I've been too lazy to post to the blog these days; these notes were written locally and are only being uploaded now.
What is brute force?
Brute force means that the attacker, without knowing the password of the target account, repeatedly attempts to log in to the target system under that account.
It is usually done with a tool plus a specialised dictionary, so that login attempts can be made efficiently and continuously.
A good dictionary greatly improves the efficiency of a brute force attack:
- common account/password pairs (weak passwords), such as the top 500 most common usernames and passwords
- leaked credential collections (so-called social engineering databases)
- dictionaries generated for the specific target with a tool
If a site implements no measures against brute force on its login interface, or implements them unreasonably, the site is said to have a brute force vulnerability. Points to check:
- whether users are required to set complex passwords
- whether each authentication uses a secure verification code (CAPTCHA)
- whether login attempts are monitored and restricted
- whether two-factor authentication is adopted where necessary
- etc.
Brute force vulnerability testing process
- Vulnerability confirmation: locate the login interface, attempt a login, capture the request and observe the information returned, and judge from it whether brute force may be possible. For example, test whether there is a control rule against many consecutive logins within a period of time, or look at whether the error returned is "account or password incorrect" versus "password incorrect", which tells you whether the username was guessed correctly.
- Dictionary optimisation: tune the dictionary to the actual situation. You can register an account yourself to see the site's password requirements, then pick the dictionary that best fits them to improve cracking efficiency.
- Automation tools: configure the tool (threads, timeout, number of retries) and run the attempts automatically.
Form-based brute force on the Pikachu practice platform
Submit an arbitrary value and capture the request.
Send it to the Intruder module.
Select the Cluster bomb attack type.
Mark the username and password as the two parameters.
Configure the payloads.
You can now start the attack.
One thing here deserves attention.
Here you can set whether the returned page is checked for the strings in this list (the Grep - Match option).
So we can put the message shown when the username or password is wrong into it,
and then, when we send a large number of requests, we can tell whether a username/password attempt succeeded by whether the response no longer contains that error.
For example:
when we enter a wrong password, this error message appears.
We can put that message into Grep - Match
and run the attack again.
There will be an extra column in the results showing whether the string you set was matched; that is the trick.
Of course, the response length can also be used to judge.
Prevention of brute force, and bypasses
Verification code (CAPTCHA) in the authentication process:
- Open the login page and send a request. When the backend receives it, it calls a code-generation function to generate a verification code, returns it to the frontend rendered as an image, and at the same time keeps the generated value in the session.
- Enter the username, password and verification code and submit; the backend compares the submitted code with the one kept in the session.
- If verification succeeds, a success message is shown; if it fails, a failure message is shown. The backend then destroys the code: a verification code must be one-time use.
- The backend generally also sets a timeout on the code; if, say, one minute passes without the frontend submitting it, a new code has to be obtained.
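To make the process above concrete, here is an added Python sketch of the server-side checks (not code from the original post or from the Pikachu platform): the code is kept in the session, consumed on first use whether or not it matched, rejected after the timeout, and the login itself counts failures and returns a generic error. The in-memory stores, the sample user record and the constants are constructed for this example.

```python
import hmac
import secrets
import time

CAPTCHA_TTL = 60          # seconds a code stays valid (the "one minute" above)
MAX_FAILURES = 5          # failed logins allowed per account before lockout
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Constructed in-memory stores standing in for the server session and user table.
SESSION = {}              # session_id -> {"captcha": code, "issued": timestamp}
USERS = {"admin": "correct-horse-battery-staple"}   # constructed sample credential
FAILED = {}               # username -> consecutive failed attempts


def issue_captcha(session_id, now=None):
    """Generate a fresh code and keep it in the session (step 1 above)."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice(ALPHABET) for _ in range(5))
    SESSION[session_id] = {"captcha": code, "issued": now}
    return code


def check_captcha(session_id, submitted, now=None):
    """Compare the submitted code with the session copy. The code is removed
    from the session on every use, match or not, so it can never be replayed."""
    now = time.time() if now is None else now
    entry = SESSION.pop(session_id, None)          # destroy on every use
    if entry is None:
        return False                                # no code issued, or already consumed
    if now - entry["issued"] > CAPTCHA_TTL:
        return False                                # expired: client must fetch a new one
    return hmac.compare_digest(entry["captcha"].encode(),
                               submitted.strip().upper().encode())


def login(session_id, username, password, captcha, now=None):
    """Server-side login: the CAPTCHA is verified here, not only in front-end JS,
    failures are counted per account, and the error text does not reveal
    whether the username exists."""
    if FAILED.get(username, 0) >= MAX_FAILURES:
        return "locked"
    if not check_captcha(session_id, captcha, now):
        return "captcha error"
    expected = USERS.get(username)
    ok = expected is not None and hmac.compare_digest(expected.encode(), password.encode())
    if not ok:
        FAILED[username] = FAILED.get(username, 0) + 1
        return "username or password incorrect"
    FAILED.pop(username, None)                      # reset the counter on success
    return "success"
```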
Bypassing server-side CAPTCHA
First, check how the server responds in each case.
When everything entered is wrong,
an error about the verification code is returned.
When the correct verification code is entered, it returns "username or password incorrect".
Capture the packet.
Refresh the login page to get a new verification code.
Replace the code in the captured packet with the new one.
We find that the server returns "username or password incorrect", which shows that our code worked; the request can now be sent to the Intruder module for brute forcing.
This brute force succeeds.
Judging from the source behind it, the reason should be that the verification code is not destroyed after use, so it can be reused.
Bypassing client-side CAPTCHA
The verification code is generated directly in frontend JS.
So we can pass the frontend check, then capture the request with Burp on its way to the backend, which bypasses the frontend JS verification.
After capturing the packet and sending it to Repeater, change the username and password and resend.
We find that the verification was only done in the frontend and is not repeated at the backend, so brute forcing is possible; the brute force process itself is not demonstrated.
Can a token prevent brute force?
The answer is no.
We can see the token in the frontend.
We just write a script that fetches a token each time the page is refreshed and then resends the request, so this token exists in name only.