Pikachu vulnerability range series: brute force cracking

Foreword

This is the first article in the Pikachu vulnerability range series, so let me briefly introduce the range first. Pikachu is developed in China and is entirely in Chinese; when you get stuck during practice you can check the hints, and there are companion learning videos. On Windows it can be installed directly into an integrated environment such as Wamp or phpStudy. By contrast, DVWA, which many people recommend, is quite unfriendly to beginners because it is entirely in English, and it is easy to give up after deployment when you have no idea where to start. So for those who are just getting into web penetration and looking for a practice range, Pikachu is the better fit.

Overview

There has never been an era when hackers are as keen on guessing passwords as they are today – Ostrovsky

“Brute force cracking” is an attack method. In web attacks it is generally used to obtain an application’s authentication credentials: a large number of credentials are tried against the authentication interface until the correct one is found. To improve efficiency, brute force cracking is usually automated with tools driven by dictionaries.

Theoretically, most systems can be brute-forced as long as the attacker has enough computing power and time, so whether a system “has a brute force cracking vulnerability” is not an absolute judgement. When we say a web application has a brute force cracking vulnerability, we generally mean that it uses no authentication security policy, or a relatively weak one, so that the “likelihood” of it being brute-forced is high. An authentication security policy covers:

  1. Whether users are required to set complex passwords;
  2. Whether a secure verification code (think of the captcha you enter when buying a train ticket) or a mobile phone OTP is required for each authentication;
  3. Whether login attempts are checked and limited (for example, after 5 consecutive failed logins, lock the account or the IP address);
  4. Whether two-factor authentication is used.

Do not underestimate the brute force cracking vulnerability: the results of this simple and crude attack method are often beyond expectations!

Preliminary preparation

  • Packet capture tool: Burp Suite
  • Browser proxy plug-in: SwitchyOmega or FoxyProxy
  • Dictionaries: users.txt and pwd.txt. Since this is a lab environment, the dictionaries can be filled in however you like, but note that they must contain at least one correct account/password pair from the range: admin/123456, pikachu/000000, test/abc123
# users.txt
test
root
admin

# pwd.txt
88888888
password
123456


Form-based brute force

There is no verification code on this level, so just capture the packet and brute-force it directly.

  • Fill in the form and submit it, capture the packet with Burp, and send it to the Intruder module
  • Choose Cluster bomb as the attack type, clear the redundant positions, and mark only the username and password
  • Choose Runtime file as the Payload type, pick the corresponding dictionary below, and start the attack


Verification code bypass (on server)

After filling in the form with the correct verification code, submit it, capture the packet, and send it to the Repeater module. Sending the packet several times only returns “username or password is not exists” and never a prompt that the verification code is wrong, which tells us the verification code can be reused. So you only need to fill in the correct verification code once by hand and then brute-force.

  • Fill in the form once by hand with the correct verification code; the username and password can be anything
  • Capture the packet, set the positions and Payloads, and start the attack

Verification code bypass (on client)

Here the verification code is only checked locally in the browser, so just enter the correct verification code by hand and capture the packet as above.

Token anti-brute-force

A token is a string generated by the server that identifies a client’s requests to it. The front end sends the username/password to the server for authentication; if authentication succeeds, the server returns a token to the front end, which then carries that token in every subsequent request to prove its legitimacy.

This level is a little harder than the previous ones.

  • The first steps are the same as before: fill in the form by hand, submit it, capture the packet, and send it to the Intruder module
  • Set the positions. To reduce the number of requests you can fix the username as admin and mark only the password and token as positions, choosing Pitchfork as the attack type, because each request needs a new password and a new token at the same time, not every combination of the two.


  • Set up the extraction rule. Open the Options tab, scroll down to the Grep - Extract section, click Add, and in the pop-up window click Refetch response to send the packet once and get the response; type token in the search field below to locate the returned token value


  • Select the token value, copy it, and click OK. Then set the number of threads to 1 and, in the Redirections section at the bottom, choose Always



  • Finally, set the Payloads. The first Payload is the same as before: choose the corresponding dictionary. For the second position, the token, choose Recursive grep, and paste the previously copied token value into the text box below


  • Start the attack and judge whether it succeeded from the response length


Summary

Burp attack types

Brute force cracking generally uses the Intruder module in Burp Suite, which lets you mark parameters of an HTTP request as positions and then replays the request automatically according to the chosen strategy.

  • Sniper: Only one Payload set is used, and each position is tested with it in turn. With two positions, the first position is tested with the whole Payload set first, and after that finishes the second position is tested.
username=user&password=222&submit=Login
username=root&password=222&submit=Login
username=admin&password=222&submit=Login

username=111&password=user&submit=Login
username=111&password=root&submit=Login
username=111&password=admin&submit=Login


  • Battering ram: Only one Payload set is used; all positions receive the same Payload value at the same time and are tried together
username=user&password=user&submit=Login
username=root&password=root&submit=Login
username=admin&password=admin&submit=Login


  • Pitchfork: One Payload set per position; the sets are walked in lockstep and substituted into the positions at the same time
username=user&password=111111&submit=Login
username=root&password=888888&submit=Login
username=admin&password=123456&submit=Login


  • Cluster bomb: One Payload set per position; every combination of the sets is substituted into the positions
username=user&password=111111&submit=Login
username=root&password=111111&submit=Login
username=admin&password=111111&submit=Login

username=user&password=888888&submit=Login
username=root&password=888888&submit=Login
username=admin&password=888888&submit=Login

username=user&password=123456&submit=Login
username=root&password=123456&submit=Login
username=admin&password=123456&submit=Login

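To make the four combination rules concrete, here is an added Python model (written for this article, not code from the original post or from Burp) that reproduces each mode on the two sample lists above and reports how many requests each mode would send, which is the number a lockout threshold has to be compared against. The base values 111/222 for Sniper are the ones the article's example uses.

```python
from itertools import product
from typing import List, Sequence, Tuple
from urllib.parse import urlencode

Pair = Tuple[str, str]  # (username, password)

# Constructed sample lists, the same values the article's examples use.
NAMES = ["user", "root", "admin"]
PASSWORDS = ["111111", "888888", "123456"]

def sniper(payload: Sequence[str], base: Pair = ("111", "222")) -> List[Pair]:
    """One payload set; each position is varied in turn while the other keeps its base value."""
    first = [(p, base[1]) for p in payload]    # vary username, password fixed
    second = [(base[0], p) for p in payload]   # then vary password, username fixed
    return first + second

def battering_ram(payload: Sequence[str]) -> List[Pair]:
    """One payload set; every position receives the same value at once."""
    return [(p, p) for p in payload]

def pitchfork(names: Sequence[str], passwords: Sequence[str]) -> List[Pair]:
    """One set per position, walked in lockstep (stops at the shorter set)."""
    return list(zip(names, passwords))

def cluster_bomb(names: Sequence[str], passwords: Sequence[str]) -> List[Pair]:
    """One set per position, every combination; the first position cycles fastest."""
    return [(n, p) for p, n in product(passwords, names)]

def as_body(pair: Pair) -> str:
    """Render a pair as the form body the article shows for each request."""
    return urlencode({"username": pair[0], "password": pair[1], "submit": "Login"})

def request_counts(names: Sequence[str], passwords: Sequence[str]) -> dict:
    """Requests per mode: a lockout threshold must trip well before these are exhausted."""
    return {
        "sniper": len(sniper(names)),
        "battering_ram": len(battering_ram(names)),
        "pitchfork": len(pitchfork(names, passwords)),
        "cluster_bomb": len(cluster_bomb(names, passwords)),
    }

if __name__ == "__main__":
    for mode, rows in (("Pitchfork", pitchfork(NAMES, PASSWORDS)),
                       ("Cluster bomb", cluster_bomb(NAMES, PASSWORDS))):
        print(mode)
        for row in rows:
            print("  " + as_body(row))
    print(request_counts(NAMES, PASSWORDS))
```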

Verification code bypass

  • Verification code authentication flow
    • The client requests the login page and the back end generates a verification code
      • The back end uses an algorithm to generate an image and sends the image to the client in the response
      • At the same time, the generated value is stored in the Session
    • Verifying the code
      • The client submits the authentication information together with the verification code
      • The back end compares the submitted code with the value in the Session
    • The client refreshes the page and a new code is generated
      • The code algorithm generally contains a random function, so the value changes on every refresh
  • Common problems with client-side verification
    • The verification code is implemented in front-end JS with no second check on the back end, so the packet can simply be modified in Burp to bypass it
    • The verification code is stored in a cookie and can be read out
    • The verification code is stored in the front-end source and can be read out
  • Common problems with server-side verification
    • The verification code does not expire on the back end and can be reused; it should be valid for a single use only
    • The code is too simple and regular, and easy to guess
    • The verification check is not strict and has logic problems
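The server-side fixes implied by this list (a code that is stored in the session and consumed on first use, a failure counter that locks after 5 consecutive errors, and a form token that is also single use) can be shown in one place. The following is an added Python model written for this article, not Pikachu's PHP code; the credential store, the 4-digit code, the 15-minute lock and the locking-by-username choice are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAX_FAILURES = 5        # the article's example: 5 consecutive wrong logins
LOCK_SECONDS = 15 * 60  # assumed lock duration; the article leaves it open

# Constructed demo credential store (not Pikachu's real data).
USERS = {"admin": "123456"}

@dataclass
class Session:
    captcha: Optional[str] = None  # server-side copy of the code, single use
    token: Optional[str] = None    # per-form token, single use

@dataclass
class AuthServer:
    # username -> (consecutive failures, lock expiry as epoch seconds)
    failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def render_login(self, session: Session) -> dict:
        """Serve the login page: mint a fresh code and form token for this session."""
        session.captcha = f"{secrets.randbelow(10_000):04d}"  # value drawn on the image
        session.token = secrets.token_hex(16)                 # goes in type="hidden"
        return {"captcha_image": session.captcha, "token": session.token}

    def login(self, session: Session, username: str, password: str,
              captcha: str, token: str, now: float) -> str:
        """Handle one login post; `now` is the caller's clock (time.time() in production)."""
        # Consume both one-time values before checking anything, so re-sending the
        # same packet from Repeater/Intruder always fails, even with correct values.
        expected_token, expected_captcha = session.token, session.captcha
        session.token = session.captcha = None
        if expected_token is None or not secrets.compare_digest(token, expected_token):
            return "invalid token"
        if expected_captcha is None or not secrets.compare_digest(captcha, expected_captcha):
            return "verification code is wrong"
        count, lock_until = self.failures.get(username, (0, 0.0))
        if now < lock_until:
            return "account locked"
        if lock_until:           # an earlier lock has expired: count afresh
            count = 0
        real = USERS.get(username)
        if real is not None and secrets.compare_digest(password, real):
            self.failures.pop(username, None)
            return "login success"
        count += 1
        lock_until = now + LOCK_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[username] = (count, lock_until)
        return "username or password is not exists"  # same text for unknown user
```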

About protection against brute force

  • Design a secure captcha: a secure process plus an image that is complex yet usable
  • Count and limit failed authentication attempts, for example lock the IP for a period of time after 5 consecutive wrong passwords
  • Use two-factor authentication where necessary
  • Token anti-brute-force: the usual approach is to output a token in the form as a type="hidden" field, submit it together with the credentials, and verify it on the back end. However, because the token value is output in the front-end source it is easy to obtain, so on its own it loses its value against brute force cracking.

Next, a zero-foundation quick-start path for getting into network security.

Should you learn programming first or computer basics first when getting into network security? This is a fairly controversial question: some suggest programming first, others computer basics first. In fact both need to be learned, and both matter a great deal for network security. But for people with no foundation, or those eager to switch careers, programming or computer basics are hard and take too long.

Phase 1: basic preparation, 4 to 6 weeks

This stage is a must for anyone preparing to enter the security industry. As the saying goes: if the foundation is not solid, the ground will shake.

Phase 2: web penetration

Basics, 1 to 2 weeks:

① Understand the basic concepts (SQL injection, XSS, file upload, CSRF, one-line webshells, etc.) to lay the foundation for later web penetration testing.
② Read some web penetration write-ups on forums and learn the way of thinking from case studies. Every site is different, so the way of thinking is what matters.
③ Learn the art of asking questions, and be willing to ask when you do not understand.

Setting up the penetration environment, 3 to 4 weeks:

① Get to know the commonly used penetration testing tools (AWVS, SQLMAP, NMAP, Burp, China Chopper, etc.).
② Download backdoor-free versions of these tools and install them on your computer.
③ Understand the scenarios in which each tool is used and learn the basic usage. Searching on Google is recommended.

Hands-on penetration practice, about 6 weeks:

① Search for real penetration cases on the Internet and gain an in-depth understanding of how SQL injection, file upload and parsing vulnerabilities are used in practice.
② Build your own vulnerable test environments; DVWA, SQLi-labs, Upload-labs and bWAPP are recommended.
③ Understand the phases of a penetration test and what needs to be done in each phase, for example the PTES penetration testing execution standard.
④ Study manual SQL injection in depth, find ways to bypass a WAF, and write your own scripts.
⑤ Study the principles of file upload: truncation, double-extension spoofing (IIS, PHP), parsing exploits (IIS, Nginx, Apache), etc.; refer to the upload attack framework.
⑥ Understand how XSS arises and its types, practise in DVWA, and test against a CMS with known XSS vulnerabilities, with Safedog or similar installed.
⑦ Understand one-line webshells and try writing one that gets past Safedog.
⑧ Research privilege escalation on Windows and Linux; Google keyword: privilege escalation.

This is the introductory stage.

Phase 3: advanced

How do you advance once you have got started and found a job? The original post gives the details in a picture.

Suggestions for beginners:
Beginners do better learning from videos; an easy-to-follow video is easier to absorb than dense text. I have put together a free set of video learning materials covering network security from entry to mastery.