HTTP Brute-Forcing Tools

HTTP Brute-Forcing Tools

As we mentioned earlier, of the many tools available tools for brute forcing HTTP authentication, our two favorites are Brutus and WebCracker. Both are incredibly fast, using multiple threads for simultaneously trying a number of username and password combinations on a Web site. Recall that HTTP is one of the easiest protocols to break with brute force because most popular Web servers are designed to handle a large volume of HTTP requests. Brutus and WebCracker can exhaust a long list of usernames and passwords in a matter of hours or even minutes.

Brutus

Available from http://www.hoobie.net/brutus/, Brutus runs on Windows. Actually, it is a multiprotocol brute forcer, not restricted to HTTP. Among other protocols, Brutus can perform FTP, telnet, POP3, and SMB brute forcing.

Figure 9-15 shows Brutus's main screen. Parameters such as the number of simultaneous connections, time-out values, HTTP methods, and HTTP port number can be configured by the user.

Figure 9-15. Brutus

graphics/09fig15.gif

However, Brutus, cannot perform HTTP brute forcing via an HTTP proxy server. The Use Proxy check box actually enables the use of Brutus through a SOCKS proxy, not an HTTP proxy.

An interesting feature of Brutus is its ability to permute password strings, based on a few simple permutation rules, to generate commonly used password combinations. Figure 9-16 shows Brutus's word list generation dialog box.

Figure 9-16. Brutus's word list generation features

graphics/09fig16.gif

WebCracker 4.0

WebCracker 4.0 is available at http://packetstormsecurity.org/Crackers/WebCrack40.zip. It is exclusively an HTTP brute forcer and allows brute forcing over an HTTP proxy server.

Figures 9-17 and 9-18 show WebCracker configured for performing the same brute force attack that Mallory used against Acme Travel, Inc. brute forcing the Web server running on http://10.3.2.1/, using http://10.3.2.1:8001/ as the proxy server.

Figure 9-17. WebCracker brute forcing over an HTTP proxy server

graphics/09fig17.gif

Figure 9-18. Configuring HTTP proxy server settings in WebCracker

graphics/09fig18.gif

When WebCracker is started, it shows a list of threads and the usernames and passwords being tried. Upon finding a successful combination, WebCracker halts and displays the result, as shown in Figure 9-19.

Figure 9-19. WebCracker cracking an account successfully

graphics/09fig19.gif

 



Web Hacking(c) Attacks and Defense
Web Hacking: Attacks and Defense
ISBN: 0201761769
EAN: 2147483647
Year: 2005
Pages: 156

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net