Brute Force Web Logins

What Is a Brute Force Attack? | Kaspersky
https://www.kaspersky.com/resource-center/definitions/brute-force-attack

If you have a login page that is reachable over the internet, at some point it’s going to get attacked. The reason is that it can be extremely easy for attackers to do so.

Let’s run through an example. Let’s use one of the many techniques attackers use to find your login page. Here is a simple Dork that searches for admin login pages on the internet.

If you ran this yourself, you would see several pages of accessible admin login pages. If we click a random one, we would see something like this:

This looks very simple, and if MFA isn’t enabled in the background, it could most likely be brute forced to gain entry. To find out, you can use a tool called Burp Suite and review the traffic.

Instead of getting in trouble by brute forcing someone’s login page, let’s use a safer site. https://hackthissite.org gives us a perfect example.

If we review the POST request, you can see in the bottom right, that the username and password are passed to the server as: username=test&password=test

Now we know this, we can actually use Burp Suite to brute force this site using Intruder. Let’s run through an example. Say I knew test was the username but was unsure of the password. I could have Burp Suite try several passwords for me until it finds the right one. Simple but effective.

Once you’ve sent the traffic to Intruder, you can highlight the original password sent, which in this case is test, and click the Add$ button.

This tells Burp that this is the value that I want changing. We now need to give Burp the passwords we want to run through under the Payloads tab. In this example, we will use a simple list.

Here we add the values “Password1-3”. Now if I go back to the Positions page and click Start Attack, Burp will run through the passwords and return the HTTP status codes. I can then use these codes to see if the attack has been successful. Again, I won’t actually run this attack, but if you want to learn more, Burp has a lot of really useful information on its site.

If, like me, you don’t have the professional version, this method can be slow. If this is the case, there are more tools available, such as Hydra. Hydra is probably one of the most common tools used for brute forcing web applications and is preinstalled within Kali/Parrot OS.

GitHub: https://github.com/vanhauser-thc/thc-hydra

Hydra has multiple uses, but the one we will cover is a simple brute force attack.
Below is the command, which you can modify as needed:

hydra -L ./user.txt -P ./wordlist.txt mysite.com https-post-form "/admin/login:username=^USER^&password=^PASS^:F=fail"

Let’s break this down. The first section sets the location of the user and password wordlists. We are using both because we are unsure of any users.
-L ./user.txt -P ./wordlist.txt mysite.com

After the -L you need to put the location of the user list and after -P, the location of the password list. This is then followed by the URL we are attacking.

The next part depends on whether the form is served over port 80 (http) or 443 (https). Depending on which, set the value to either http-post-form or https-post-form.

Then comes the path of the login page on the server. In the example I gave above, it would be: /admin/login:

Next is how the POST request is passing the values we are attacking with. In this case, it’s the username and password. You will need to replace the original values with ^USER^ and ^PASS^ so that Hydra can replace these with values from your wordlists.

username=^USER^&password=^PASS^:

Now comes the error message: F=fail"
Hydra needs to know how to determine if it’s been successful or not. To do so, it needs to know when it’s failed. Normally, when you enter your password incorrectly, the site tells you by showing some text on the page such as “Failed, Wrong Password”. This is what we are after. As shown below, we can use the word Invalid.

Now we know the fail message, we can use F=Invalid" and we are done.

Once you have pieced this all together, simply run the command and Hydra will start the brute force attack. Hydra is extremely fast, and can run through 100s of attempts in seconds. If it is successful, you will see the username and password appear in green text.
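From the defender's side, a run like this appears in the web server access log as a burst of POSTs to the login path from one client. The following detector is an added example, not part of the original post; it assumes combined-format access logs, a login form that answers 200 on failure and 302 on success, and thresholds chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/admin/login"      # path from the Hydra command above
WINDOW = timedelta(seconds=10)   # assumed thresholds, tune to real traffic
MAX_POSTS = 5

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def detect(lines, fail_status=200):
    """Flag IPs that send MAX_POSTS or more login POSTs within WINDOW."""
    recent, flagged = defaultdict(deque), {}
    for rec in filter(None, map(parse, lines)):
        ip, ts, method, path, status = rec
        if method != "POST" or path != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:          # drop attempts older than the window
            q.popleft()
        if len(q) >= MAX_POSTS:
            flagged.setdefault(ip, {"peak": 0, "possible_success": []})
        if ip in flagged:
            hit = flagged[ip]
            hit["peak"] = max(hit["peak"], len(q))
            if status != fail_status:      # assumed: anything but 200 may be a success
                hit["possible_success"].append(ts.isoformat())
    return flagged

def sample_log():
    # Constructed log: one client sends 8 POSTs in 8 seconds, the last answered 302.
    lines = [f'203.0.113.7 - - [12/Mar/2024:10:00:{i:02d} +0000] '
             f'"POST /admin/login HTTP/1.1" {302 if i == 7 else 200} 512'
             for i in range(8)]
    lines.append('198.51.100.20 - - [12/Mar/2024:10:00:03 +0000] '
                 '"POST /admin/login HTTP/1.1" 302 0')
    return lines

if __name__ == "__main__":
    print(detect(sample_log()))
```

A flagged IP with a non-empty possible_success list is the case to triage first: the burst ended with a response that differs from the failure response.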

These are just a few of the techniques used in the wild. Remember, even if you enforce certain restrictions such as account lockouts, there is still a chance they could get it right. It also means a majority of your accounts may lock out, which could be troubling. Instead, look to enable controls such as MFA. This may not stop the brute force attack, as attackers can use HTTP response codes against you. If they are challenged by MFA, they can be sure that the username and password are correct. What MFA does prevent is the login itself: after a successful brute force, they still can’t log in.

Here are some other methods that can help:

  • Increase password length and complexity
  • Limit login attempts (before lockout)
  • Implement Captcha, or some sort of manual input to prevent scripting.
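One way to limit login attempts without the mass-lockout problem mentioned above is a growing delay per username and per source IP instead of a hard lock. This is an added sketch, not code from the original post; the class and function names, the three free attempts and the 300-second cap are assumptions for illustration.

```python
import time

class LoginThrottle:
    """Failures add a growing, capped wait instead of locking the account."""

    def __init__(self, base=1.0, cap=300.0, free_attempts=3, clock=time.monotonic):
        self.base, self.cap, self.free = base, cap, free_attempts
        self.clock = clock
        self.state = {}   # key -> (failure_count, earliest_next_attempt)

    def _keys(self, username, ip):
        # Track the account and the source separately, so both one-account
        # guessing and one-source spraying across accounts slow down.
        return (("user", username.lower()), ("ip", ip))

    def _delay(self, failures):
        if failures <= self.free:
            return 0.0
        return min(self.cap, self.base * 2 ** (failures - self.free - 1))

    def retry_after(self, username, ip):
        """Seconds the caller must still wait; 0.0 means the attempt may proceed."""
        now = self.clock()
        waits = [self.state.get(k, (0, 0.0))[1] - now
                 for k in self._keys(username, ip)]
        return max(0.0, *waits)

    def record(self, username, ip, success):
        now = self.clock()
        user_key, ip_key = self._keys(username, ip)
        if success:
            # Reset only the account counter: a client must not be able to
            # clear its IP penalty by logging in to an account it controls.
            self.state.pop(user_key, None)
            return
        for key in (user_key, ip_key):
            failures = self.state.get(key, (0, 0.0))[0] + 1
            self.state[key] = (failures, now + self._delay(failures))

def try_login(throttle, username, ip, password_ok):
    """password_ok is a callable standing in for the real credential check."""
    wait = throttle.retry_after(username, ip)
    if wait > 0:
        return ("throttled", wait)   # the password is not evaluated at all
    ok = password_ok()
    throttle.record(username, ip, ok)
    return ("ok", 0.0) if ok else ("denied", 0.0)
```

Because a throttled request never reaches the credential check, guesses sent during the wait reveal nothing, and the legitimate user is delayed by at most the cap rather than locked out.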

*No brute force attack was conducted on the sites above. Traffic was dropped, and the screenshots are only for educational purposes.
