Sunday, August 16, 2015

Using Burp Suite with Cluster Bomb to Brute Force a Web Login

Of course, you are only going to attempt a brute-force login against something that you:

(A) Have permission to attack in the first place
(B) Know you won't affect the client's environment in a negative fashion, including by:
      (1) Locking out users
      (2) Knocking over servers
      (3) Clogging the network

Brute forcing is the kind of thing that, if you know you aren't going to hurt anything, makes sense to run while you are away getting lunch or otherwise have going in the background. After all, you never know what you might find.

Choosing a good password list is a topic all to itself, and one I may cover at a later date. But for now let's assume that you have a list of users and some passwords. Cluster bombing always makes sense, even if some of the passwords go with a specific user. For example, let's say that Joe has a password of Seahawks for his SSH login, but not for the web application in question. Let's also say that Susan has a password of Orioles for her FTP login, but not for the web application.

What if Susan's password for the web application is Seahawks?

This might seem far-fetched, but it happens. So if you include all the passwords that you have (or think are likely), run them against all the usernames that you have (or think are likely), and you are using Burp Suite, then you want to run a cluster bomb attack against the application.

So how do you do it? First, we need to point the browser we are using at Burp's proxy so that we can capture the login request...


Then we ensure that Intercept is on in Burp and submit our data on the web page. Notice that our username of 'foo' and password of 'bar' are captured. Burp holds this request and will reuse it over and over again in the attack.


Specifically, the parameters indicated will be replaced by the contents of two files: a list of usernames and a list of passwords. The next step is to right-click this screen and send the request to Intruder. Notice that, with the Intruder tab selected, the sub-tabs Target, Positions, Payloads and Options present themselves. Target won't need to be altered, as we are using HTTP on port 80, but our Positions will need to be specified. Clear the foo and bar values; we only put them there so that we could easily identify where the fields were in the form.



On the next tab, Payloads, we indicate which usernames and passwords will be plugged in for the attack. As we are using a cluster bomb attack, every username will be tried with every password, which is what we want.

Then, on the Options tab, make certain that you handle redirections, and start the attack.


Lastly, as you watch the attack in the background, you can sort the results by response length to see whether you have any hits. For very little setup time, these kinds of attacks may give you some additional level of access that you can leverage from information you already have.
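As an added, defender-side example that is not from the original post: the cluster bomb pattern described above (every username against every password) is easy to spot in a login log, because one client cycles through many distinct usernames in a short burst, and the "sort by length" trick works just as well for the defender to see which guess in that burst got a different answer. The log format (combined log plus the submitted username) is an assumption, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format (not from the post): combined log plus the submitted username. Constructed lines.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Aug/2015:12:01:01 +0000] "POST /login HTTP/1.1" 200 1834 user=joe
203.0.113.5 - - [16/Aug/2015:12:01:02 +0000] "POST /login HTTP/1.1" 200 1834 user=joe
203.0.113.5 - - [16/Aug/2015:12:01:02 +0000] "POST /login HTTP/1.1" 200 1834 user=susan
203.0.113.5 - - [16/Aug/2015:12:01:03 +0000] "POST /login HTTP/1.1" 200 1834 user=susan
203.0.113.5 - - [16/Aug/2015:12:01:03 +0000] "POST /login HTTP/1.1" 200 1834 user=admin
203.0.113.5 - - [16/Aug/2015:12:01:04 +0000] "POST /login HTTP/1.1" 302 215 user=admin
198.51.100.7 - - [16/Aug/2015:12:05:10 +0000] "POST /login HTTP/1.1" 200 1834 user=alice
198.51.100.7 - - [16/Aug/2015:12:05:40 +0000] "POST /login HTTP/1.1" 302 215 user=alice
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /login [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+) user=(?P<user>\S+)')

def parse_login_attempts(log_text):
    """Yield (ip, timestamp, status, size, user) for each POST /login line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, int(m["status"]), int(m["size"]), m["user"]

def detect_cluster_bomb(log_text, window=timedelta(seconds=60), min_attempts=5, min_users=3):
    """Flag sources that cycle through several usernames within one window.
    Every-user-with-every-password shows up server-side as one client hitting the
    login form with many distinct usernames. Responses that differ from the
    dominant failure (status, size) pair are reported: the post's "sort by length"
    trick, applied here to spot which guess may have worked."""
    by_ip = defaultdict(list)
    for ip, ts, status, size, user in parse_login_attempts(log_text):
        by_ip[ip].append((ts, status, size, user))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        best, start = [], 0
        for end in range(len(events)):          # sliding window over time-sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > len(best):     # keep the densest burst for this source
                best = events[start:end + 1]
        users = {e[3] for e in best}
        if len(best) >= min_attempts and len(users) >= min_users:
            usual = Counter((e[1], e[2]) for e in best).most_common(1)[0][0]
            odd = [e[3] for e in best if (e[1], e[2]) != usual]
            findings[ip] = {"attempts": len(best), "users": sorted(users), "odd_responses": odd}
    return findings
```

On the constructed log this flags 203.0.113.5 (six attempts across three usernames in a few seconds, with the admin guess getting an unusual response) and leaves the normal user at 198.51.100.7 alone; tune the thresholds against the lockout policy from the checklist at the top of the post.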



