Brute Force - TairinySimeonato/WebAuditing GitHub Wiki
- The end goal is to gain access to a site or server protected by a password by trying character combinations until the correct password is found
- These attacks are usually sent via GET and POST requests to the server
- When a web application has no password policy, an attacker can use lists of common usernames and passwords to brute force until authentication succeeds
Password Length and Complexity
The longer and more complex a password is (that is, the more it mixes special characters, numbers and upper- and lowercase letters), the longer it takes an attacker to discover it.
Limit Login Attempts
If a web app receives a certain number of failed login attempts, it should block that IP for a period of time to stop further attempts being made. The goal here is also to delay the attacker's discovery of the password.
Using Captcha
A captcha prevents bots from executing automated login scripts.
Two Factor Authentication
2FA is a verification process that adds one more layer of credential confirmation to the login process. It requires a second piece of information, in addition to the username and password, that can only be provided by the authorized individual.
Cloudflare
The Cloudflare Firewall contains a Protect Your Login button that creates a rule protecting login pages against brute force attacks. Clients trying to log in more than 5 times in 5 minutes will be blocked for 15 minutes.
For users, there are some more ways to prevent brute force:
- Unique password for each account
- Frequent password change
- Avoid sharing credentials through insecure channels
- An attacker's script can defeat a password-based authentication system
- Disclosure of private/personal information
- Administration panels - admins can modify, delete and add web application content, manage user provisioning, assign different privileges to users, etc.
- Availability of further attack vectors - the site can contain hidden pages with functionality not exposed to users, and those pages can contain vulnerabilities
- DoS - risk of flooding the site with unnecessary traffic
First of all, it is important to find out the type of authentication method used by the application.
The two most commonly seen methods are:
- HTTP Authentication:
  - Basic Access Authentication
  - Digest Access Authentication
- HTML Form-based Authentication
HTTP Authentication
There are two forms of HTTP access authentication: Basic and Digest.
- Basic Access Authentication
Basic authentication assumes clients present a username/password pair to be authenticated to the web page.
Steps:
- Client sends a request to a server
- Server determines that the page should only be served to authenticated users
- Server sends a response with an HTTP 401 Authorization Required status and a “WWW-Authenticate” header, containing the value “Basic” and the realm name of the protected area
- Browser shows username/password input fields to the user
- Client resubmits the HTTP request with credentials included. The request contains an “Authorization” header with the value “Basic” followed by the base64 encoding of the username, a colon, and the password
- Server compares the information provided by the user with its database
- If the credentials are right, the client is able to access the page content
- If the credentials fail, the server resends the HTTP 401 Authorization Required response
The attacker can obtain the credentials either by sniffing the connection and simply base64-decoding the value of the Authorization header, or by a brute force attack if intercepting the connection isn't possible.
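Both sides of the Basic exchange described above, as an added example that is not part of the original wiki page: the client builds the header, and the server decodes it, re-sends the 401 challenge when it is missing or wrong, and compares against a salted PBKDF2 store (the hashed store and the `Protected Area` realm name are assumptions). The decode step also shows why a sniffed header is as good as the plaintext password.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional, Tuple

DUMMY_SALT, DUMMY_HASH = b"\x00" * 16, b"\x00" * 32  # so unknown users cost the same time as wrong passwords

def make_basic_header(username: str, password: str) -> str:
    # Client side: base64(username ":" password), exactly as the steps above describe
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an Authorization header into (username, password), or None if absent/malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: usernames cannot contain ':' but passwords may
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password

def password_hash(password: str, salt: bytes) -> bytes:
    # Server-side credential store (assumption): salted PBKDF2-HMAC-SHA256, never plaintext
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def handle_request(header: Optional[str], users: Dict[str, Tuple[bytes, bytes]],
                   realm: str = "Protected Area") -> Tuple[int, Dict[str, str]]:
    """Server side: returns (status, headers) following the 401 / 200 flow above."""
    challenge = {"WWW-Authenticate": f'Basic realm="{realm}"'}
    creds = parse_basic_authorization(header)
    if creds is None:
        return 401, challenge  # no usable credentials: challenge the client
    username, password = creds
    record = users.get(username)
    salt, stored = record if record is not None else (DUMMY_SALT, DUMMY_HASH)
    computed = password_hash(password, salt)  # always computed: constant cost per attempt
    if record is not None and hmac.compare_digest(computed, stored):
        return 200, {}
    return 401, challenge  # wrong credentials: the server re-sends the challenge
```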
- Digest Access Authentication
Digest adds some extra security layers compared to Basic Access Authentication. It uses MD5 (a one-way cryptographic hash function) to protect the authentication data and adds a "single use" nonce value set by the web server. The nonce is used to avoid replay attacks. The password is hashed together with the nonce rather than sent directly, while the username is sent in clear text.
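The Digest computation and the server-side nonce check, as an added example that is not from the original page: it uses the qop=auth form of RFC 2617 (which adds a client nonce and request counter beyond what the text mentions), shows that only a hash bound to the server's nonce crosses the wire, and rejects a second use of the same nonce, which is how the replay protection described above works. The user/realm/password values in the test are the RFC 2617 example values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set

def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password). The server can store HA1 instead of the password.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    # qop=auth form: response = MD5(HA1:nonce:nc:cnonce:"auth":HA2), with HA2 = MD5(method:uri)
    # The password itself never travels; only this hash, bound to the server's nonce, does.
    h2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{h2}")

class DigestVerifier:
    """Server side: issues single-use nonces and checks client responses against them."""

    def __init__(self, realm: str, users: Dict[str, str]):
        self.realm = realm
        self.ha1_by_user = {u: ha1(u, realm, p) for u, p in users.items()}
        self.issued: Set[str] = set()  # nonces handed out but not yet consumed

    def new_nonce(self) -> str:
        nonce = secrets.token_hex(16)  # sent in the WWW-Authenticate challenge
        self.issued.add(nonce)
        return nonce

    def verify(self, username: str, method: str, uri: str, nonce: str,
               nc: str, cnonce: str, response: str) -> bool:
        if nonce not in self.issued:
            return False  # unknown or already used nonce: a replayed capture fails here
        self.issued.discard(nonce)  # single use, as the text describes
        h1 = self.ha1_by_user.get(username)
        if h1 is None:
            return False
        expected = digest_response(h1, method, uri, nonce, nc, cnonce)
        return hmac.compare_digest(expected, response)
```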
HTML Form-Based Authentication
Users supply a username and password in an HTML form and submit them to log in to a page. With HTML form-based authentication, HTTP authentication features such as HTTP Basic or HTTP Digest are not used. Instead, the username and password are typically sent as HTML form data in an HTTP POST over SSL:

```html
<form method="POST" action="login">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
```
- A client requests access to a password protected website.
- Server redirects the client to a login page.
- Client submits the login form to the server.
- Server attempts to authenticate the user.
- If authentication succeeds, the server checks that the user is authorized to access the page. If the user is authorized, the server redirects the user to the page.
- If authentication fails, the client is forwarded or redirected to an error page.
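The login-form steps above (submit, authenticate, redirect or error page) together with the Limit Login Attempts countermeasure, as an added example that is not part of the original page: the handler enforces the Cloudflare numbers quoted earlier (5 failures in 5 minutes, 15-minute block) with a sliding window per client IP. Applying the rule per IP, the PBKDF2 credential store and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple

# Lockout policy taken from the Cloudflare rule above; applying it per client IP is an assumption
MAX_FAILURES, WINDOW_SECONDS, BLOCK_SECONDS = 5, 300, 900

def hash_password(password: str, salt: bytes) -> bytes:
    # Stored credential form (assumption): salted PBKDF2-HMAC-SHA256, never the plaintext password
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class FormLogin:
    def __init__(self, users: Dict[str, Tuple[bytes, bytes]], clock: Callable[[], float] = time.time):
        self.users = users    # username -> (salt, hash); a constructed store for the example
        self.clock = clock    # injectable so the lockout can be exercised without waiting
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}

    def is_blocked(self, ip: str) -> bool:
        return self.clock() < self.blocked_until.get(ip, 0.0)

    def record_failure(self, ip: str) -> None:
        now = self.clock()
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:  # keep only the last 5 minutes
            window.popleft()
        if len(window) >= MAX_FAILURES:                      # 5 failures: block for 15 minutes
            self.blocked_until[ip] = now + BLOCK_SECONDS
            window.clear()

    def post_login(self, ip: str, username: str, password: str) -> Tuple[int, str]:
        """Steps 3-6 above: submit, authenticate, then redirect to the page or to an error page."""
        if self.is_blocked(ip):
            return 429, "/error"  # refused even with the right password until the block expires
        record = self.users.get(username)
        if record is not None and hmac.compare_digest(hash_password(password, record[0]), record[1]):
            return 302, "/protected"
        self.record_failure(ip)
        return 302, "/error"
```

A block keyed on the source IP alone can lock out everyone behind a shared NAT and does nothing against attempts spread across many addresses, so in practice it is paired with a per-account counter.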
Dictionary Attack
Automated scripts and tools try to guess usernames and passwords from a dictionary file. Example: dirb
Search Attack
Tries to cover all possible combinations of a given character set and a given password length range. Very slow due to the number of possible combinations.
Rule-based Search Attack
The attacker knows which rules the passwords on a website are based on. Example: John the Ripper and PasswordsPro
Hydra
Burp Suite
- Brute force tools - WFuzz, OWASP DirBuster and
- Vulnerability scanners - Nessus, Nikto, Acunetix, etc.