Mutillidae - Lesson 4 - Brute Force Using Burp Suite and Crack - Web - Form PDF

12/4/2016 Mutillidae: Lesson 4: Brute Force Using Burp Suite and crack_web_form.
pl
ComputerSecurityStudent (CSS) [Login] [Join Now]
HOME UNIX WINDOWS SECURITY TOOLS FORENSICS SHOPPING GET STARTED CONTACT US
|SECURITY TOOLS >> Mutillidae Project >> Mutillidae 2.5.11 >> Current Page |Views:
5941

(Mutillidae: Lesson 4)

{ Brute Force Using Burp Suite and crack_web_form.pl } Help
ComputerSecurityStudent
pay for continued
research,
Section 0. Background Information resources & bandwidth

What Mutillidae?
OWASP Mutillidae II is a free, open source, deliberately vulnerable web
application providing a target for websecurity enthusiast.
What is Burp Suite?
Burp Suite is a Java application that can be used to secure or crack web
applications. The suite consists of different tools, such as a proxy
server, a web spider, an intruder and a socalled repeater, with which
requests can be automated.
When Burp suite is used as a proxy server and a web browser uses this
proxy server, it is possible to have control of all traffic that is
exchanged between the web browser and web servers. Burp makes it
possible to manipulate data before it is sent to the web server.
What is Brute Force?
A Brute Force attack is a type of password guessing attack and it
consists of trying every possible code, combination, or password until
you find the correct one. This type of attack may take long time to
complete. A complex password can make the time for identifying the
password by brute force long.
Dictionary Attack:
A dictionary attack is another type of password guessing attack which
uses a dictionary of common words to identify the user's password.
What is crack_web_form.pl
crack_web_form.pl is a very basic perl script/tool written by
computersecuritystudent.com that uses a combination of (1) httppost
data, (2)a password list, and (3) error messages to test passwords for
specific usernames.
PreRequisite Lab
1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedora 14
Note: Remote database access has been turned on to provide an
additional vulnerability.
2. BackTrack: Lesson 1: Installing BackTrack 5 R1
Note: This is not absolutely necessary, but if you are a computer
security student or professional, you should have a BackTrack VM.
Lab Notes
In this lab we will do the following:
1. Test the Login.php script for wrong passwords and display an error
message.
2. Configure Firefox Proxy to use Burp Suite.
3. Capture HTTPPOSTDATA with Burp Suite
4. Download and Run crack_web_form.pl (Version 2.0).
5. Test the Login.php script with cracked password.
Legal Disclaimer
https://www.computersecuritystudent.com/SECURITY_TOOLS/MUTILLIDAE/MUTILLIDAE_2511/lesson4/index.html 1/31
12/4/2016 Mutillidae: Lesson 4: Brute Force Using Burp Suite and crack_web_form.pl
As a condition of your use of this Web site, you warrant to
computersecuritystudent.com that you will not use this Web site for any
purpose that is unlawful or that is prohibited by these terms,
conditions, and notices.
In accordance with UCC § 2316, this product is provided with "no
warranties, either express or implied." The information contained is
provided "asis", with "no guarantee of merchantability."
In addition, this is a teaching website that does not condone malicious
behavior of any kind.
Your are on notice, that continuing and/or using this lab outside your
"own" test environment is considered malicious and is against the law.
© 2013 No content replication of any kind is allowed without express
written permission.
Section 1: Configure Fedora14 Virtual Machine Settings
1. Start VMware Player
Instructions
1. For Windows 7
1. Click Start Button
2. Search for "vmware player"
3. Click VMware Player
2. For Windows XP
Starts > Programs > VMware Player
2. Edit Fedora Mutillidae Virtual Machine Settings
Instructions:
1. Highlight Fedora14 Mutillidae
2. Click Edit virtual machine settings
3. Edit Network Adapter
Instructions:
1. Highlight Network Adapter
2. Select Bridged
3. Click the OK Button
Section 2: Login to Fedora14 Mutillidae
1. Start Fedora14 VM Instance
Instructions:
1. Start Up VMWare Player
2. Select Fedora14 Mutillidae
3. Play virtual machine
2. Login to Fedora14 Mutillidae
Instructions:
1. Login: student
2. Password: <whatever you set it to>.
Section 3: Open Console Terminal and Retrieve IP Address
1. Start a Terminal Console
Instructions:
1. Applications > Terminal
2. Switch user to root
Instructions:
1. su root
2. <Whatever you set the root password to>

