
HTTP Form Password Brute Forcing - The Need for Speed

[Category: Development (PHP) | Posted by 店小二05 | 2016 | Author: 红领巾]

HTTP Form password brute forcing is not rocket science, you try multiple username/password combinations until you get a correct answer (or non-negative answer).

Password brute forcing, especially over a network, takes time and while your software is attempting to find a correct username/password combination it is taking up your and the remote system's resources. While the brute force is being carried out you might not want to run an automated scan, for example, as the remote server may not be able to cope with the amount of connections or the rapid succession of connections. At the same time, your network bandwidth and system memory are also limited. It makes sense that when you conduct a weak password brute force it is done as fast as possible so that your time and resources are restored for other tasks.

And of course, you're always going to be limited by time on a pentest/web app assessment, as the client's budget is never unlimited.

So what is the fastest way to brute force an HTTP form today? I use Burp Suite for my Web Application Security Assessments and I would normally use Burp's Intruder, but is this the fastest tool to do it with?

Of course, there are other limiting factors when brute forcing remotely, such as your Internet/network speed, CPU speed, RAM and the remote system's response times, among others. For this experiment we'll only be focusing on the software used to carry out the password brute force attack. This is far from being a perfect in-depth study, but it should hopefully give an idea of which tool out of my small collection (Burp Intruder Sniper vs Hydra http-post-form) is fastest.

The Setup

On both tools I set one user to brute force, admin, and used the rockyou-75.txt wordlist (19963 lines) with one addition: the correct password, appended as the last line of the file. The same username and password list were used for Burp's Intruder (Sniper) and Hydra. Each tool was run one after the other, not at the same time.

Burp Suite Professional Intruder (Sniper) Version: 1.5.11

Hydra (http-post-form) Version: 7.4.2

A "Local" test was carried out on a localhost Apache 2 web server as well as a "Remote" test against the www.ethicalhack3r.co.uk Nginx web server.

The Test Form that I created to test against (both locally and remotely) does not make a database call which is what would normally be expected on a real HTTP login form. I'd expect my test login form to reply quicker than if it had to make a database call. The 'Local' and 'Remote' columns represent the time it took the tool to find the correct password which was at the end of the wordlist.

The Results

The first test was done with Hydra's and Burp's default task/thread settings: by default Hydra uses 16 tasks and Burp's Intruder uses 5 threads.


[Image: results table, default settings (Hydra 16 tasks, Burp Intruder 5 threads), Local and Remote columns]

As you can see from the above table, Hydra vastly outperforms Burp when using the default settings both locally and remotely.

The second test was done with Burp's threads set to 16, to match Hydra's default tasks setting.


[Image: results table, Burp Intruder at 16 threads vs Hydra at 16 tasks, Local and Remote columns]

The above table gives some unexpected results. Locally Hydra vastly outperforms Burp, but remotely Burp vastly outperforms Hydra.

It looks as though to get the most out of my remote HTTP form password brute forcing I should be using Burp's Intruder and changing the default 5 threads to something higher, like 16 (depending on how the remote server handles the attack). Of course, this is not conclusive evidence of which tool is faster, given the many variables involved. If you get different results let me know! As Hydra is a dedicated password brute forcing tool, I did expect it to outperform Burp's Intruder, since Burp is an all-round Web Application Security Assessment tool. This doesn't mean I won't be using Hydra to brute force other services, FTP for example. The Hydra developers have done a comparison themselves using FTP and SSH which shows Hydra as the fastest of several tools for those services; the comparison can be found at the bottom of this page.

WordPress

Recently there was a spike in WordPress brute force attacks; here is a table comparing Hydra, Burp's Intruder and WPScan's bruter against local and remote WordPress installs.


[Image: results table, WordPress login: Hydra vs Burp Intruder vs WPScan, Local and Remote columns]

WPScan came in behind Burp's Intruder but in front of Hydra's http-post-form module in both local and remote tests. If you're going to brute force WordPress and you are determined (using a large list) you may want to use Burp Suite Professional's Intruder tool, otherwise use WPScan. ;)

If you compare this table against the Test Form table, you can see the difference the login form itself makes to the time a brute force takes to complete. In Hydra's case, the difference is significant.
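Whichever tool wins, a run at 16 tasks or 16 threads hits the login form many times per second, and that rate is the signal a defender sees in the web server access log. The following is an added example, not code from the original post: a Python script that parses constructed Apache/Nginx combined-format log lines and flags any client whose POSTs to the post's two login endpoints (/login.php and /wp-login.php) exceed a threshold within a sliding time window; the endpoints, client addresses, window and threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/Nginx "combined" log format: client, ident, user, [timestamp], "request", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Assumed login endpoints: the post's test form and the WordPress login form.
LOGIN_PATHS = {"/login.php", "/wp-login.php"}

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string before matching
        "status": int(m["status"]),
    }

def detect_bursts(lines, window=10, threshold=20):
    """Return {ip: peak number of login POSTs inside any `window`-second span} for
    every client whose peak reaches `threshold`. Lines are assumed to be in log order."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    peaks = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window:   # slide the window forward
            q.popleft()
        peaks[rec["ip"]] = max(peaks[rec["ip"]], len(q))
    return {ip: n for ip, n in peaks.items() if n >= threshold}

def make_sample_log():
    """Constructed sample lines (not real traffic): one client sends 24 POSTs to
    /wp-login.php within three seconds, another client logs in once normally."""
    lines = [
        f'203.0.113.7 - - [12/Apr/2013:10:00:{i // 8:02d} +0000] '
        f'"POST /wp-login.php HTTP/1.1" 200 3492 "-" "Mozilla/5.0"'
        for i in range(24)
    ]
    lines.append('198.51.100.4 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines
```

Running `detect_bursts(make_sample_log())` reports only the hammering client with its peak of 24 login POSTs; a real deployment would feed it the live access log and tune the window and threshold to the site's normal login traffic.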

Hydra Commands Used in Testing

Local at default tasks:

$ hydra -l admin -P ~/Tools/wordlists/rockyou-75.txt 127.0.0.1 http-post-form "/login.php:username=^USER^&password=^PASS^&submit=Submit:Incorrect"

Remote at default tasks:

$ hydra -l admin -P ~/Tools/wordlists/rockyou-75.txt www.ethicalhack3r.co.uk http-post-form "/files/misc/login.php:username=^USER^&password=^PASS^&submit=Submit:Incorrect"

Local WordPress (Hydra did not report that it had found the valid password, apparently due to a WordPress infinite-redirect issue; it did actually authenticate):

$ hydra -l admin -P ~/Tools/wordlists/rockyou-75.txt 127.0.0.1 http-post-form "/wordpress/wordpress-351/wp-login.php:log=^USER^&pwd=^PASS^:login_error"

WPScan Commands Used in Testing

WPScan command used (local):

$ ./wpscan.rb -u http://127.0.0.1/wordpress/wordpress-351/ -U admin -w ~/Tools/wordlists/rockyou-75.txt -t 16

WPScan command used (remote):

$ ./wpscan.rb -u www.REDACTED.com -U admin -w ~/Tools/wordlists/rockyou-75.txt -t 16

Source link: http://www.codesec.net/view/482839.html