2011 and still bruteforcing - OWASP Spain
0 likes864 views
The document discusses brute-force attacks, methods, and countermeasures pertaining to web applications, focusing on credential guessing, session identifiers, and resource locations. It details various attack methods, including dictionary attacks and automated scanning tools, and introduces the Webslayer tool designed for customized brute-force testing. Additionally, it outlines a range of common passwords and effectively highlights ongoing vulnerabilities as of 2010.
![Advanced uses
Sweep an entire range with a common dictionary
HTTP://192.168.1.FUZZ/FUZ2Z
FUZZ: RANGE [1-254]
FUZ2Z: common.txt](https://image.slidesharecdn.com/bruteforce2010-130227145416-phpapp01/85/2011-and-still-bruteforcing-OWASP-Spain-42-320.jpg)
2011 and still bruteforcing - OWASP Spain
- 1. 2010: and still bruteforcing OWASP Webslayer Christian Martorella July 18th 2010 Barcelona
- 2. Who am I Manager Auditoria CISSP, CISA, CISM, OPST, OPSA,CEH OWASP WebSlayer Project Leader FIST Conference, Presidente Edge-Security.com
- 3. Brute force attack Is a method to determine an unknown value by using an automated process to try a large number of possible values.
- 7. What can be bruteforced? Credentials (HTML Forms and HTTP) Session identifiers (session id’s) Predictable resource location (directories and files) Variable values Cookies WebServices methods (rest)
- 8. Where? Headers Forms (POST) URL (GET) Authentication (Basic, NTML)
- 9. How? Dictionary attack Search attack (all possible combinations of a character set and a given length) Rule based search attack (use rules to generate candidates)
- 10. Why 2010 and still bruteforcing? In 2007 Gunter Ollmann proposed a series of countermeasures to stop automated attack tools.
- 11. Countermeasures Block HEAD requests Timeouts and thresholds Referer checks Tokens
- 12. Countermeasures Turing tests (captchas) Honeypot links One time links Custom messages Token resource metering (Hashcash)
- 13. Countermeasures
- 14. Workarounds
- 16. Workarounds Distributing scanning source traffic Proxy HTTP 1 Proxy Attacker Target HTTP ... Proxy HTTP N
- 17. Workarounds Distributing scanning on different targets Target-server-1 Attacker Target-server-2 Target-server-3
- 18. Workarounds Diagonal scanning (different username/password each round) Horizontal scanning (different usernames for common passwords) Three dimension ( Horizontal,Vertical or Diagonal + Distributing source IP) Four dimensions ( Horizontal, Vertical or Diagonal + time delay)
- 20. 2010... 114.000 emails https://dcp2.att.com/OEPClient/openPage?ICCID=NUMBER&IMEI=0
- 21. 2010... Access Any Users Photo Albums http://www.facebook.com/album.php?aid=-3&id=1508034566&l=aad9c aid=-3 (-3 for every public profile album) id=0123456789 l=? (all we know is its 5 characters from the 0123456789abcdef range)
- 22. 2010... •The 500 worst passwords list •Alyssa banned passwords list •Cain’s list of passwords •Conficker’s list •The English dictionary •Faithwriters banned passwords list •Hak5’s list •Hotmail’s banned passwords list •Myspace’s banned passwords list •PHPbb’s compromised list •RockYou’s compromised list •Twitter’s banned passwords list
- 23. 2010...
- 24. 2010... Webservices OK:0:username http://l33.login.scd.yahoo.com/ ERROR:101:Invalid config/isp_verify_user? Password l=USERNAME&p=PASSWORD ERROR:102:Invalid Login
- 25. 2010... Password bruteforce 946 tries python wfuzz.py -c -z file -f wordlists/common.txt --hc 200 - d"email=securik@gmail.com&input_password=FUZZ&timezone=1" "https://www.tuenti.com/? m=Login&func=do_login"
- 26. Tools Automated scanning tools are designed to take full advantage of the state-less nature of the HTTP protocol and insecure development techniques.
- 27. Tools Evolution of WFUZZ
- 28. Webslayer The main objective is to provide to the security tester a tool to perform highly customized brute force attacks on web applications, and a useful results analysis interface. It was designed thinking in the professional tester.
- 29. Webslayer
- 30. Webslayer Predictable credentials (HTML Forms and HTTP) Predictable sessions identifier (cookies,hidden fields, url) Predictable resource location (directories and files) Variables values and ranges Cookies WebServices methods Traversals, Injections, Overflows, etc
- 31. Webslayer Encodings: 15 encodings supported Authentication: supports Ntml and Basic (known or guess) Multiple payloads: you can use 2 payloads in different parts Proxy support (authentication supported) Multithreads Multiple filters for improving the performance and for producing cleaner results
- 32. Webslayer Predictable resource location: Recursion, common extensions, non standard code detection, (Huge collection of dictionaries) Advanced payload generation Live filters Session saving/restoring Integrated browser (webKit) Full page screenshot
- 33. Resource location prediction Based on the idea of Dirb (Darkraver) Custom dictionaries of know resources or common passwords Servers: Tomcat,Websphere,Weblogic,Vignette,etc Common words: common (950), big (3500), spanish CGIs (vulnerabilities) Webservices Injections (SQL, XSS, XML,Traversals)
- 38. Payload Generation Payload generator: Usernames Credit Card numbers Permutations Character blocks Ranges Files Pattern creator and regular expression (encoders)
- 41. Demo
- 42. Advanced uses Sweep an entire range with a common dictionary HTTP://192.168.1.FUZZ/FUZ2Z FUZZ: RANGE [1-254] FUZ2Z: common.txt
- 43. Advanced uses Scanning through proxies me ----> Server w/proxy ---->LAN wfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.FUZZ -x set proxy --hc is used to hide the XXX error code from the results, as machines w/o webserver will fail the request.
- 44. Future features Time delay between request Multiple proxies (distribute attack) Diagonal scanning (mix dictionaries)
- 45. ?