August 20, 2015

If you ever find yourself doing a security assessment, you might run into a situation where you want to brute-force the credentials to a web-based application. While initiating brute-force attacks against protocols like Telnet or FTP is fairly simple to set up, web-based logins can be a bit finicky. This is because not all web logins accept credentials in the same manner, which requires a bit more work on your end. Let's go through an example to better understand this.

Standard web-based login page.

The first thing you will need to do is take a look at the source code of the login page itself. While you don't have to be a web designer in order to perform this task, it does help if you at least have a basic understanding of web code. It may vary from application to application, but you essentially need to find the code snippet that is responsible for actually submitting the credentials you have provided to the system itself. One of the easiest ways to do this is to search the source code for words like "password."

In the above example, you can see that line 139 contains exactly what we are looking for, and shows the URL that is used in order to submit the credentials to the system. Breaking it down to a more easily understood format, we end up with the following URL:


Now that we have the URL that is used to submit the credentials entered on the login page, we can perform a manual test with our web browser. We need to do this for two reasons: to verify that the URL we have obtained is correct, and to discover what return string the system sends back in the event of a bad password. Both are needed before performing the brute-force with Hydra.

As you can see from the above image, the URL appears to be correct as we did not receive any "Page Cannot Be Found" or similar errors. We were also able to obtain the return string for a failed password, which is "Bad User or Password." Now that we have all of this information, we can begin using Hydra.

Assuming that you are utilizing Windows, you will need to download a compiled version for your OS. For this example, I used this one. You should also download a wordlist to be used with Hydra, preferably one that contains both usernames and passwords within it. There are far too many options available on the Internet for me to list just one, so you will need to search around until you find one that you like.

Now that you have Hydra installed and have a wordlist to use, you can begin your brute-force attack against the web-based login. For this attack, we will tell Hydra to use the http-form-get service, based on our earlier research into how this login page submits credentials. We will also configure Hydra to use the URL that we discovered, and to pull the USERNAME and PASSWORD from the wordlist. Knowing that an incorrect password returns the string "Bad User or Password," we will also add that into Hydra. Without it, Hydra cannot distinguish a successful password from a failed one. With all of this information, our Hydra command should look something like the following:

     hydra -C Credentials.txt -t 1 -w 30 [Target IP] http-form-get "/cs57eb2e1b/config/System.xml?action=login&:user=^USER^&password=^PASS^:Bad User or Password"

Hydra should now begin its brute-force of the login page, going through each of the credentials within your wordlist. Looking at the packets with Wireshark confirms that Hydra is functioning correctly.

You can see that Hydra is going through each of the credentials in the wordlist correctly.

Depending on the size of your wordlist, this could take some time to complete. If you are lucky, however, you should eventually receive a response from Hydra showing that it has been able to determine the correct credentials for the application. Now you can log in and move forward with your security assessment.
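Seen from the server side, the run described above is a series of GET requests to the login URL from one source, each carrying a different credential pair. The following is an added example, not part of the original post: it counts distinct pairs per source address instead of request rate, since the command above runs a single task (`-t 1`). The combined log format, the HTTP 200 status for every response, the threshold and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

LOGIN_PATH = "/cs57eb2e1b/config/System.xml"  # login URL from the article
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3}) ')

# Constructed sample lines (combined log format); not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Aug/2015:10:00:01 +0000] "GET /cs57eb2e1b/config/System.xml?action=login&user=admin&password=admin HTTP/1.1" 200 412',
    '192.0.2.10 - - [20/Aug/2015:10:00:31 +0000] "GET /cs57eb2e1b/config/System.xml?action=login&user=admin&password=password HTTP/1.1" 200 412',
    '198.51.100.7 - - [20/Aug/2015:10:00:40 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '192.0.2.10 - - [20/Aug/2015:10:01:01 +0000] "GET /cs57eb2e1b/config/System.xml?action=login&user=admin&password=1234 HTTP/1.1" 200 412',
    '198.51.100.7 - - [20/Aug/2015:10:01:10 +0000] "GET /cs57eb2e1b/config/System.xml?action=login&user=operator&password=Sumer2015 HTTP/1.1" 200 412',
    '192.0.2.10 - - [20/Aug/2015:10:01:31 +0000] "GET /cs57eb2e1b/config/System.xml?action=login&user=root&password=root HTTP/1.1" 200 412',
    '198.51.100.7 - - [20/Aug/2015:10:01:40 +0000] "GET /cs57eb2e1b/config/System.xml?action=login&user=operator&password=Summer2015 HTTP/1.1" 200 655',
    '192.0.2.10 - - [20/Aug/2015:10:02:01 +0000] "GET /cs57eb2e1b/config/System.xml?action=login&user=root&password=toor HTTP/1.1" 200 412',
]

def login_attempts(lines):
    """Yield (source_ip, user, password) for each GET to the login URL."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a GET request or not in the assumed log format
        ip, target, _status = m.groups()  # status ignored: failures also return a page
        url = urlsplit(target)
        qs = parse_qs(url.query, keep_blank_values=True)
        if url.path != LOGIN_PATH or qs.get("action") != ["login"]:
            continue
        yield ip, qs.get("user", [""])[0], qs.get("password", [""])[0]

def suspected_guessing(lines, max_pairs=3):
    """Return {ip: count of distinct credential pairs} for sources above max_pairs."""
    pairs = defaultdict(set)
    for ip, user, password in login_attempts(lines):
        pairs[ip].add((user, password))
    return {ip: len(seen) for ip, seen in pairs.items() if len(seen) > max_pairs}

if __name__ == "__main__":
    for ip, count in suspected_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct credential pairs against {LOGIN_PATH}")
```

Because this login form submits credentials in the query string, every guessed and every valid password is also written to the access log, so those logs need the same protection as the credentials themselves.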

