0
2010: and still bruteforcingOWASP WebslayerChristian MartorellaJuly 18th 2010Barcelona
Who am IManager AuditoriaCISSP, CISA, CISM, OPST, OPSA,CEHOWASP WebSlayer Project LeaderFIST Conference, PresidenteEdge-Se...
Brute force attack Is a method to determine an unknown value by using an automated process to try a large number of possib...
What can be bruteforced? Credentials (HTML Forms and HTTP) Session identifiers (session id’s) Predictable resource location...
Where?HeadersForms (POST)URL (GET)Authentication (Basic, NTML)
How?Dictionary attackSearch attack (all possible combinations of acharacter set and a given length)Rule based search attac...
Why 2010 and still bruteforcing? In 2007 Gunter Ollmann proposed a series of countermeasures to stop automated attack tools.
CountermeasuresBlock HEAD requestsTimeouts and thresholdsReferer checksTokens
CountermeasuresTuring tests (captchas)Honeypot linksOne time linksCustom messagesToken resource metering (Hashcash)
Countermeasures
Workarounds
WorkaroundsCaptcha breakers
WorkaroundsDistributing scanning source traffic                        Proxy                        HTTP                   ...
WorkaroundsDistributing scanning on different targets                           Target-server-1     Attacker              ...
WorkaroundsDiagonal scanning (different username/passwordeach round)Horizontal scanning (different usernames forcommon pas...
2010...114.000 emailshttps://dcp2.att.com/OEPClient/openPage?ICCID=NUMBER&IMEI=0
2010...                 Access Any Users Photo Albumshttp://www.facebook.com/album.php?aid=-3&id=1508034566&l=aad9caid=-3 ...
2010...•The 500 worst passwords list•Alyssa banned passwords list•Cain’s list of passwords•Conficker’s list•The English dic...
2010...
2010...                                   Webservices                                                 OK:0:username http:/...
2010...                             Password bruteforce                                                       946 triespyt...
ToolsAutomated scanning tools are designed to take fulladvantage of the state-less nature of the HTTPprotocol and insecure...
Tools  Evolution of WFUZZ
WebslayerThe main objective is to provide to the security testera tool to perform highly customized brute forceattacks on ...
Webslayer
WebslayerPredictable credentials (HTML Forms and HTTP)Predictable sessions identifier (cookies,hidden fields, url)Predictabl...
Webslayer Encodings: 15 encodings supported Authentication: supports Ntml and Basic (known or guess) Multiple payloads: yo...
WebslayerPredictable resource location: Recursion, common extensions, non standardcode detection, (Huge collection of dict...
Resource location prediction Based on the idea of Dirb (Darkraver) Custom dictionaries of know resources or common passwor...
Payload GenerationPayload generator: Usernames Credit Card numbers Permutations Character blocks Ranges Files Pattern crea...
Demo
Advanced usesSweep an entire range with a common dictionaryHTTP://192.168.1.FUZZ/FUZ2ZFUZZ: RANGE [1-254]FUZ2Z: common.txt
Advanced usesScanning through proxies                          me ----> Server w/proxy ---->LANwfuzz -x serverip:53 -c -z ...
Future features Time delay between request Multiple proxies (distribute attack) Diagonal scanning (mix dictionaries)
?
Contactcmartorella _at_s21sec.comcmartorella_at_edge-security.comhttp://twitter.com/laramieshttp://laramies.blogspot.comht...
Referenceshttp://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004)http://projects.webappsec.org/Predictable-R...
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
Upcoming SlideShare
Loading in...5
×

2011 and still bruteforcing - OWASP Spain

364

Published on

Presentation that shows how bruteforcing is still being used for exploiting web application vulnerabilities.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
364
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "2011 and still bruteforcing - OWASP Spain"

