Brute force cracking and verification code security: an overview of brute force guessing

Brute force guessing overview

Brute force guessing, simply put, means trying candidate passwords one by one until the real password is found.

Brute force cracking considerations

Before cracking, there must be an effective dictionary (Top100, Top2000, and leaked csdn, QQ, 163 password lists, etc.). Then determine whether the user has set a complex password, whether the website has a verification code (CAPTCHA), whether there are restrictions on login attempts (lockout or rate limiting), and whether the website uses two-factor authentication. Also check the access requirements of the administrator background, such as allowing only certain IPs, access through a bastion host, mobile phone SMS codes, Token values, etc.

Register on the target website and find out its restrictions on the account password. For example, if the target site requires that the password be more than 8 characters and a combination of letters and numbers, the dictionary can be optimized accordingly, such as removing passwords that do not meet the requirements. (Passwords that do not meet the requirements can still be worth trying, because old users may not have been forced to change their passwords.)

If you are cracking the administrator background password, the admin / administrator / root accounts have a higher probability of existing, so these three accounts plus a password dictionary can be used for brute force cracking. Pay attention to the response prompts during the cracking process, such as "user name or password error", "password error", and "user name does not exist": a prompt that distinguishes a wrong password from a non-existent user reveals which user names are valid.

Sometimes a company intranet has accounts that a large number of employees need to use. To save trouble, a unified default password is set for employees and they are left to change it themselves; vulnerabilities may also occur here.

Cases where the user is not allowed to change the password, or where the new password must differ from the old one, may also produce vulnerabilities.

There are several ways to find the correct user name. Open the website: at the bottom there are often some email addresses (for example, mailboxes for recruitment or complaints) as well as notices from the relevant administrators. Alternatively, look up the mailbox address of the person who registered the domain name in the domain name registration record. This information may become useful.
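From the defender's side, the login prompts and user name discovery described above show up as patterns in the authentication log: many failures from one source against one account, or one source cycling through many accounts. The following detection logic is an added example, not code from the original article; the log format ("timestamp client_ip username result") and the sample lines are constructed for illustration.

```python
"""Detect brute-force and password-spraying patterns in web login logs.

Added example (not from the original article). The log format used here is a
constructed, hypothetical format: "timestamp client_ip username result".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not from any real system).
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 admin FAIL
2024-01-01T10:00:01 203.0.113.5 admin FAIL
2024-01-01T10:00:02 203.0.113.5 admin FAIL
2024-01-01T10:00:03 203.0.113.5 admin FAIL
2024-01-01T10:00:04 203.0.113.5 admin FAIL
2024-01-01T10:00:05 203.0.113.5 admin OK
2024-01-01T10:00:10 198.51.100.7 alice FAIL
2024-01-01T10:00:11 198.51.100.7 bob FAIL
2024-01-01T10:00:12 198.51.100.7 carol FAIL
2024-01-01T10:00:13 198.51.100.7 dave FAIL
2024-01-01T10:05:00 192.0.2.9 alice FAIL
2024-01-01T10:20:00 192.0.2.9 alice OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect(log_text, window=timedelta(minutes=5), fail_threshold=5, spray_threshold=4):
    """Return a dict mapping client IP -> list of alert names.

    - "bruteforce": at least fail_threshold failures from one IP inside `window`
    - "spray": failures against at least spray_threshold distinct user names
      from one IP inside `window` (password spraying / user name guessing)
    - "success_after_failures": a successful login from an IP that already
      triggered "bruteforce" (the guess may have succeeded; investigate)
    """
    events = sorted((parse_line(l) for l in log_text.strip().splitlines()), key=lambda e: e[0])
    fails = defaultdict(list)   # ip -> [(timestamp, username), ...] recent failures
    alerts = defaultdict(list)  # ip -> alert names, each raised once
    flagged = set()             # IPs that already triggered "bruteforce"
    for ts, ip, user, result in events:
        # Drop failures that have fallen out of the sliding window.
        fails[ip] = [(t, u) for (t, u) in fails[ip] if ts - t <= window]
        if result == "FAIL":
            fails[ip].append((ts, user))
            if len(fails[ip]) >= fail_threshold and "bruteforce" not in alerts[ip]:
                alerts[ip].append("bruteforce")
                flagged.add(ip)
            if len({u for _, u in fails[ip]}) >= spray_threshold and "spray" not in alerts[ip]:
                alerts[ip].append("spray")
        elif result == "OK" and ip in flagged and "success_after_failures" not in alerts[ip]:
            alerts[ip].append("success_after_failures")
    return dict(alerts)


if __name__ == "__main__":
    for ip, names in detect(SAMPLE_LOG).items():
        print(ip, names)
```

The thresholds are deliberately parameters: a site with a lockout policy would tune `fail_threshold` below the lockout count so the alert fires before accounts start locking, and the "success_after_failures" alert is the one that deserves an immediate response rather than a daily report.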

Brute force classification

(1) Form-based brute force cracking

(2) Verification-code-based brute force cracking

Common problems on the client side: the verification code is generated or checked by insecure front-end JavaScript; the verification code is leaked in a cookie; the verification code is leaked in the front-end page source.

Common problems on the server side: the verification code never expires in the backend, so it can be reused for a long time (the PHP default session expires after 24 minutes); verification is not strict, with logic problems such as accepting an empty code or not invalidating a code after use; the verification code is designed too simply and can be guessed from its pattern.
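The server-side problems listed above (no expiry, a code that stays valid after use, and verification that is not strict) are easiest to see next to a hardened check. The following is an added example, not code from the original article; the session is an in-memory dict standing in for the real session backend (hypothetical), and `issue_code`, `verify_weak` and `verify_hardened` are names chosen for this illustration.

```python
"""Server-side verification-code (CAPTCHA) checking: a weak pattern beside a hardened one.

Added example, not from the original article. The session store is a plain dict
standing in for the real session backend (hypothetical).
"""
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_uppercase + string.digits


def issue_code(session, length=6, now=None):
    """Generate a fresh random code and store it in the session with its issue time."""
    code = "".join(secrets.choice(ALPHABET) for _ in range(length))
    session["captcha"] = {"code": code, "issued": now if now is not None else time.time()}
    return code


def verify_weak(session, submitted):
    """Weak pattern: the stored code is never expired or invalidated, so it can be
    replayed for the whole session lifetime, and a missing code compares equal to
    an empty submission (verification that is 'not strict')."""
    stored = session.get("captcha", {}).get("code", "")
    return stored == submitted


def verify_hardened(session, submitted, ttl=300, now=None):
    """Hardened pattern: the code must exist, must be younger than `ttl` seconds,
    is consumed on every attempt (right or wrong, so each guess costs a new CAPTCHA),
    and is compared in constant time."""
    now = now if now is not None else time.time()
    entry = session.pop("captcha", None)  # single use: removed regardless of outcome
    if entry is None or not isinstance(submitted, str):
        return False
    if now - entry["issued"] > ttl:
        return False
    # Codes are issued in upper case; accept case-insensitive input from the user.
    return hmac.compare_digest(entry["code"].encode(), submitted.upper().encode())


if __name__ == "__main__":
    s = {}
    code = issue_code(s)
    print("weak accepts twice:", verify_weak(s, code), verify_weak(s, code))
    s = {}
    code = issue_code(s)
    print("hardened accepts once:", verify_hardened(s, code), verify_hardened(s, code))
```

Consuming the code on a failed attempt is the part that actually defeats automated guessing: with the weak verifier a single solved CAPTCHA unlocks unlimited password attempts, whereas the hardened one makes every password guess cost one fresh CAPTCHA solution.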

(3) Token-based cracking (refer to the token cracking document)

Because the token value is output in the front-end page source, it is easy to obtain, so it loses its meaning as a defense against brute force cracking. Generally, a Token is more effective at preventing CSRF.
Note (Burp Intruder settings): set the number of threads to 1; set Grep-Extract to start at `token" value="` and end at `"/>`; set the payload to Recursive grep.

(4) Cracking based on third-party services such as systems, databases, middleware, etc.

System vulnerability scanners come with brute force cracking modules; dedicated tools include Bruter and hydra.


Origin blog.csdn.net/weixin_43079958/article/details/105522616