Some study notes on brute force (pikachu)

I've been too lazy to post to the blog these past few days; the notes were written locally, so now I'm uploading them.

What is brute force?

That is, the attacker does not know the target account's password and repeatedly tries to log in to the target system under that account.

Usually some tool plus a specialised dictionary is used to make continuous login attempts efficiently.

An effective dictionary greatly improves the efficiency of brute force:

- Common account passwords (weak passwords), such as the top 500 common usernames/passwords
- Social engineering databases (collections of leaked credentials)
- Dictionaries generated for the target with a tool

If a site implements no measures to prevent brute force on its login interface, or implements unreasonable ones, we say the site has a brute force vulnerability. The things to check:

- Whether users are required to set complex passwords
- Whether every authentication uses a secure verification code (CAPTCHA)
- Whether login attempts are judged and restricted (for example, locking the account or IP after several consecutive failures)
- Whether two-factor authentication is adopted where necessary
- ... etc.

Brute force vulnerability testing process

  1. Confirm the weakness of the login interface: try logging in, capture the traffic, and observe the verification elements and the information returned to judge whether brute force may be possible. For example, test whether there are login control rules such as limiting several consecutive logins within a period of time, or check whether the error returned is "account or password error" versus just "password error", which tells you whether the username was guessed right.
  2. Optimise the dictionary according to the actual situation: you can register an account yourself to see the site's requirements for account passwords, then pick the best password dictionary to improve the efficiency of the attack.
  3. Automate: configure the automation tool (threads, timeouts, retry count, and so on) and run it.
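
From the defender's side, items 1 and 3 of the checklist above and the error-message check in testing step 1 come down to how the login handler is written. The following Python login handler is an added example (not pikachu's source and not code from the notes): it hashes even for unknown users, returns one generic message for "no such user" and "wrong password", and locks an account or source IP after a number of failures inside a sliding window. The user store, salt, thresholds and message strings are all constructed for the demo.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed demo credential store (PBKDF2 hashes); not pikachu's own data.
_SALT = b"demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"admin": _hash("CorrectHorse1!")}

MAX_FAILURES = 5        # checklist item 3: restrict login attempts ...
WINDOW_SECONDS = 300    # ... counted over a sliding window of this many seconds
GENERIC_ERROR = "username or password is incorrect"
LOCKED = "too many attempts, try again later"


class LoginGuard:
    """Login handler that locks a key (account or source IP) after repeated
    failures and never reveals whether the username exists."""

    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable so tests can move time
        self.failures = defaultdict(list)        # key -> timestamps of recent failures

    def _recent(self, key):
        # Drop failures older than the window, keep the rest.
        now = self.clock()
        self.failures[key] = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        return self.failures[key]

    def is_locked(self, key):
        return len(self._recent(key)) >= MAX_FAILURES

    def login(self, username, password, client_ip):
        keys = (f"user:{username}", f"ip:{client_ip}")
        if any(self.is_locked(k) for k in keys):
            return (False, LOCKED)
        stored = USERS.get(username)
        # Hash even for unknown users so response time does not leak account existence.
        candidate = _hash(password)
        if stored is not None and hmac.compare_digest(stored, candidate):
            self.failures.pop(f"user:{username}", None)   # clear the counter on success
            return (True, "login ok")
        now = self.clock()
        for k in keys:
            self.failures[k].append(now)
        # One message for "no such user" and "wrong password": testing step 1 looks
        # for exactly this difference to confirm which usernames exist.
        return (False, GENERIC_ERROR)
```

Keying the counter by account as well as by IP is what stops a distributed dictionary run against one account, but a pure per-account lock also lets anyone lock a victim out, which is why the lock here expires with the window rather than being permanent.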

Form-based brute force in the pikachu range

Submit an arbitrary value and capture the request.

Send it to the Intruder (blasting) module.

Select the Cluster bomb attack type.

Mark the two parameters, username and password.

Configure the payloads.

Then you can start the attack.

There is one place worth attention:

Here you can have the tool check whether the returned page contains the strings in this list.

So we can put the prompt shown for a wrong username or password into it.

Then, when we send a large number of requests, whether or not this error string appears in the response tells us whether the account password was cracked.

For example:

When we enter the wrong password, this error message pops up.

We can put this message into Grep - Match.

Then run the attack again.

There is now one more column in the results showing whether the string you set was matched. A handy trick, isn't it?

Of course you can also judge by response length.
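
What Grep - Match uses to tell a hit from a miss (one error page repeated for every request) is the same thing that makes such a run visible in the server's logs: one source producing a burst of login failures, often across several usernames, as a Cluster bomb run does. The following detector is an added example, not part of the notes or of pikachu: it reads constructed login-log lines in a format assumed for the demo (timestamp, ip=, user=, result=), keeps a sliding window of failures per source, and raises one alert per source once the window fills. The threshold and window length are demo values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format for this example: "<iso-timestamp> ip=<addr> user=<name> result=ok|fail"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

FAIL_THRESHOLD = 10              # failures from one source ...
WINDOW = timedelta(seconds=60)   # ... within this window raise an alert


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines):
    """Return one alert per source IP whose failures exceed the threshold
    inside the sliding window; each alert records the usernames tried."""
    window = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> distinct usernames seen in failures
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "fail":
            continue
        q = window[ev["ip"]]
        q.append(ev["ts"])
        users[ev["ip"]].add(ev["user"])
        while q and ev["ts"] - q[0] > WINDOW:   # slide the window forward
            q.popleft()
        if len(q) >= FAIL_THRESHOLD and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({
                "ip": ev["ip"],
                "at": ev["ts"],
                "failures": len(q),
                "users": sorted(users[ev["ip"]]),
            })
    return alerts


# Constructed sample log: one user mistyping once, and one source hammering two accounts.
SAMPLE_LOG = [
    "2019-09-13T10:00:00 ip=198.51.100.7 user=alice result=fail",
    "2019-09-13T10:00:05 ip=198.51.100.7 user=alice result=ok",
] + [
    f"2019-09-13T10:01:{i:02d} ip=203.0.113.5 user={'admin' if i % 2 == 0 else 'test'} result=fail"
    for i in range(12)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The alert fires on the tenth failure, not at the end of the log, so the same loop can run on a live tail; the legitimate user's single failure never reaches the threshold.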

Brute force prevention and bypasses

Verification code (CAPTCHA) in the authentication flow:

  1. Open the login page and send a request. When the backend receives it, it calls a code-generation function to generate a verification code, returns it to the front end as an image, and keeps the generated value in the session.
  2. Enter the username, password and verification code and submit; the backend compares the submitted code with the one kept in the session.
  3. If verification succeeds it reports success; if it fails it reports failure. Either way the backend then destroys the verification code, because a code must be used only once.
  4. The backend also generally sets a timeout for the code: if the prescribed time (say a minute) passes without the front end submitting the code, a new code has to be obtained.

Bypassing the server-side CAPTCHA

First, look at how the verification code is checked.

When everything is wrong:

Entering a wrong verification code returns a verification code error.

When you enter the correct verification code, it returns "username or password is incorrect".

Capture the packet.

Refresh the login page to get a new verification code.

Replace the code in our captured packet with the new one.

The server returns "username or password is incorrect", which shows that our code was accepted, so we can send it to the Intruder module and brute force with it.

The attack succeeds.

The backend source code should guarantee the principle that a verification code is used only once.

Bypassing the client-side CAPTCHA

The code is generated directly in front-end JS.

So we can pass the verification in the front end and then send the packet to the backend with Burp (bp), which bypasses the front-end JS verification.

After capturing the packet, send it to Repeater, change the account and password, and send it again.

We find that the code was only verified in the front end and the backend did not verify it again, so brute force is possible. The brute force process is not demonstrated.
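
Both bypasses above come down to the backend not owning the check: in the server-side case the code stays valid in the session after a failed login and can be replayed, and in the client-side case the backend never compares anything. The following Python is an added example (not pikachu's source and not code from the notes) of the four-step flow described earlier with both gaps closed: the code is generated and stored server-side, popped from the session on the first verification regardless of outcome, and rejected after a timeout. The session is a plain dict standing in for a real session store, and the user store, code length and TTL are constructed for the demo.

```python
import secrets
import string
import time

CAPTCHA_TTL = 60          # seconds; the notes' example of "a minute"
CODE_LENGTH = 4
ALPHABET = string.ascii_uppercase + string.digits

# Constructed demo credential store; a real application compares password hashes.
USERS = {"admin": "CorrectHorse1!"}


def issue_captcha(session, now=None):
    """Step 1: generate the code on the server and keep value and issue time in the
    session. Returns the code; a real app would render it into an image."""
    code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
    session["captcha"] = code
    session["captcha_issued"] = time.time() if now is None else now
    return code


def verify_login(session, username, password, submitted_code, now=None):
    """Steps 2 to 4: compare the submitted code with the session copy, consume it
    exactly once whatever the outcome, and enforce the timeout before the
    credentials are even looked at."""
    now = time.time() if now is None else now
    # pop() is the one-time-use guarantee: a second submission with the same
    # code finds nothing in the session, which is the replay the notes describe.
    expected = session.pop("captcha", None)
    issued = session.pop("captcha_issued", None)
    if expected is None:
        return "captcha required"            # never issued, or already used
    if now - issued > CAPTCHA_TTL:
        return "captcha expired"             # step 4: a new code must be obtained
    if not secrets.compare_digest(expected, (submitted_code or "").upper()):
        return "captcha incorrect"
    # Only a fresh, correct code reaches the credential check; the answer is
    # generic so the response does not confirm which usernames exist.
    if secrets.compare_digest(USERS.get(username, ""), password):
        return "login ok"
    return "username or password is incorrect"
```

Because every path through verify_login removes the code first, a captured request can be replayed at most once and a front-end check adds nothing the backend relies on; the client-side variant from the notes is simply this function with the pop and compare missing.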

Can a token prevent brute force?

The answer is no.

We can see the token in the front end.

We only need to write a script that fetches the token each time the page is refreshed and then resends the request; the token then exists in name only.

Origin www.cnblogs.com/qxxaq/p/11516934.html