3. Get IP Address
Instructions:
1. ifconfig a
Notes (FYI):
As indicated below, my IP address is 192.168.1.111.
Please record your IP address.
Section 4: Configure BackTrack Virtual Machine Settings
1. Start VMware Player
Instructions
1. For Windows 7
1. Click Start Button
2. Search for "vmware player"
3. Click VMware Player
2. For Windows XP
Starts > Programs > VMware Player
2. Edit the BackTrack5R1 VM
Instructions:
1. Select BackTrack5R1 VM
2. Click Edit virtual machine settings
3. Edit Virtual Machine Settings
Instructions:
1. Click on Network Adapter
2. Click on the Bridged Radio button
3. Click on the OK Button
Section 5: Play and Login to BackTrack
1. Play the BackTrack5R1 VM
Instructions:
1. Click on the BackTrack5R1 VM
2. Click on Play virtual machine
2. Login to BackTrack
Instructions:
1. Login: root
2. Password: toor or <whatever you changed it to>.
3. Bring up the GNOME
Instructions:
1. Type startx
Section 6: Open Console Terminal and Retrieve IP Address
1. On BackTrack, Start up a terminal window
Instructions:
1. Click on the Terminal Window
2. Obtain the IP Address
Instructions:
1. ifconfig a
Note(FYI):
My IP address 192.168.1.109.
In your case, it will probably be different.
This is the machine that will be use to attack the victim machine
(Metasploitable).
Section 7: Start Web Browser Session to Mutillidae
1. On BackTrack, Open Firefox
Instructions:
1. Click on the Firefox Icon
Notes (FYI):
If FireFox Icon does not exist in the Menu Bar Tray, then go to
Applications > Internet > Firefox Web Browser
2. Open Mutillidae
Notes (FYI):
Replace 192.168.1.111 in the following URL >
http://192.168.1.111/mutillidae, with your Mutillidae's IP Address
obtained from (Section 3, Step 3)
Instructions:
1. http://192.168.1.111/mutillidae
Section 8: Blog Reconnaissance
1. Select View Someones Blog
Instructions:
1. OWASP Top 10 > A1 SQL Injection > SQLMAP Practice > View
Someones Blog
2. Possible Usernames
Instructions:
1. Click on Please Choose Author
Note(FYI):
Without even logging in, you are able to view logs of other users.
This is normally not a big deal.
However, the below list box will contain the value or the database
username of each displayed username.
3. View Source Code for View Someones Blog
Instructions:
1. Right Click on white background
2. Click on View Page Source
4. Search Source Code for Username
Instructions:
1. Press the <Ctrl> and <f> keys to search the source code
2. Type "admin" and press enter
Include the quotes
Note(FYI):
Notice for every username in this line, there will be a tag called
<option value="USERNAME">.
<option value="admin">admin</option>
<option value="admin" This is the database value
>admin</option> This is the display name of the user
