
How brute-force attacks are used to break into a target Web server

2025-03-26 Update From: SLTechnology News&Howtos (shulou), Network Security

Shulou (Shulou.com) 05/31 Report

This article explains how brute-force attacks are used to break into a target Web server. It is quite detailed and has reference value; interested readers are encouraged to read it.

Foreword

In many real-world intrusions, attackers get into the target system by brute-force cracking, exploiting weak passwords and poor password-management practices. Web applications and Web services are particularly exposed to password brute-force attacks because they are easy to reach remotely and exist in great numbers and variety. This article walks through several types of brute-force attacks against Web applications from the attacker's point of view.

Note: the attack paths are demonstrated with open-source Web security tools that are readily available online, such as the AppBandit Attack Proxy and the Fuzzer from the OnlineSuite.

Basic authentication

In the early days of the Internet, basic authentication (along with Digest authentication, NTLM and the like) was a widely used authentication standard. Its security is clearly no longer adequate, yet many developers still use it to protect key endpoints such as router management interfaces and Web services. It is popular mainly because it is trivial to implement: the client sends a specially constructed Authorization header containing the username and password encoded in base64.

Next we build a brute-force attack against basic authentication. Open the Fuzzer in AppBandit (or the Fuzzer from the online suite) and configure the relevant parameters. First set up the Authorization header and add the basic authentication option.

We pick usernames from known accounts and password lists from well-known dictionaries.

Neither AppBandit nor Fuzzer ships with its own dictionary files, but both can load external ones. Drag a dictionary file into the tool window and the list of commonly used dictionaries becomes available.

Set the maximum number of parallel requests to more than 60 and reduce the timeout to about 5 seconds; this improves the efficiency of the attack. After that, watching the response codes in the console shows which password was cracked.

Authentication based on PIN code

Many applications, especially mobile apps, use PIN-based authentication with codes of only 4 to 6 digits. Two-factor authentication (2FA) schemes that send a token by e-mail or SMS fall into the same category. The entropy of a PIN is clearly very low, so brute-forcing it is not hard, whether the guesses are made in numerical order or at random.

Next we attack a hypothetical JSON service. First we configure a valid service request; then, in the request body, the PIN generator has to be encoded correctly, so a JSON encoder is used to reference the generated values. Finally, the PIN must be padded to the correct length.

The pad object that populates the data is a simple loop counter (0-9999). Because the valid PIN here is 4 digits, the counter value is padded with leading zeros to make a 4-digit PIN; the same technique produces 6- or 8-digit PINs.

Configure the number of requests and reduce the timeout as needed. Unlike brute force against basic authentication, this type of attack has to be tailored to the characteristics of the target application.
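The defender's side of the PIN scenario above, as an added example that is not code from the article or from any tool it mentions: a 4- to 6-digit code has a keyspace of 10^4 to 10^6, so the only thing that keeps it safe is a hard cap on guesses per account. The `PinVerifier` class, its policy values (5 attempts, 15-minute lockout) and the account names are assumptions made for this example; the entropy and success-probability helpers show why the cap matters.

```python
import hmac
import math
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical server-side PIN verifier written for this article; it is not code from
# AppBandit or any tool the article mentions. A PIN or SMS/e-mail 2FA code has a tiny
# keyspace, so the defence is to bound the number of guesses, not to hope for entropy.


def pin_keyspace(digits: int) -> int:
    """Number of possible all-numeric PINs of the given length (0000..9999 for 4)."""
    return 10 ** digits


def pin_entropy_bits(digits: int) -> float:
    """Entropy of a uniformly chosen PIN: about 13.3 bits for 4 digits, 19.9 for 6."""
    return math.log2(pin_keyspace(digits))


def guess_success_probability(digits: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses (sequential or random without repeats)
    hit a uniformly chosen PIN. Without an attempt cap this reaches 1.0 at 10**digits."""
    return min(1.0, attempts / pin_keyspace(digits))


@dataclass
class PinVerifier:
    """Per-account failure counter with lockout. Policy values are illustrative."""
    max_attempts: int = 5
    lockout_seconds: float = 900.0
    # account -> current PIN (kept in clear here for brevity; store a hash in production)
    _pins: Dict[str, str] = field(default_factory=dict)
    _failures: Dict[str, int] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def set_pin(self, account: str, pin: str) -> None:
        self._pins[account] = pin
        self._failures.pop(account, None)

    def issue_pin(self, account: str, digits: int = 4) -> str:
        # Zero-padded so that "0042" is a valid code; secrets (not random) for OTP-style codes.
        pin = f"{secrets.randbelow(pin_keyspace(digits)):0{digits}d}"
        self.set_pin(account, pin)
        return pin

    def verify(self, account: str, candidate: str, now: Optional[float] = None) -> str:
        """Return "ok", "denied" or "locked". `now` is injectable for testing."""
        now = time.time() if now is None else now
        if self._locked_until.get(account, 0.0) > now:
            return "locked"
        expected = self._pins.get(account, "")
        # Constant-time comparison on bytes so timing does not leak matching prefixes;
        # a wrong-length candidate simply compares unequal.
        if expected and hmac.compare_digest(expected.encode(), candidate.encode()):
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_attempts:
            # Lock the account: an attacker now gets at most max_attempts guesses per
            # lockout window, whatever the keyspace. For one-time 2FA codes the code
            # itself should also be discarded here and a fresh one issued later.
            self._locked_until[account] = now + self.lockout_seconds
            self._failures.pop(account, None)
            return "locked"
        return "denied"
```

With the assumed policy, an attacker who guesses a 4-digit PIN sequentially has a 5/10000 chance of success before the account locks, instead of certainty after at most 10000 requests.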

Form-based authentication

Form-based authentication is the most common authentication scheme on the Web today. Almost every PHP application implements some form of it, and most implementations are not secure. To mount a brute-force attack against form authentication, we first need the parameters the target application expects; these can be captured with AppBandit Proxy or a tool such as HTTPView.

Here we can change our approach slightly: instead of testing one account against many passwords, we test a large number of accounts against a small set of common passwords. We then set up a user-list generator, first defining a few variables to make the attack more configurable.

We now use several dictionaries (mostly from seclists) and generate e-mail addresses dynamically, which in fact lets us attack multiple domains at the same time.

Now we add a hundred commonly used passwords (from another seclists dictionary) and run the attack.

In a real attack scenario you should also watch the responses in the console, because in many cases a successful login can be recognised by a valid session cookie in the response.
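The two attack shapes described on this page, one account against many passwords (the basic-authentication section, where the article watches response codes) and many accounts against a few passwords (the form section just above), leave distinct traces, and the following added detection example is not code from the article, AppBandit, Fuzzer or seclists. It runs a sliding-window detector over a constructed, hypothetical authentication log in a "ts src user outcome" format; in practice the events would be derived from 401 responses in the Web server log (basic auth) or from the application's login audit log (form auth). The thresholds, addresses and account names are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Tuple

# Added example for this article (not code from AppBandit, Fuzzer or seclists): a
# sliding-window detector for vertical brute force (one source, one account, many
# failures) and password spraying (one source, many accounts, few failures each).


@dataclass(frozen=True)
class AuthEvent:
    ts: float      # epoch seconds
    src: str       # client address
    user: str      # account that was tried
    ok: bool       # True on successful authentication


def parse_events(lines: Iterable[str]) -> List[AuthEvent]:
    """Parse the constructed log format; blank lines and '#' comments are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, user, outcome = line.split()
        events.append(AuthEvent(float(ts), src, user, outcome == "success"))
    return events


Alert = Tuple[str, str, str, int]  # (kind, src, user, count)


def detect(events: Iterable[AuthEvent], window: float = 60.0,
           max_failures_per_account: int = 10, max_accounts_per_src: int = 5) -> List[Alert]:
    """Flag (a) one source failing repeatedly against one account ("bruteforce") and
    (b) one source failing against many distinct accounts ("spray"), each counted over
    a trailing `window` of seconds. Each (kind, src, user) fires at most once."""
    failures: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
    accounts: Dict[str, Dict[str, float]] = defaultdict(dict)  # src -> {user: last failure}
    fired = set()
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ok:
            continue  # only failures feed the counters
        q = failures[(ev.src, ev.user)]
        q.append(ev.ts)
        while q[0] < ev.ts - window:  # q is non-empty: we just appended
            q.popleft()
        if len(q) >= max_failures_per_account and ("bruteforce", ev.src, ev.user) not in fired:
            fired.add(("bruteforce", ev.src, ev.user))
            alerts.append(("bruteforce", ev.src, ev.user, len(q)))
        seen = accounts[ev.src]
        seen[ev.user] = ev.ts
        for stale in [u for u, t in seen.items() if t < ev.ts - window]:
            del seen[stale]
        if len(seen) >= max_accounts_per_src and ("spray", ev.src, "*") not in fired:
            fired.add(("spray", ev.src, "*"))
            alerts.append(("spray", ev.src, "*", len(seen)))
    return alerts


# Constructed sample: a normal user who mistypes once, one source hammering "admin"
# with a password list, and one source trying a single password against five accounts.
SAMPLE_LINES = [
    "# ts src user outcome",
    "1000 203.0.113.7 alice failure",
    "1005 203.0.113.7 alice success",
    *[f"{1010 + i} 198.51.100.20 admin failure" for i in range(10)],
    "1030 192.0.2.44 alice failure",
    "1031 192.0.2.44 bob failure",
    "1032 192.0.2.44 carol failure",
    "1033 192.0.2.44 dave failure",
    "1034 192.0.2.44 erin failure",
]


def run_sample() -> List[Alert]:
    return detect(parse_events(SAMPLE_LINES))


if __name__ == "__main__":
    for kind, src, user, count in run_sample():
        print(f"{kind:<10} src={src:<15} user={user:<6} count={count}")
```

The spraying case is the one a per-account lockout alone misses: each account sees a single failure, so only the per-source count of distinct accounts reveals it, which is why both counters are kept.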

Summary

At present no security system can fully resist this kind of attack, because attackers have many ways to brute-force passwords. Frankly, as long as we keep using passwords we are not safe. Two-factor authentication is currently a relatively secure scheme, but it is usually only an optional feature, as noted above, and in some cases 2FA can also be bypassed.