  1. 1. 2010: and still bruteforcingOWASP WebslayerChristian MartorellaJuly 18th 2010Barcelona
  2. 2. Who am IManager AuditoriaCISSP, CISA, CISM, OPST, OPSA,CEHOWASP WebSlayer Project LeaderFIST Conference, PresidenteEdge-Security.com
  3. 3. Brute force attack Is a method to determine an unknown value by using an automated process to try a large number of possible values.
  4. 4. What can be bruteforced? Credentials (HTML Forms and HTTP) Session identifiers (session id’s) Predictable resource location (directories and files) Variable values Cookies WebServices methods (rest)
  5. 5. Where?HeadersForms (POST)URL (GET)Authentication (Basic, NTML)
  6. 6. How?Dictionary attackSearch attack (all possible combinations of acharacter set and a given length)Rule based search attack (use rules to generatecandidates)
  7. 7. Why 2010 and still bruteforcing? In 2007 Gunter Ollmann proposed a series of countermeasures to stop automated attack tools.
  8. 8. CountermeasuresBlock HEAD requestsTimeouts and thresholdsReferer checksTokens
  9. 9. CountermeasuresTuring tests (captchas)Honeypot linksOne time linksCustom messagesToken resource metering (Hashcash)
  10. 10. Countermeasures
  11. 11. Workarounds
  12. 12. WorkaroundsCaptcha breakers
  13. 13. WorkaroundsDistributing scanning source traffic Proxy HTTP 1 Proxy Attacker Target HTTP ... Proxy HTTP N
  14. 14. WorkaroundsDistributing scanning on different targets Target-server-1 Attacker Target-server-2 Target-server-3
  15. 15. WorkaroundsDiagonal scanning (different username/passwordeach round)Horizontal scanning (different usernames forcommon passwords)Three dimension ( Horizontal,Vertical or Diagonal +Distributing source IP)Four dimensions ( Horizontal, Vertical or Diagonal +time delay)
  16. 16. 2010...114.000 emailshttps://dcp2.att.com/OEPClient/openPage?ICCID=NUMBER&IMEI=0
  17. 17. 2010... Access Any Users Photo Albumshttp://www.facebook.com/album.php?aid=-3&id=1508034566&l=aad9caid=-3 (-3 for every public profile album)id=0123456789l=? (all we know is its 5 characters from the 0123456789abcdef range)
  18. 18. 2010...•The 500 worst passwords list•Alyssa banned passwords list•Cain’s list of passwords•Conficker’s list•The English dictionary•Faithwriters banned passwords list•Hak5’s list•Hotmail’s banned passwords list•Myspace’s banned passwords list•PHPbb’s compromised list•RockYou’s compromised list•Twitter’s banned passwords list
  19. 19. 2010...
  20. 20. 2010... Webservices OK:0:username http://l33.login.scd.yahoo.com/ ERROR:101:Invalidconfig/isp_verify_user? Passwordl=USERNAME&p=PASSWORD ERROR:102:Invalid Login
  21. 21. 2010... Password bruteforce 946 triespython wfuzz.py -c -z file -f wordlists/common.txt --hc 200 -d"email=securik@gmail.com&input_password=FUZZ&timezone=1" "https://www.tuenti.com/?m=Login&func=do_login"
  22. 22. ToolsAutomated scanning tools are designed to take fulladvantage of the state-less nature of the HTTPprotocol and insecure development techniques.
  23. 23. Tools Evolution of WFUZZ
  24. 24. WebslayerThe main objective is to provide to the security testera tool to perform highly customized brute forceattacks on web applications, and a useful resultsanalysis interface. It was designed thinking in theprofessional tester.
  25. 25. Webslayer
  26. 26. WebslayerPredictable credentials (HTML Forms and HTTP)Predictable sessions identifier (cookies,hidden fields, url)Predictable resource location (directories and files)Variables values and rangesCookiesWebServices methodsTraversals, Injections, Overflows, etc
  27. 27. Webslayer Encodings: 15 encodings supported Authentication: supports Ntml and Basic (known or guess) Multiple payloads: you can use 2 payloads in different parts Proxy support (authentication supported) Multithreads Multiple filters for improving the performance and for producing cleaner results
  28. 28. WebslayerPredictable resource location: Recursion, common extensions, non standardcode detection, (Huge collection of dictionaries)Advanced payload generationLive filtersSession saving/restoringIntegrated browser (webKit)Full page screenshot
  29. 29. Resource location prediction Based on the idea of Dirb (Darkraver) Custom dictionaries of know resources or common passwords Servers: Tomcat,Websphere,Weblogic,Vignette,etc Common words: common (950), big (3500), spanish CGIs (vulnerabilities) Webservices Injections (SQL, XSS, XML,Traversals)
  30. 30. Payload GenerationPayload generator: Usernames Credit Card numbers Permutations Character blocks Ranges Files Pattern creator and regular expression (encoders)
  31. 31. Demo
  32. 32. Advanced usesSweep an entire range with a common dictionaryHTTP://192.168.1.FUZZ/FUZ2ZFUZZ: RANGE [1-254]FUZ2Z: common.txt
  33. 33. Advanced usesScanning through proxies me ----> Server w/proxy ---->LANwfuzz -x serverip:53 -c -z range -r 1-254 --hc XXX -t 5 http://10.10.1.FUZZ-x set proxy--hc is used to hide the XXX error code from the results, as machines w/o webserverwill fail the request.
  34. 34. Future features Time delay between request Multiple proxies (distribute attack) Diagonal scanning (mix dictionaries)
  35. 35. ?
  36. 36. Contactcmartorella _at_s21sec.comcmartorella_at_edge-security.comhttp://twitter.com/laramieshttp://laramies.blogspot.comhttp://www.edge-security.com
  37. 37. Referenceshttp://www.owasp.org/index.php/Testing_for_Brute_Force_(OWASP-AT-004)http://projects.webappsec.org/Predictable-Resource-Locationhttp://projects.webappsec.org/Credential-and-Session-Predictionhttp://projects.webappsec.org/Brute-Forcehttp://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.htmlhttp://gawker.com/5559346/http://tacticalwebappsec.blogspot.com/2009/09/distributed-brute-force-attacks-against.htmlhttp://praetorianprefect.com/archives/2010/06/114000-ipad-owners-the-script-that-harvested-their-e-mail-addresses/http://www.securitybydefault.com/2009/07/no-no-uses-captchas-ni-ningun-otro.htmlhttp://nukeit.org/facebook-hack-access-any-users-photo-albums/
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×