Wednesday, August 3, 2011

Web Form Password Brute Force with FireForce

I spent many hours today playing around with DVWA – (Damn Vulnerable Web App), fromRandomstorm, brushing up on my web app pentesting skills, to be honest its been a long time and I really need to get back on top of this.
Anyways, after going through all the usual SQL injection, XSS stuff I thought I’d have a go at the brute forcing part of the app.
Well after what seemed like days I gave up, with little or no success – I’d tried the usual suspect for ‘bruting’ the password – Hydra.
Until I Googled around and found a Firefox addon called ‘Fireforce’ the article that I found is here Dark Reading
The website for the tool is here SCRT ,there is a manual in english too.
What the extension does is finds out the fields for the brute force attack in the web page source code, an automated way rather than reading through it manually, and then tries to brute force using your wordlists.
You can view the source code for the webpage by right clicking on the page and selecting View page source.
Here you can pick out the form action ‘GET’ and the password, username  and submit info.
This is what you would normally feed into Hydra, as shown here:-
hydra -l admin -P wordlist.txt -f -v http-get-form “/vulnerabilities/brute/:username=^USER^&password=^PASS^&submit=Login:Username and/or Password incorrect.”
So to Fireforce, best read the manual for all options, but really all you have to do once its installed is right click in the fields for username and password and load up your wordlists for usernames and passwords and let it rip.
Et Viola

After a bit more reading after publishing this post, I found out that Hydra falls a little short when dealing with web forms, an article I found on the excellent Attack Vector blog, Mat also had issues with Hydra and web forms.

1 comment:

  1. i wonder if this will work with the new 2wire i3812v ? the ones that use a password printed on the ac adapter.