Saturday, November 5, 2011

Brute forcing html login forms

Lately, i been really busy at work and havent researched or read any books in the past two weeks. Already i felt like my brain was slipping away. So i decided to fire up a DVL (Damn Vulnerable linux), which is a live distribution that has many vulnerabilities for one to practice their security skills. I haven't used it before so i didn't know what i was getting into. I did a port scan and found two open ports (631 and 3306/mysql). Initially, i tried to identify the MySQL version using metasploit but that didn't work. I then tried using the metasploit mysql bruteforcer, to do a dictionary attack on the service, but metasploit complained that the attack will only work on older versions of MySQL. I was clueless. I began looking around the DVL and then started apache (isn't running by default) from the desktop shortcuts. I went back to my attacking backtrack 5 machine and fired up Firefox then went to the relevant webpage URL for the DVL machine. Interesting enough, it gave me a directory listing. I saw phpmyadmin listed so i decided to go in their. I was presented with the login page. I tried some random stuff i thought might work and had no success. I was failing miserably. What i needed to do at that point was automate the password guessing process. This is where hydra comes in.

This is the code i used.
# hydra -l admin -P passwords.lst -e ns -vV http-post-form "/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1:denied"

After a few minutes, i had a smile on my face. Hydra found two usable passwords for the username admin. Just to avoid any spoilers, i wouldn't post the relevant passwords. Out of curiosuty, i decided to run hydra again for the user root.

# hydra -l root -P passwords.lst -f -e ns -vV http-post-form "/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^&server=1:denied"

I decided to use the "-f" switch so hydra would quit immediately when a matching password is found. Indeed, after a few seconds, i had a usable password. In reality, there is nothing to fancy about this as the accounts and their passwords seem to be at their defaults and if you knew what mysql accounts default credentials are, then you know that bruteforcing here was a dead waste of time :). Either way, i had a foot in the door and the point of this was to demonstrate how you can bruteforce html login forms with hydra.

BTW, adding the "-U" switch would give you usage information when using the "http-post-form" service.

Update: It turns out that you can use any username with the password of "0" for some reason :). Now that you have access, to the mysql database, you can snoop around to get information and user logins for web apps like wordpress and joomla.

Resources/Good Reading:

No comments:

Post a Comment