Summary
A critical area of web enumeration is looking for users who use weak or common passwords and attempting to guess those passwords through brute force. Though brute-forcing is always a last resort, gaining access this way is still very common, as most users tend to use weak or common passwords.
In the Login Brute Forcing module, you will learn how to brute force the credentials of users who use common or weak passwords and use those credentials to log in.
You will learn the following topics:
- Brute forcing basic HTTP authentication
- Brute forcing website login forms
- Creating personalized wordlists based on personal details
- Brute-forcing service logins, like FTP, SSH, and others
CREST CPSA/CRT-related Sections:
- All sections
CREST CCT APP-related Sections:
- All sections
This module is broken down into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to further reinforce the concepts introduced in each section. You can do this in the Pwnbox provided in the interactive sections, Windows machines in a lab environment as directed, or your own virtual machine.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
The module is classified as "Easy" but assumes a working knowledge of the Linux command line and an understanding of information security fundamentals.
A firm grasp of the following modules can be considered prerequisites for successful completion of this module:
- Introduction to Networking
- Linux Fundamentals
- Web Requests
Introduction to Brute Forcing
A Brute Force attack is a method of attempting to guess passwords or keys by automated probing. An example of a brute-force attack is password cracking. Passwords are usually not stored in clear text on the systems but as hash values.
Here is a small list of files that can contain hashed passwords:
| Windows | Linux |
|---|---|
| unattend.xml | shadow |
| sysprep.inf | shadow.bak |
| SAM | password |
Since a password cannot be calculated backwards from its hash value, the brute force method hashes candidate passwords one after another until a computed hash matches the stored hash value; at that point the password is found. This method is also called offline brute-forcing. This module will focus on online brute-forcing and explicitly deals with websites' login forms.
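As an added illustration (not part of the original module text) of why the offline method described above works against plain hashes and why salted, slow hashing blunts it, the following Python password audit compares a constructed common-password list against constructed unsalted SHA-256 records and salted PBKDF2 records; the user names, passwords and the COMMON_PASSWORDS list are all constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a common-password wordlist.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "Summer2023"]

def fast_hash(password: str) -> str:
    # Unsalted SHA-256, as found in weak legacy credential stores.
    return hashlib.sha256(password.encode()).hexdigest()

def slow_hash(password: str, salt: bytes, iterations: int = 50_000) -> str:
    # Salted PBKDF2-HMAC-SHA256: the kind of storage that resists offline guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def audit_unsalted(stored: dict, wordlist: list) -> tuple:
    # stored: user -> hex hash. Returns (weak accounts, hash operations).
    # Without a salt, equal passwords give equal hashes, so hashing each
    # candidate once covers every account at the same time.
    table = {fast_hash(w): w for w in wordlist}
    weak = {user: table[h] for user, h in stored.items() if h in table}
    return weak, len(wordlist)

def audit_salted(stored: dict, wordlist: list, iterations: int = 50_000) -> tuple:
    # stored: user -> (salt, hex hash). Returns (weak accounts, derivations).
    # A per-user salt forces every candidate to be recomputed per account,
    # and each derivation costs `iterations` rounds instead of one hash.
    weak, ops = {}, 0
    for user, (salt, h) in stored.items():
        for w in wordlist:
            ops += 1
            if hmac.compare_digest(slow_hash(w, salt, iterations), h):
                weak[user] = w
                break
    return weak, ops

def demo() -> tuple:
    # Constructed records: two users share "letmein", one uses a strong passphrase.
    users = [("alice", "letmein"), ("bob", "letmein"),
             ("carol", "correct horse battery staple")]
    unsalted = {u: fast_hash(p) for u, p in users}
    salted = {}
    for u, p in users:
        salt = os.urandom(16)
        salted[u] = (salt, slow_hash(p, salt))
    return audit_unsalted(unsalted, COMMON_PASSWORDS), audit_salted(salted, COMMON_PASSWORDS)

if __name__ == "__main__":
    (weak_fast, ops_fast), (weak_slow, ops_slow) = demo()
    print(f"unsalted: {weak_fast} found with {ops_fast} hashes")
    print(f"salted:   {weak_slow} found with {ops_slow} PBKDF2 derivations")
```

Both audits flag the same two accounts, but the salted store needs a separate derivation per account and candidate, and each derivation is tens of thousands of times more expensive than a bare SHA-256, which is exactly the cost a defender wants an offline guesser to pay.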
On most websites, there is a login area for administrators, authors, or users somewhere. Furthermore, usernames are often recognizable on the web pages, and complex passwords are rarely used because they are difficult to remember. Therefore, it is worth trying the online brute forcing method after proper enumeration if we could not identify any other initial foothold.
There are many tools and methods to utilize for login brute-forcing, like:
- Ncrack
- wfuzz
- medusa
- patator
- hydra
- and others.
In this module, we will be mainly using hydra, as it is one of the most common and reliable tools available.
The following topics will be discussed:
- Brute forcing basic HTTP auth
- Brute force for default passwords
- Brute forcing login forms
- Brute force usernames
- Creating personalized username and password wordlists based on our target
- Brute forcing service logins, such as FTP and SSH