Brute Force Attack - OWASP
5/12/2015 Brute force attack - OWASP
https://www.owasp.org/index.php/Brute_force_attack

Brute force attack
From OWASP

This is an Attack. To view all attacks, please see the Attack Category page.

Last revision (mm/dd/yy): 08/12/2013

Related Security Activities

How to Test for Brute Force Vulnerabilities
See the OWASP Testing Guide article on how to Test for Brute Force Vulnerabilities.
Description

A brute force attack can manifest itself in many different ways, but primarily consists of an attacker configuring predetermined values, making requests to a server using those values, and then analyzing the responses. For the sake of efficiency, an attacker may use a dictionary attack (with or without mutations) or a traditional brute force attack (over given classes of characters, e.g. alphanumerical, special, case (in)sensitive). Given the chosen method, the number of tries, the efficiency of the system conducting the attack, and the estimated efficiency of the system being attacked, the attacker is able to calculate approximately how long it will take to submit all chosen predetermined values.
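The "how long will it take" estimate the paragraph describes is a small calculation over the candidate set and the guess rate. The following is an added example (not code from the OWASP page) that carries it through from the defender's side: it sizes the candidate set for a traditional brute force run over the character classes the text names, or for a dictionary attack with mutations, and turns that into an expected duration at whatever guess rate the server allows. The character-class sizes are those of printable ASCII; the 8-character scenario at the bottom and the 10 guesses per second rate are constructed assumptions.

```python
import string

# Character classes named in the text; sizes are those of printable ASCII.
CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26 characters
    "uppercase": string.ascii_uppercase,   # 26
    "digits": string.digits,               # 10
    "special": string.punctuation,         # 32
}


def alphabet_size(classes, case_sensitive=True):
    """Size of the alphabet a guess is drawn from. When the target compares
    case-insensitively, upper and lower case collapse into one class, which
    is why the text lists case (in)sensitivity alongside the classes."""
    alphabet = set()
    for name in classes:
        chars = CHARACTER_CLASSES[name]
        if not case_sensitive:
            chars = chars.lower()
        alphabet.update(chars)
    return len(alphabet)


def keyspace_size(classes, min_len, max_len, case_sensitive=True):
    """Number of candidate values of length min_len..max_len; a traditional
    brute force run submits all of them in the worst case."""
    n = alphabet_size(classes, case_sensitive)
    return sum(n ** length for length in range(min_len, max_len + 1))


def dictionary_size(words, mutations_per_word=0):
    """Number of candidates in a dictionary attack: each base word plus the
    mutated variants derived from it (case changes, appended digits, ...)."""
    return len(words) * (1 + mutations_per_word)


def expected_seconds(candidates, guesses_per_second):
    """Expected time until the right value is submitted, assuming it sits at a
    uniformly random position in the candidate list: half the list on average."""
    return candidates / 2 / guesses_per_second


def describe(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed scenario: exactly 8 characters from lowercase + digits,
    # against a server that throttles to 10 guesses per second.
    ks = keyspace_size(["lowercase", "digits"], 8, 8)
    print(ks, "candidates,", describe(expected_seconds(ks, 10)), "expected")
```

Because the duration scales linearly with the guess rate, the two levers a defender controls directly are the rate (throttling, lockout) and the alphabet and length the policy enforces; the functions above make it easy to compare a proposed policy against a given rate limit.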
Risk Factors

Examples

Brute force attacks are often used for attacking authentication and for discovering hidden content/pages within a web application. These attacks are usually sent via GET and POST requests to the server. In regards to authentication, brute force attacks are often mounted when an account lockout policy (https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Account_Lockout) is not in place.

Example 1
A web application can be attacked via brute force by taking a wordlist of known pages, for instance from a popular content management system, and simply requesting each known page, then analyzing the HTTP response code to determine if the page exists on the target server.

DirBuster (https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project) is a tool that does exactly this.

Other tools for this type of attack are as follows:

dirb (http://sourceforge.net/projects/dirb/)
WebRoot (http://www.cirt.dk/tools/webroot/WebRoot.txt)

Dirb is capable of:

set cookies
add any HTTP header
use PROXY
mutate objects which were found
test http(s) connections
seek catalogues and/or files using defined dictionaries and templates
and much much more

The simplest test to perform is:

rezos@dojo ~/d/owasp_tools/dirb$ ./dirb http://testsite.test/

DIRB v1.9
By The Dark Raver

START_TIME: Mon Jul 9 23:13:16 2007
URL_BASE: http://testsite.test/
WORDLIST_FILES: wordlists/common.txt
SERVER_BANNER: lighttpd/1.4.15
NOT_EXISTANT_CODE: 404 [NOT FOUND] (Location: '' Size: 345)

Generating Wordlist...
Generated Words: 839

Scanning URL: http://testsite.test/
FOUND: http://testsite.test/phpmyadmin/ (***) DIRECTORY (*)
In the output the attacker is informed that the phpmyadmin/ directory was found. The attacker has now found a potential directory of interest within this application. Among dirb's templates there is, among others, a dictionary containing information about invalid httpd configurations. This dictionary will detect weaknesses of this kind.

The application WebRoot.pl (http://www.cirt.dk/tools/webroot/WebRoot.txt), written by CIRT.DK, has embedded mechanisms for parsing server responses and, based on the phrase specified by the attacker, measures whether the server response is the expected one.

For example:
./WebRoot.pl -noupdate -host testsite.test -port 80 -verbose -match "test" -url "/private/" -incremental lowercase -minimum 1 -maximum 1

oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00
o Webserver Bruteforcing 1.8 o
0 ************ !!!WARNING!!! ************ 0
0 ******* FOR PENETRATION USE ONLY ******* 0
0 ****************************************** 0
o (c) 2007 by Dennis Rand - CIRT.DK o
oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00

[X] Checking for updates - NO CHECK
[X] Checking for False Positive Scan - OK
[X] Using Incremental - OK
[X] Starting Scan - OK
GET /private/b HTTP/1.1
GET /private/z HTTP/1.1

[X] Scan complete - OK
[X] Total attempts 26
[X] Sucessfull attempts 1
oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00oo00

WebRoot.pl found one file, "/private/b", on testsite.test which contains the phrase "test".

Another example is to examine ranges of a variable's values:

./WebRoot.pl -noupdate -host testsite.test -port 80 -verbose -diff "Error" -url "/index.php?id=" -incremental integer -minimum 1 -maximum 1
Road Blocks

One of the main issues with tools like dirb/dirbuster lies in the analysis of server responses. With a more advanced server configuration (e.g. with mod_rewrite), automatic tools are sometimes unable to determine "File not found" errors, because the server responds with HTTP response code 200 while the page itself indicates "File not found". This can lead to false positives if the brute force tool relies only on HTTP response codes.

An advanced application assessment tool, such as Burp Suite (http://portswigger.net/), can be used to parse specific parts of the page returned, looking for certain strings in an effort to reduce false positives.

Example 2

In regards to authentication, when no password policy is in place an attacker can use lists of common usernames and passwords to brute force a username and/or password field until authentication succeeds.
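The control the page names against this attack is the account lockout policy linked above. The following is an added example, not code from the OWASP page, of what the server side of such a policy looks like: passwords are stored as salted PBKDF2 hashes and compared in constant time, a counter tracks consecutive failures per account, and after MAX_FAILURES wrong guesses the account is locked for LOCKOUT_SECONDS, during which even the correct password is refused. The thresholds, the injected clock and the account names are constructed assumptions; the unknown-user branch still hashes so that response timing does not reveal which usernames exist.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # consecutive wrong guesses before the lock engages
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts
PBKDF2_ROUNDS = 100_000
DUMMY_SALT = b"\x00" * 16   # used so unknown users cost the same as known ones


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class Authenticator:
    """In-memory user store with a time-limited account lockout."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for tests
        self._accounts = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, self._hash(password, salt))

    def login(self, username, password):
        """Return "ok", "locked" or "denied"."""
        acct = self._accounts.get(username)
        now = self._clock()
        if acct is None:
            self._hash(password, DUMMY_SALT)   # same work as the real path
            return "denied"
        if now < acct.locked_until:
            return "locked"                    # refused regardless of password
        if hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "denied"

    def is_locked(self, username):
        acct = self._accounts.get(username)
        return acct is not None and self._clock() < acct.locked_until


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "correct horse battery staple")   # constructed
    for _ in range(MAX_FAILURES):
        auth.login("alice", "123456")
    print("locked after repeated failures:", auth.is_locked("alice"))
```

A lock that expires on its own, rather than a permanent one, limits how much an attacker can deny service to legitimate users by deliberately tripping the lock; returning the same "denied" for wrong passwords and unknown users keeps the response from doubling as a username oracle.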
Defensive Tools

Php Brute Force Attack Detector
http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip

Detect your web servers being scanned by brute force tools such as WFuzz and OWASP DirBuster, and by vulnerability scanners such as Nessus, Nikto, Acunetix, etc. This helps you quickly identify probable probing by attackers looking for possible security holes.

http://yehg.net/lab/pr0js/tools/phpbruteforcedetectorreadme.pdf
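What a detector of this kind keys on is visible in the dirb run above: one client requesting hundreds of distinct paths in a short time and collecting mostly "not found" responses. The following is an added example, not the detector linked above and not code from the OWASP page, that applies that logic to web server access logs in the common "combined" format: it flags a client that accumulates many distinct 404 paths inside a sliding window, and separately flags a User-Agent that carries a known tool name. The sample log lines, the thresholds and the User-Agent marker list are constructed assumptions; the markers in particular are placeholders to be tuned against the tools seen in your own environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

NOT_FOUND_THRESHOLD = 10          # distinct missing paths from one client ...
WINDOW_SECONDS = 60               # ... within this many seconds
TOOL_UA_MARKERS = ("DirBuster", "Nikto", "Wfuzz")   # assumed; tune locally


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def detect(lines):
    """Return a sorted list of (ip, reason) alerts, one per ip and reason."""
    recent_404 = defaultdict(deque)   # ip -> (timestamp, path) of recent 404s
    alerts = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if any(marker in rec["ua"] for marker in TOOL_UA_MARKERS):
            alerts.add((ip, "scanner user-agent"))
        if rec["status"] == 404:
            window = recent_404[ip]
            window.append((rec["ts"], rec["path"]))
            # drop entries older than the window, measured from this request
            while (rec["ts"] - window[0][0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            if len({path for _, path in window}) >= NOT_FOUND_THRESHOLD:
                alerts.add((ip, "404 burst"))
    return sorted(alerts)


# Constructed sample log: one client walking a wordlist (12 misses in 12
# seconds), one ordinary visitor with a single favicon miss, one tool banner.
PROBED = ["admin", "backup", "cgi-bin", "config", "db", "include",
          "logs", "old", "phpmyadmin", "private", "test", "tmp"]
SAMPLE_LOG = [
    f'203.0.113.5 - - [09/Jul/2007:23:13:{16 + i:02d} +0000] '
    f'"GET /{p}/ HTTP/1.1" 404 345 "-" "Mozilla/5.0"'
    for i, p in enumerate(PROBED)
] + [
    '198.51.100.7 - - [09/Jul/2007:23:13:20 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jul/2007:23:13:21 +0000] "GET /favicon.ico HTTP/1.1" 404 345 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [09/Jul/2007:23:14:01 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "Wfuzz/2.4"',
]

if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG):
        print(f"ALERT {ip}: {reason}")
```

Counting distinct paths rather than raw 404s keeps a browser that retries one missing asset from tripping the rule. Note the blind spot the Road Blocks section describes: if the application rewrites unknown URLs to a catch-all page that returns 200, status-based detection sees nothing, so the fix belongs in the application (return a real 404) or the rule has to key on the "not found" page template instead.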
Related Threat Agents

Category:Authentication

Related Attacks

Blind SQL Injection
Blind XPath Injection

Related Vulnerabilities

Insufficient Session ID Length

Related Controls

Authentication

References

https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project DirBuster
http://portswigger.net/

Retrieved from "https://www.owasp.org/index.php?title=Brute_force_attack&oldid=156720"
Categories: OWASP ASDR Project, Probabilistic Techniques, Attack

This page was last modified on 12 August 2013, at 22:20. This page has been accessed 146,227 times. Content is available under a Creative Commons 3.0 License unless otherwise noted.