Brute force testing on the Pikachu penetration testing platform

How do you determine whether a web application is vulnerable to brute force?

Does it require users to set complex passwords?
Does each authentication use a secure verification code (CAPTCHA)?
Does it detect login attempts and restrict them (for example, lock out after repeated failures)?
Does it use two-factor authentication where necessary?

Brute-force vulnerability testing process

1. Confirm that the login interface is vulnerable
Confirm whether the target has a brute-force vulnerability, that is, whether brute force is possible at all. For example: try to log in, capture the packets, and observe the response to judge whether brute force may be feasible. You can also register an account and log in several times to see whether wrong attempts lead to a lockout, and you can learn some of the account rules at registration time.
2. Optimize the dictionary
Optimize the dictionary according to the actual situation to improve the efficiency of the brute-force process.
3. Automate with a tool
Configure the tool's automation settings (such as threads, timeout, number of retries, etc.) and let it run automatically.

Brute-force dictionary optimization tips

Tip 1: optimize based on registration information
Register on the target site to find out the restrictions on account names and passwords. For example, if the target site requires passwords to be at least six characters combining letters and digits, you can optimize the dictionary accordingly, such as by removing passwords that do not meet the requirements.
Tip 2:
If the target is an administrative back end, the administrator account of such a system is very often admin / administrator / root. You can try to log in with these three accounts and an arbitrary password and watch the returned result to determine the user name: if the response distinguishes between "user name error" and "password error", or returns different error codes, you can determine the user name, so that only the password needs to be brute-forced.
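The two weaknesses the checks above and Tip 2 rely on are a login handler that reveals which field was wrong and one that never counts failures. As an added example (not code from the original post or from Pikachu), here is a minimal vulnerable handler beside a hardened one; the user store, user name and password are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed user store: username -> sha256(password). Real systems should use
# a slow, salted hash (bcrypt/argon2); sha256 only keeps this example runnable.
USERS = {"admin": hashlib.sha256(b"S3cret-pass-2020").hexdigest()}

def weak_login(username, password):
    """Vulnerable pattern: distinct errors leak which field was wrong, and
    nothing counts failures, so a dictionary can be tried without limit."""
    if username not in USERS:
        return "user does not exist"          # confirms the account name
    if hashlib.sha256(password.encode()).hexdigest() != USERS[username]:
        return "password error"               # confirms the name was right
    return "login success"

MAX_FAILURES = 5          # lock the account after this many failures
LOCK_SECONDS = 15 * 60    # length of the lockout window
_failures = {}            # username -> (failure count, time of first failure)

def hardened_login(username, password, now=None):
    """Hardened pattern: one generic message for every failure and a
    per-account lockout, so repeated guesses stop being informative.
    A per-IP counter and a CAPTCHA after a few failures are the usual
    complements; a lockout alone lets an attacker lock real users out."""
    now = time.time() if now is None else now
    count, since = _failures.get(username, (0, now))
    if count >= MAX_FAILURES:
        if now - since < LOCK_SECONDS:
            return "login failed"             # locked: same text as a bad guess
        count, since = 0, now                 # lockout expired, start over
    expected = USERS.get(username, "0" * 64)  # dummy hash keeps timing uniform
    given = hashlib.sha256(password.encode()).hexdigest()
    if username in USERS and hmac.compare_digest(given, expected):
        _failures.pop(username, None)         # success clears the counter
        return "login success"
    _failures[username] = (count + 1, since)
    return "login failed"
```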

Burp Suite Proxy module

Normally, as soon as Burp Suite is opened the proxy is already in a listening state. Which port it listens on can be checked under Options; the default is 127.0.0.1:8080.

The Intruder module turns custom parameters of an HTTP request packet into variables and then automatically replays the request according to the chosen policy. It is commonly used for automated guessing / brute force.

When we send the packet to Intruder, several options must be configured to achieve our goal. The Target tab sets the target; it is filled in automatically when the request is sent from the proxy. The Positions tab specifies which parameters are to be turned into variables for the brute force, and selects the attack type:
Sniper: one payload set; the first variable is tested with the dictionary first, then the second variable is tested with the dictionary.

The Intercept tab is used to modify intercepted packets. Inside it, Intercept is on by default, which means that if you go through the Burp Suite proxy the pages you request will not load; they are held by the Proxy module. For convenience we turn this off here: we make no changes, just forward the requests and let them go.

All requests are recorded under HTTP history.
Open Firefox -> Preferences -> Network Settings -> Manual proxy configuration (HTTP proxy; also tick "use this proxy server for all protocols"): 127.0.0.1, port 8080.
Now when we visit the Pikachu platform, the requests are found recorded inside Burp Suite.

Go to "form-based brute force" and enter any user name and password; it reports an error. Go back to Burp Suite and find, in HTTP history, the packet you just sent containing the user name and password. It contains only the account and password and no verification code, so brute force may be possible. Select the request and send it to Intruder. In Intruder's Positions tab you can see the raw packet; Attack type is the type of attack, of which there are four kinds. Click Clear on the right to clear the automatically marked variables, then select the parameters we want to test and click Add to mark them as variables.

Then in Payloads, the payload type defaults to Simple list, and under Payload Options you can click Add to enter dictionary entries by hand, but that is too much trouble; the payload type we use more often is Runtime file, which lets you select a dictionary file. There is also Payload Encoding, which URL-encodes certain characters; the default is fine.

Then the Options tab. Some options are greyed out because we are using the free version. Number of threads is the concurrency; for brute force, higher concurrency improves efficiency, so it can be set a little higher. Number of retries on network failure is how many times a failed request is retried, and Pause before retry is the interval between retries. Then we click Start attack in the top right corner and look at the result. We find that the Sniper attack type can only replace one variable at a time: it replaces the first variable in dictionary order, then replaces the second variable, and while one variable is being replaced the other is left untouched.

Then go back and change the attack type to Battering ram. Now the payload set contains only one payload, and when the attack runs the two variables are replaced at the same time with the same value. Then look at Pitchfork: here the payload set has as many payloads as there are variables; set both, attack, and the two variables are replaced from their respective files. Finally, the last attack type, Cluster bomb: after the variables are set and the attack starts, it cross-combines them, matching the first password in the password dictionary against every entry in the user name dictionary, then the second, and so on.

So how do you know which of the many requests you sent was the successful one? We use the Grep - Match feature. The form page shows an error string when the input is wrong; copy that string, clear Grep Match, and add this sentence. Now after the attack finishes, click the Length column header to sort: the row that is not marked with √ and whose length differs from the others is the successful one. When there is no string to judge by, we can judge by length.
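From the server side, an Intruder run like the one above leaves a burst of POSTs to the login form from one client, almost all with the same response length and one that differs. As an added example (not code from the original post), here is detection logic run over constructed access-log lines; the IP addresses, timestamps, sizes and the /login.php path are all constructed, so substitute the real form action in practice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')
LOGIN_PATH = "/login.php"   # constructed; use the real login form action

# Constructed sample: 10.0.0.5 posts the form six times in two seconds, five
# responses of equal size (the error page) and one of a different size.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2020:10:00:00 +0800] "POST /login.php HTTP/1.1" 200 1532
10.0.0.5 - - [10/Mar/2020:10:00:00 +0800] "POST /login.php HTTP/1.1" 200 1532
10.0.0.5 - - [10/Mar/2020:10:00:01 +0800] "POST /login.php HTTP/1.1" 200 1532
10.0.0.5 - - [10/Mar/2020:10:00:01 +0800] "POST /login.php HTTP/1.1" 200 1532
10.0.0.5 - - [10/Mar/2020:10:00:02 +0800] "POST /login.php HTTP/1.1" 200 1532
10.0.0.5 - - [10/Mar/2020:10:00:02 +0800] "POST /login.php HTTP/1.1" 200 1601
10.0.0.9 - - [10/Mar/2020:10:05:00 +0800] "POST /login.php HTTP/1.1" 200 1601
"""

def parse(line):
    """Split one combined-format log line; returns None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path, int(status), int(size)

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: (total login POSTs, odd response sizes)} for each client
    that posted to the login form `threshold` or more times in one window.
    The odd sizes are the same length signal the tester uses to spot a hit,
    so a flagged client with an odd size may already hold a valid password."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH:
            by_ip[rec[0]].append((rec[1], rec[5]))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):            # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                sizes = [s for _, s in events]
                common = max(set(sizes), key=sizes.count)
                hits[ip] = (len(events), sorted({s for s in sizes if s != common}))
                break
    return hits
```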


Origin blog.csdn.net/qq_43499389/article/details/104970080