Building our first BruteForcer 

In this section, we're going to build a script that will help us to discover resources using a dictionary. We're going to create a basic BruteForcer. We'll start by defining the objective of the tool and then go over the code for the basic structure of the BruteForcer.

Finally, we'll run it against our test web application using the following steps:

  1. Go back to our editor and open the project folder for section 4 by selecting File | Add Project Folder... | Desktop | Examples | Section-4 | OK.
  2. Then, open the file for forzabruta.py.
  3. In this script, we have the basic structure for our BruteForcer. We have our typical import, and then we have the banner function, which will print the name of the script. The usage function opens to provide help on how to use the script.
  4. Now, let's jump to the start function, which is invoked when we run our program:
def start(argv):
    banner()
    if len(sys.argv) < 5:
           usage()
           sys.exit()
    try :
        opts, args = getopt.getopt(argv,"w:f:t:")
    except getopt.GetoptError:
               print "Error en arguments"
               sys.exit()

    for opt,arg in opts :
           if opt == '-w' :
                   url=arg
           elif opt == '-f':
                   dict= arg
           elif opt == '-t':
                   threads=arg
    try:
           f = open(dict, "r")
           words = f.readlines()
    except:
           print"Failed opening file: "+ dict+"
"
           sys.exit()
    launcher_thread(words,threads,url)

Print the banner and then check the parameters used to invoke our program. Then, pass the parameters and assign the URL dictionary and number of threads. Open the dictionary and read all the lines, and finally, call the launcher_thread with the words, threads, and url.

As we want our application to perform several tasks at once, we can use threads. Otherwise, our BruteForcer will be sequential, and for big dictionaries, it will be slow. By using threads, we can speed up this attack. We can reuse this script's skeleton whenever we want to implement threading in other tools, as threading is usually tricky to implement.
  1. The launcher_thread function will basically manage the threads and will instantiate the class request performer for each thread with one word from the dictionary and the target URL, and then it will start the thread. This will be done for each word that is loaded in the dictionary:
def launcher_thread(names,th,url):
    global i
    i=[]
    resultlist=[]
    i.append(0)
    while len(names):
        try:
            if i[0]<th:
                n = names.pop(0)
                i[0]=i[0]+1
                thread=request_performer(n,url)
                thread.start()

        except KeyboardInterrupt:
            print "ForzaBruta interrupted by user. Finishing attack.."
            sys.exit()
        thread.join()
    return

if __name__ == "__main__":
    try:
        start(sys.argv[1:])
    except KeyboardInterrupt:
        print "ForzaBruta interrupted by user, killing all threads..!!"
  1. The thread instantiates the class request_performer. This class has the init method which is used to set up the object after it is created, which is basically the constructor. In this case, we basically create the attributes self.word and self.urly, which will replace the FUZZ tag with a dictionary word.

Then, we have the method run, which will perform the request and print the requested URL and the status code:

class request_performer(Thread):
    def __init__( self,word,url):
        Thread.__init__(self)
        try:
            self.word = word.split("
")[0]
            self.urly = url.replace('FUZZ',self.word)
            self.url = self.urly
        except Exception, e:
            print e

    def run(self):
        try:
            r = requests.get(self.url)
            print self.url + " - " + str(r.status_code)
            i[0]=i[0]-1 #Here we remove one thread from the counter
        except Exception, e:
                print e

Finally, update the thread counter. When the words from the dictionary are consumed, the program will be completed.

The preceding steps show the basic structure for a BruteForcer.

Let's look at an example with our vulnerable test application:

  1. Go to the Terminal and type python forzabruta.py.
  2. We now have the first option that is the target URL with the word FUZZ, which is the token that will be replaced by every word in the dictionary. It is the position that we want to test, which in this case is dictionaries and files in the root directory in the test application. Then, we have the option -t 5, which is the number of threads we want to use, and finally -f comment.text, which is the dictionary file created for this exercise. It is pretty simple, but remember that in a real test you need to use FUZZDB dictionaries.
  1. Once we run this, we should see the results shown in the following screenshot:

We have one result per word in the dictionary. We have some valid 200 status codes, and a 401, which means authentication is needed, and many 404 not found codes.

Let's see some examples in the browser. We are particularly interested in the /Admin directory. When we request /Admin, an authentication form pops up needing User Name and Password; we'll come back to this later:

Now, let's see if robots.txt has anything interesting. There are three entries in the robots.txt:

One is /admin and the other is the /includes/ directory. We knew about admin already, but /backoffice looks interesting. robot.txt often produces some interesting findings for our testing purposes.

Wow, congratulations. You wrote a basic HTTP BruteForcer. The coined script is pretty basic and the results are not that great, but we're going to improve them in the upcoming sections.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.19.27.178