5. Parse Source Code for Username
Note(FYI):
Replace 192.168.1.111 with the Fedora(Mutillidae) IP Address
obtained from (Section 3, Step 3).
Below is just a small tutorial on using a little bit of elbow grease
(curl, grep, sed and awk) to do a lot of parsing.
Instructions:
1. curl L "http://192.168.1.111/mutillidae/index.php?page=viewsomeonesblog.php" 2>/dev/null | grep i
\"admin\" | sed 's/"//g' | awk 'BEGIN{FS=">"}{for (i=1; i<=NF; i++) print $i}' | grep v value | sed
s'/<\/option//g'
curl ‐L "Webpage", retrieves the source code of a webpage.
2>/dev/null, means do not view errors or curl status output.
grep ‐i \"admin\", display curl output that contains the string "\"admin\"".
sed 's/"//g', use sed to replace quotes with nothing
awk 'BEGIN{FS=">"}{for (i=1; i<=NF; i++) print $i}', use the ">" character as a delimiter or ﬁeld
separator and print each array element on a separate line
grep ‐v value, display array element output that only contains the string "value".
sed s'/<\/opĕon//g', use sed to replace the string "</opĕon" with nothing.
Section 9: Viewing Login.php Error Message
1. Test Login.php
Instructions:
1. Click Login/Register
2. Name: admin
3. Password: admin
4. Click the Login Button
2. Copy the Login.php Error Message
Instructions:
1. Highlight "Authentication Error", and Right Click
2. Select Copy
3. Open gedit
Instructions:
1. gedit &
2. Press Enter
4. Paste Message
Instructions:
1. Press the <Ctrl> and <v> keys to paste message
Section 10: Viewing Login.php Source Code
1. View Login.php Source
Instructions:
1. Click on Login/Register
2. Right Click on the white screen background, select View Page Source.
2. Analyze Login.php Source
Instructions:
1. Press the <Ctrl> and <f> keys at the same time
2. Type form action in the find box and press enter.
Notes (FYI):
Notice the naming convention of the username and password textboxes.
Notice the naming convention and value of the submit button.
Section 11: Configure Firefox Proxy Settings
1. View Preferences
Instructions:
1. Click on Firefox
2. Select Preferences > Preferences
2. Advanced Settings...
Instructions:
1. Click on the Advanced Icon
2. Click on the Network Tab
3. Click on the Setting... button
3. Connection Settings
Instructions:
1. Click on Manual proxy configurations
2. Type "127.0.0.1" in the HTTP Proxy Text Box
3. Type "8080" in the Port Text Box
4. Check Use the proxy server for all protocols
5. Click OK
6. Click Close
Section 12: Configure Burp Suite
1. Start Burp Suite
Instructions:
1. Applications > BackTrack > Vulnerability Assessment > Web
Application Assessment > Web Vulnerability Scanner > burpsuite
2. JRE Message
Instructions:
1. Click OK

