First, form-based brute force
Second, bypassing the verification code (server side)
Third, bypassing the verification code (client side)
Fourth, token anti-brute-force
Outline
An effective brute-force dictionary can greatly improve the efficiency of
- For example, the TOP500 most common usernames/passwords
- Account/password pairs from leaked databases (social-engineering databases)
- Passwords generated by specified rules from a specific target's attributes (such as phone number, date of birth, bank card number)
Brute force process
- Confirm that the login interface is vulnerable
- Try to log in, capture the packets, and observe the response to determine whether brute force is likely to be possible
- Optimize the dictionary
- Adjust the dictionary to the actual situation to improve brute-force efficiency
- Use automation tools
Dictionary optimization tips
- Optimize according to the password requirements shown at registration: if a password must be 8 or more characters, remove entries shorter than 8
- When brute-forcing an admin backend, the account is very likely to be admin / administrator / root, so these three accounts can be used
First, form-based brute force
When the input is wrong, the following prompt appears
There is no verification code or other authentication mechanism, so capture the request and look
Send it to Intruder for brute force
Set the Payload
Then copy "username or password is not exists~" into Grep Match. Grep Match can then be used to distinguish which responses contain the string
Then start the attack: requests matching "username or password is not exists" are failed attempts, and the successful attempt can also be seen from the response length
Second, bypassing the verification code (server side)
A verification code can be used to prevent malicious registration and brute force. Common server-side verification code problems:
- The verification code is not refreshed in the backend after use, so it stays valid for a long time
- The verification code check is not strict and has logic problems
- The verification code design is too simple and regular, easy to guess
Let's look at a simple test: without entering the verification code, the prompt says the verification code is empty; with a wrong code, the prompt says the verification code is wrong; only when the code is correct does it prompt that the account or password does not exist
Capture the following request to determine whether the server verifies the code; it turns out that it does
This shows the backend validates the code. Let's look at the validation logic and the code generation:
When we refresh the page, a request is sent to the backend; the backend receives the request, generates a verification code, and saves it in the session.
We generate a new code, then enter the correct code in BurpSuite
Prompt: account or password does not exist
Let's change the password and send again
It still prompts that the account or password does not exist, whereas it should prompt a verification code error. This indicates the verification code remains valid long-term, so we send it directly to Intruder for brute force
Third, bypassing the verification code (client side)
Here we need to enter a verification code; we cannot brute-force the code itself, but by capturing the request packet we find it only contains one extra verification code field
By looking at the source, we find the verification code validation logic is implemented on the client side
This JavaScript randomly selects five characters from 0-9 and the 26 capital letters as the verification code, then validate() verifies it
In addition, the source shows that every time we click the code, createCode() is called to change it
Using BurpSuite we find the backend does not validate the code; only in the browser does entering a wrong code give an error
Normally this pops up
This shows the front-end verification code is only decorative and the backend does not validate it. So we ignore the code and brute force directly
Fourth, token anti-brute-force
Using the developer tools we find a hidden label
The number inside is our token; every time a request is submitted there is a token value, and the backend validates it
But the token is written into the HTML page, so an attacker only needs to write a tool that fetches the token before submitting each request
A simple Python test script, as follows:
```python
import requests
import re

url = "http://192.168.171.133/pikachu/vul/burteforce/bf_token.php"

def get_token(url):
    # Fetch the login page and pull the token out of the hidden input's value attribute
    response = requests.get(url)
    content = response.text
    pattern = r'(?<=value=")\w+(?=")'
    token = re.search(pattern, content).group()
    return token

users = ["admin", "root"]
passwds = ["admin", "password", "123456"]
data = {}
for user in users:
    for passwd in passwds:
        data["submit"] = "Login"
        data["username"] = user
        data["password"] = passwd
        data["token"] = get_token(url)  # fresh token for every request
        response = requests.post(url, data=data)
        content = response.text
        if "login success" in content:
            print("username: ", user, "password: ", passwd)
```
Output
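As an added example (not code from this page or from the pikachu lab), here is how the server-side checks discussed in the second and fourth sections should behave: the verification code and the token are stored in the session, consumed on every attempt, and compared in constant time, shown beside the reusable-code pattern the lab exhibits. The dict-based session and all function names are assumptions.

```python
import hmac
import secrets
import string

# Same character set as the lab's client-side generator: digits and capital letters
ALPHABET = string.ascii_uppercase + string.digits

def new_captcha(session, length=5):
    # Store the code server-side (the session is a plain dict here, a hypothetical stand-in)
    code = "".join(secrets.choice(ALPHABET) for _ in range(length))
    session["captcha"] = code
    return code

def check_captcha_weak(session, submitted):
    # The page's "long-term valid" flaw: compared but never cleared, so one solved
    # code unlocks unlimited password guesses
    expected = session.get("captcha")
    return expected is not None and submitted == expected

def _consume_and_compare(session, key, submitted):
    # Pop the stored value so it is single-use whether or not this attempt succeeds,
    # then compare in constant time
    expected = session.pop(key, None)
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())

def check_captcha_strict(session, submitted):
    # Hardened check: a new code must be issued before every further attempt
    return _consume_and_compare(session, "captcha", submitted)

def new_token(session):
    # Unguessable per-request token bound to this session, not just to the HTML page
    token = secrets.token_hex(16)
    session["token"] = token
    return token

def check_token(session, submitted):
    # Single-use: a token fetched for one request cannot be replayed on the next
    return _consume_and_compare(session, "token", submitted)

def attempts_unlocked_by_one_code(checker, attempts=5):
    # How many login attempts does a single solved code allow under a given checker?
    session = {}
    code = new_captcha(session)
    return sum(1 for _ in range(attempts) if checker(session, code))
```

Under the weak checker one solved code unlocks all five attempts; under the strict checker it unlocks exactly one, which is what forces a brute-force tool back to solving a fresh code per guess.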