
Easy, breezy, beautiful, password attacking…


Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Mon Mar 15, 2010 5:05 pm

Easy, breezy, beautiful, password attacking…

Small post from my site =)

Bruting web forms usually is part of a web app assessment. We love to use Hydra, Medusa, or Wfuzz for this but we recently stumbled across a tool that makes it much easier. It's called Fireforce. It's a Firefox extension that gives you point and click bruting.

We ran it in our labs with about a 74% success rate, meaning it mapped the parameters for web form logins correctly and gave us the correct password back (aka it didn't spaz out and kill our browser). So it isn't perfect, but we're willing to forgive that for its ease of use. It's dead simple. Give it a username, right click in the form password field, give it the text the login form gives on an unsuccessful login, and a bruteforce list. Make sure to read the documentation as you'll need to use a separate Firefox profile if you wish to browse while using the tool (it's a mem/cpu hogger). *note* We haven't done a code analysis on the extension, use at your own risk in your lab.

Also, yesterday we tweeted about Ron Bowes of Skullsecurity.com's password analysis and password list collection which are much win. Ron has done some data analysis on some of the leaked password lists of the last few years like RockYou, MySpace, and PhpBB. He also stores the default password lists of many common industry tools, and even the passwords Conficker used to spread. I'd grab these lists if you don't already have them; who knows how long they will stay up.

Remember, password bruteforcing is great as long as you don't DoS the application/server. Also remember just because it's a web form doesn't mean it's not tied to another backend system (LDAP, etc.), so be aware you could lock out users.

Also you might wanna check out our writeup a bit back on password attacks here.

Get Fireforce Here

Get Password Lists Here

Catch Ron on twitter: @iagox86
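The lockout/DoS concern in the post cuts both ways: from the server side, a Fireforce-style run shows up as a burst of POSTs to the login form from one client. As an added example (not from the post or the Fireforce project), this Python detector flags source IPs whose failed login POSTs pile up inside a sliding time window. It assumes constructed Apache-style access-log lines in which a failed login re-serves the form with HTTP 200 (the error text the post mentions) and a successful login redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (Apache combined style); not from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2010:17:05:01 +0000] "POST /login HTTP/1.1" 200 1423
10.0.0.5 - - [15/Mar/2010:17:05:02 +0000] "POST /login HTTP/1.1" 200 1423
10.0.0.5 - - [15/Mar/2010:17:05:02 +0000] "POST /login HTTP/1.1" 200 1423
10.0.0.5 - - [15/Mar/2010:17:05:03 +0000] "POST /login HTTP/1.1" 200 1423
10.0.0.5 - - [15/Mar/2010:17:05:04 +0000] "POST /login HTTP/1.1" 200 1423
10.0.0.5 - - [15/Mar/2010:17:05:05 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.9 - - [15/Mar/2010:17:05:07 +0000] "POST /login HTTP/1.1" 200 1423
10.0.0.7 - - [15/Mar/2010:17:05:08 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [15/Mar/2010:17:09:30 +0000] "POST /login HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')

def parse_line(line):
    # Returns (ip, timestamp, method, path, status) or None for unparseable lines.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['method'], m['path'], int(m['status'])

def detect_bruteforce(lines, path='/login', window_s=60, threshold=5):
    """Return {ip: peak_failures} for IPs whose failed login POSTs (assumed to be
    status 200, i.e. the form re-served with its error text) reach `threshold`
    inside any `window_s`-second sliding window. Lines must be in time order."""
    recent = defaultdict(deque)   # per-IP timestamps of recent failures
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, req_path, status = rec
        if method != 'POST' or req_path != path or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop stale entries
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

Run `detect_bruteforce(SAMPLE_LOG.splitlines())` to see only 10.0.0.5 flagged; a real deployment would also key on the submitted username to catch one client spraying many accounts, which is exactly the lockout scenario the post warns about.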

zeroflaw

Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Mon Mar 15, 2010 5:15 pm

Re: Easy, breezy, beautiful, password attacking…

Sounds good, I'll try this out. Also found a couple of good password lists on the Skullsecurity blog. Thanks 8)
ZF

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Mar 16, 2010 3:57 am

Re: Easy, breezy, beautiful, password attacking…

Thanks for the write-up, Jhaddix. Currently playing around with Fireforce in my lab, works fine so far. :)

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Tue Mar 16, 2010 4:57 am

Re: Easy, breezy, beautiful, password attacking…

I guess the banned password list from Twitter is already in there... I must say those lists are a gift from the devil himself 8)
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