3. Configure proxy
Instructions:
1. Click on the proxy tab
2. Click on the options tab
3. Verify the port is set to 8080
4. Turn on intercept
Instructions:
1. Click on the proxy tab
2. Click on the intercept tab
3. Verify the intercept button shows "intercept is on"

5. Try Logging in
Note(FYI):
You should already be on the Login Page.
Replace 192.168.1.111 with the Fedora(Mutillidae) IP Address
obtained from (Section 3, Step 3).
Instructions:
1. The following URI should already be in the address box
http://192.168.1.111/mutillidae/index.php?page=login.php.
2. Name: admin
3. Password: admin
Note: The Webpage will not refresh, because it is waiting on
Burp Suite.
5. Continue to Next Step
6. Verifying Burp Suite Results
Instructions:
Highlight username=admin&password=admin&loginphpsubmit
button=Login and right click
Click Copy
Note(FYI):
1. On the first line, you can see POST has occurred for login.php
2. username=admin, username is the name of the textbox and admin is
its' value.
3. password=admin, password is the name of the textbox and admin is
its' value.
4. loginphpsubmitbutton=Login, loginphpsubmitbutton is the name
of the button and Login is its' value.
7. Paste Message
Instructions:
1. Press the <Ctrl> and <v> keys to paste message
Note(FYI):
After this step, you should see following two messages:
1. Authentication Error
2. username=admin&password=admin&loginphpsubmitbutton=Login
Section 13: Crack Web Form
1. Download and Prepare Crack Web Form
Instructions:
1. mkdir p /pentest/passwords/cwf
2. cd /pentest/passwords/cwf
3. wget
http://www.computersecuritystudent.com/SECURITY_TOOLS/MUTILLIDAE/MUTILLIDAE_2511/lesson4/cwf.v2.tar.gz
4. ls l cwf.v2.tar.gz
5. tar zxovf cwf.v2.tar.gz
2. Crack Web Form Functionality
Instructions:
1. ./crack_web_form.pl help | more
3. Using Crack Web Form
Note(FYI):
Replace 192.168.1.111 with the IP Address obtained (Section 3, Step
3).
Instructions:
1. ./crack_web_form.pl ‐U admin ‐h酀�p "h酀�p://192.168.1.111/mu㚁�llidae/index.php?page=login.php"
‐data "username=USERNAME&password=PASSWORD&login‐php‐submit‐bu酀�on=Login" ‐F
"Authen㚁�ca㚁�on Error"
U, Is an optional parameter. It allows you to specify a
username. If the username is not supplied, then the username
will default to admin.
P, Is an optional parameter. It allows you to specify the
location of the password file. The default password file is
set to the password.txt file located in the same directory as
crack_web_form.pl.
http, Is a required parameter. It allows to specify the login
page. Supply the login page you used in (Section 12, Step 5).
h酀�p://192.168.1.111/mu㚁�llidae/index.php?page=login.php
data, Is a required parameter. It allows you to specify the
HTTP POST DATA.
username= USERNAME, where USERNAME is either the default "admin" or
replaced by the user supplied parameter.
password= PASSWORD, where PASSWORD is replaced by values in the password
file.
"username=USERNAME&password=PASSWORD&login‐php‐submit‐bu酀�on=Login", this
is the string we obtain from Burp Suite in (Secĕon 12, Step 7).
F, Is an optional parameter. It allows you to specify the
authentication failure message. Supply the failure message you
obtained in (Section 9, Step 11). The default failure message
is set to "fail|invalid|error", where the message is case
insensitive
"Authen㚁�ca㚁�on Error", this is the string we obtain from (Secĕon 9, Step 4).
4. Crack Web Form Results
Instructions:
1. crack_web_form.pl found the password (adminpass) for username
(admin).
Section 14: Remove Firefox Manual Proxy Configuration
1. View Preferences
Instructions:
1. Click on Firefox
2. Select Preferences > Preferences
2. Advanced Settings...
Instructions:
1. Click on the Advanced Icon
2. Click on the Network Tab
3. Click on the Setting... button
3. Connection Settings
Instructions:
1. Click on the No proxy Radio Button
2. Click on the OK Button
3. Click on the Close Button
Section 15: Test Admin Password
1. Test Login.php
Instructions:
1. Click Login/Register
2. Name: admin
3. Password: adminpass
The password was obtained from (Section 13, Step 4).
2. Verify Login Message
Note(FYI):
1. Notice that message "Logged In Admin: admin (root)".

Section 16: Proof of Lab
1. Proof of Lab
Instructions:
1. cd /pentest/passwords/cwf
2. cat crack_cookies.txt
3. date
4. echo "Your Name"
Replace the string "Your Name" with your actual name.
e.g., echo "John Gray"
Proof of Lab Instructions
1. Press both the <Ctrl> and <Alt> keys at the same time.
2. Do a <PrtScn>
3. Paste into a word document
4. Upload to Moodle

Mutillidae - Lesson 4 - Brute Force Using Burp Suite and Crack - Web - Form PDF

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Mutillidae - Lesson 4 - Brute Force Using Burp Suite and Crack - Web - Form PDF

Загружено:

Авторское право:

Доступные форматы

12/4/2016 Mutillidae: Lesson 4: Brute Force Using Burp Suite and crack_web_form.

ComputerSecurityStudent (CSS) [Login] [Join Now]

HOME UNIX WINDOWS SECURITY TOOLS FORENSICS SHOPPING GET STARTED CONTACT US

Вам также может понравиться