Foreword
This is the first article of the Pikachu vulnerability shooting range series ~~(it should become a serial)~~, so first a brief introduction to the Pikachu range. The range is developed by Chinese authors and is entirely in Chinese; you can check the hints when you get stuck during practice, and there are accompanying learning videos. Under Windows it can be installed directly in an integrated environment such as Wamp/phpStudy. By contrast, DVWA, which many people recommend, is quite unfriendly to beginners because of its all-English environment, and it is easy to give up when you don't know where to start after deploying it. So the Pikachu range recommended here is better suited to those who are just getting started with web penetration and are looking for a practice range.
Overview
There has never been an era when hackers are as keen on guessing passwords as they are today – Ostrovsky
“Brute force cracking” is an attack method. In web attacks, this method is generally used to obtain the authentication information of the application system. The process is to use a large amount of authentication information to try to log in on the authentication interface until the correct result is obtained. In order to improve efficiency, brute force cracking generally uses tools with dictionaries for automated operations.
Theoretically speaking, most systems can be cracked by brute force as long as the attacker has enough computing power and time, so whether a system "has" a brute force vulnerability is not absolute. When we say that a web application has a brute force cracking vulnerability, we generally mean that it does not adopt an authentication security policy, or adopts a relatively weak one, so that the "possibility" of it being brute-forced is higher. The authentication security policy here includes:
- Whether users are required to set complex passwords;
- Whether a secure verification code (think of the captcha you enter when buying a train ticket~) or a mobile phone OTP is used for each authentication;
- Whether login attempts are counted and restricted (for example, 5 consecutive wrong logins lead to an account lock or IP address lock);
- Whether two-factor authentication is used.
Don't underestimate the brute force cracking vulnerability: the effect of this simple and crude attack method is often beyond expectations!
Preliminary preparation
- Capture tool: Burp Suite
- Browser proxy plug-in: SwitchyOmega or FoxyProxy
- Dictionaries: users.txt and pwd.txt. Since this is an experimental environment, the dictionaries can be filled in as you like; note that they need to contain at least one of the correct account/password pairs: admin/123456, pikachu/000000, test/abc123

```
# users.txt
test
root
admin

# pwd.txt
88888888
password
123456
```
Form-based brute force
There is no verification code here; just capture the packet and brute-force it directly.
- Fill in the form and submit it, capture the packet with Burp, and send it to the Intruder module
- Select Cluster bomb as the attack type, clear the redundant variables, and select only the account and password
- Select Runtime file as the Payload type, choose the corresponding dictionary below, and start the attack
Verification code bypass (on server)
After filling out the form with the correct verification code, submit, capture the packet, and send it to the Repeater module. After sending the packet several times it only prompts "username or password is not exists" rather than that the verification code is wrong, which tells us the verification code can be reused. So you only need to fill in the correct verification code manually once to brute-force:
- Fill out the form manually once; you need to enter the correct verification code, and the account and password can be arbitrary
- Capture the packet, set the variables and Payloads, and start the attack
Verification code bypass (on client)
Here the verification code is only checked locally in the browser, so just enter the correct verification code manually and capture the packet as above.
Token anti-brute-force
A token is a string generated by the server as an identifier for the client's requests to the server. The front end sends the user name/password to the server for authentication; if authentication succeeds, the server returns a token to the front end, and the front end carries that token in every subsequent request to prove its legitimacy.
This level is a bit more difficult than the previous ones.
- The first steps are the same as before: fill in the form manually, submit, capture the packet, and send it to the Intruder module
- Set the variables. Here, to reduce the number of attempts, you can change the account to admin and set only the password and token as variables. Select Pitchfork as the attack type, because the password and token need to be replaced at the same time on every request and cannot be used in combination
- Set up the extraction. Click the Options tab, scroll down to the Grep - Extract section, click Add, and in the pop-up window click Refetch response to send one packet and get the returned data; enter token in the input field below to locate the returned token value
- Select the token value and copy it, and click OK while it is selected. Then set the number of threads to 1, and in the Redirections section at the bottom select Always
- Finally, set the Payloads: the first Payload is the same as before and uses the corresponding dictionary. For the second variable, token, select Recursive grep, and paste the previously copied token value in the text box below
- Start the attack and judge whether the brute force succeeded by the returned length
Summary
Burp attack types
Brute force cracking generally uses the Intruder module in Burp Suite, which lets you mark parameters in an HTTP request as variables and then automatically replays the request according to the chosen strategy.
Sniper: Only one Payload set is used, and each variable is tested with it in turn. Assuming two variables are set, the first variable is tested with the Payloads first, and after all of them are done the second variable is tested.

```
username=user&password=222&submit=Login
username=root&password=222&submit=Login
username=admin&password=222&submit=Login
username=111&password=user&submit=Login
username=111&password=root&submit=Login
username=111&password=admin&submit=Login
```

Battering ram: Only one Payload set is used; all variables are replaced by the same Payload at the same time and tried together.

```
username=user&password=user&submit=Login
username=root&password=root&submit=Login
username=admin&password=admin&submit=Login
```

Pitchfork: One Payload set per variable; the variables are replaced at the same time, in lock-step.

```
username=user&password=111111&submit=Login
username=root&password=888888&submit=Login
username=admin&password=123456&submit=Login
```

Cluster bomb: One Payload set per variable; every combination of the Payloads is used to replace the variables.

```
username=user&password=111111&submit=Login
username=root&password=111111&submit=Login
username=admin&password=111111&submit=Login
username=user&password=888888&submit=Login
username=root&password=888888&submit=Login
username=admin&password=888888&submit=Login
username=user&password=123456&submit=Login
username=root&password=123456&submit=Login
username=admin&password=123456&submit=Login
```
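To make the four attack types concrete, here is an added Python model (not from the page or from Burp itself) that generates the request bodies each mode would produce for the two positions above, using the same constructed word lists; it only builds strings and sends nothing.

```python
from itertools import product
from urllib.parse import urlencode

# Constructed sample: the login form from the page with two payload positions
# (username, password); the originally submitted values are what Sniper keeps
# for the positions it is not currently testing.
POSITIONS = ["username", "password"]
ORIGINAL = {"username": "111", "password": "222", "submit": "Login"}
USER_WORDS = ["user", "root", "admin"]
PASS_WORDS = ["111111", "888888", "123456"]


def _body(values):
    """Render one request body: the original fields with the given positions overwritten."""
    fields = dict(ORIGINAL)
    fields.update(values)
    return urlencode(fields)


def sniper(payloads):
    """One payload set; each position is tested in turn while the others keep their original value."""
    return [_body({pos: p}) for pos in POSITIONS for p in payloads]


def battering_ram(payloads):
    """One payload set; every position receives the same payload in each request."""
    return [_body({pos: p for pos in POSITIONS}) for p in payloads]


def pitchfork(*payload_sets):
    """One set per position, advanced in lock-step; stops when the shortest set runs out."""
    return [_body(dict(zip(POSITIONS, combo))) for combo in zip(*payload_sets)]


def cluster_bomb(*payload_sets):
    """One set per position; every combination is tried, the first position varying fastest."""
    out = []
    for combo in product(*reversed(payload_sets)):
        out.append(_body(dict(zip(POSITIONS, reversed(combo)))))
    return out
```

The request counts (6, 3, 3 and 9 for three words per list) show why Cluster bomb is the costly mode and why the token level forces Pitchfork, where each password must travel with its own freshly fetched token.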
Verification code bypass
- Verification code authentication process
  - The client requests the login page, and the verification code is generated in the background
    - The background generates the picture with an algorithm and sends the picture in the response to the client
    - At the same time, the value generated by the algorithm is stored in the session
  - Verifying the verification code
    - The client submits the authentication information and the verification code together
    - The background compares the submitted verification code with the value in the session
  - The client refreshes the page and the verification code is generated again
    - The verification code algorithm generally contains a random function, so it changes on every refresh
    - The client requests the login page again, and a new verification code is generated in the background
- Common problems with client-side verification
  - The verification code is implemented in front-end JS; if there is no secondary check in the background, you can simply modify the packet in Burp to bypass it
  - The verification code is stored in a cookie and can be obtained
  - The verification code is stored in the front-end source code and can be obtained
- Common problems with server-side verification
  - The verification code does not expire in the background and can be reused; it should be single-use
  - The verification code design is too simple and regular, and is easy to guess
  - The verification code check is not strict and has a logic problem
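The server-side problems just listed (a captcha that is never consumed and never expires) plus a failed-attempt counter are illustrated by this added Python sketch of a login check. It is example code, not the Pikachu range's own; the in-memory stores, the 15-minute lock and the 120-second captcha lifetime are assumptions.

```python
import hmac
import secrets
import time

MAX_FAILURES = 5        # the page's suggestion: 5 consecutive wrong passwords
LOCK_SECONDS = 15 * 60  # assumption: lock duration (the page does not give one)
CAPTCHA_TTL = 120       # assumption: captcha lifetime in seconds
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Constructed in-memory stores standing in for the server session and a lockout table.
SESSIONS = {}   # session_id -> {"captcha": str, "captcha_exp": float}
FAILURES = {}   # client key (e.g. source IP) -> {"count": int, "locked_until": float}
USERS = {"admin": "123456"}  # constructed credential store, plain text only for the demo


def issue_captcha(session_id, now=None):
    """Generate a fresh code and store it in the session with an expiry (replaces any old one)."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice(ALPHABET) for _ in range(5))
    SESSIONS[session_id] = {"captcha": code, "captcha_exp": now + CAPTCHA_TTL}
    return code


def login(session_id, client_key, username, password, captcha, now=None):
    """Return "locked", "bad_captcha", "bad_credentials" or "ok"."""
    now = time.time() if now is None else now
    rec = FAILURES.setdefault(client_key, {"count": 0, "locked_until": 0.0})
    if now < rec["locked_until"]:
        return "locked"                          # reject before any other processing
    sess = SESSIONS.get(session_id, {})
    expected = sess.pop("captcha", None)         # single use: removed before it is compared
    expired = now > sess.get("captcha_exp", 0.0)
    if expected is None or expired or not hmac.compare_digest(
            expected.encode(), captcha.upper().encode()):
        return "bad_captcha"                     # a replayed or stale code never gets further
    stored = USERS.get(username, "")
    if stored and hmac.compare_digest(stored.encode(), password.encode()):
        rec["count"] = 0
        return "ok"
    rec["count"] += 1
    if rec["count"] >= MAX_FAILURES:             # lock the client key after 5 consecutive errors
        rec["locked_until"] = now + LOCK_SECONDS
        rec["count"] = 0
    return "bad_credentials"
```

With the captcha popped from the session on every attempt, the Repeater trick from the server-side level (resending the same code) yields "bad_captcha" on the second try instead of a password oracle.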
About brute-force protection
- Design a secure captcha: a secure process plus graphics that are complex yet usable
- Count and limit failed authentication submissions, e.g. lock the IP for a period of time after 5 consecutive wrong passwords
- Use two-factor authentication where necessary
- Token anti-brute-force: the usual approach is to output the token in the form as a type="hidden" field, submit it together with the authentication data, and verify it in the background. However, since the token value is output in the front-end source code, it is easy to obtain, so it loses its value against brute force cracking.

Next, I will walk you through a zero-foundation, quick-start path into network security.
Should you learn programming first or computer basics first when getting started with network security? This is a fairly controversial question. Some people suggest learning programming first, others suggest computer basics first. In fact, both need to be learned, and both are very important for learning network security. But for people with zero foundation, or those eager to change careers, learning programming or computer fundamentals is difficult and takes too long.
Stage 1: Basic preparation (4 to 6 weeks)
This stage is a must for everyone preparing to enter the security industry. As the saying goes: if the foundation is not solid, the earth will shake.
Stage 2: Web penetration
Learning the basics (1 to 2 weeks):
① Understand the basic concepts (SQL injection, XSS, file upload, CSRF, one-sentence Trojan, etc.) to lay the foundation for later web penetration testing.
② Read some web penetration write-ups on forums and learn the way of thinking from case studies. Every site is different, so the way of thinking is what matters.
③ Learn the art of asking questions, and be willing to ask when you don't understand.
Setting up the penetration environment (3 to 4 weeks):
① Get to know the commonly used penetration testing tools (AWVS, SQLMAP, NMAP, Burp, China Chopper, etc.).
② Download backdoor-free versions of these tools and install them on your computer.
③ Understand the usage scenarios of these tools and know their basic usage. Searching on Google is recommended.
Hands-on penetration practice (about 6 weeks):
① Search for real penetration cases on the Internet and gain an in-depth understanding of how SQL injection, file upload and parsing vulnerabilities are used in practice.
② Build a vulnerability test environment yourself; DVWA, SQLi-labs, Upload-labs and bWAPP are recommended.
③ Understand the stages of a penetration test and what needs to be done in each stage, e.g. the PTES penetration testing execution standard.
④ Study manual SQL injection in depth, find ways to bypass a WAF, and write your own scripts.
⑤ Study the principles of file upload: truncation, double-suffix spoofing (IIS, PHP), parsing exploits (IIS, Nginx, Apache), etc.; refer to the upload attack framework.
⑥ Understand the principles and types of XSS, practice in DVWA, and test with a CMS that has XSS vulnerabilities, with SafeDog installed, and so on.
⑦ Understand the one-sentence Trojan, and try to write one that gets past SafeDog.
⑧ Research privilege escalation under Windows and Linux; Google keyword: privilege escalation.
This is the introductory stage.
Stage 3: Advanced
How do you advance after you have already started and found a job? See the picture below for details.
Suggestions for beginners:
It is better for beginners to learn from videos; easy-to-understand videos are easier to absorb than obscure text. Here I have prepared a free set of video learning materials on network security, from entry to mastery!