Pikachu - brute force (Burt Force) principle and testing process

Brute force overview:

  • Continuous attempts + dictionary + automation: without knowing the target's account name and password, the attacker repeatedly tries to log in. In the course of these attempts, the attacker uses automation tools and a specific dictionary (such as a library of accounts and passwords) to run efficient, automated, sequential login attempts in order to obtain valid account and password pairs.
  • Dictionary: an effective dictionary can greatly improve the efficiency of brute force. Common sources:
  1. Commonly used accounts and passwords (weak passwords)
  2. Accounts and passwords exposed on the Internet after a database has been dumped (social-engineering databases)
  3. Passwords generated by a tool that applies a permutation and combination algorithm to specified characters according to specified rules

Brute force vulnerability overview:

  • If a site implements no measures to prevent brute forcing of its login interface, or the measures it implements are inadequate, the site has a brute force vulnerability.
  • Measures to prevent brute force: whether users are required to set complex passwords; whether every authentication uses a secure verification code; whether login attempts are evaluated and limited; whether two-factor authentication is used where necessary; and so on.

Brute force vulnerability testing process:

  1. Confirm the vulnerability of the login interface

    Confirm whether the target has a brute force vulnerability (that is, confirm that brute forcing is possible).

    For example: attempt a login, capture the packets, and observe the verification elements and the response information to judge whether brute forcing may be possible.

  2. Optimize the dictionary

    Optimize the dictionary according to the actual situation to improve the efficiency of the brute force process.

  3. Automate with a tool

    Configure the automation tool (threads, timeout, number of retries, and so on) and run it automatically.

Dictionary optimization tips:

  Tip 1: optimize according to the registration prompts. The target site places some restrictions on registration, so find out what its account and password rules are. For example, if the target site requires passwords to be a combination of six or more letters and digits, you can optimize the dictionary accordingly, for example by removing the passwords that do not comply.

  Tip 2: if the target is an administrative back end, the administrator account of such a system is quite likely to be admin / administrator / root. You can try to log in with each of these three accounts plus an arbitrary password and watch the returned result to determine the user name.
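
Seen from the defender's side, the "evaluate and limit login attempts" measure listed above, combined with a failure response that does not reveal whether the user name exists (the signal Tip 2 relies on), can look like the following. This is an added example, not code from Pikachu or from the original post; the `LoginGuard` class, the thresholds, the messages and the sample account are assumptions made for illustration.

```python
import hashlib, hmac, os
from collections import defaultdict, deque

MAX_FAILS = 5      # assumed: failures allowed per key inside the window
WINDOW = 300       # assumed: sliding window length in seconds
GENERIC_ERROR = "Invalid username or password"   # same text for every failure

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGuard:
    """Hypothetical login check with per-account and per-IP attempt limits."""

    def __init__(self, users):
        # users: {name: password}, constructed sample data; only salted hashes are kept
        self._users = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._users[name] = (salt, _hash(pw, salt))
        # Dummy record so unknown user names cost the same hashing work
        self._dummy = (os.urandom(16), os.urandom(32))
        self._fails = defaultdict(deque)   # key -> timestamps of recent failures

    def _blocked(self, key, now):
        q = self._fails[key]
        while q and now - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        return len(q) >= MAX_FAILS

    def login(self, username, password, ip, now):
        # Failures are counted per submitted name (existing or not) and per IP,
        # so the limiter itself does not reveal which accounts exist.
        keys = (("user", username), ("ip", ip))
        if any(self._blocked(k, now) for k in keys):
            return 429, "Too many attempts, try again later"
        salt, stored = self._users.get(username, self._dummy)
        match = hmac.compare_digest(_hash(password, salt), stored)
        if match and username in self._users:
            self._fails.pop(("user", username), None)
            return 200, "Login success"
        for k in keys:
            self._fails[k].append(now)
        return 401, GENERIC_ERROR
```

A production version would also bound the size of the failure table and pair the limit with the other measures listed above (verification code, two-factor authentication), since a per-account limit alone lets an attacker lock out legitimate users.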

Origin www.cnblogs.com/mxm0117/p/12598202.html