/her objectives. This is a series of documents to follow.
Contact Information
LinkedIn: Contact me on LinkedIn here.
Facebook: Contact me on Facebook here.
Reach me at: Shritam.bhowmick@gmail.com