Web Penetration Testing: Testing Authentication and Session Management

Article contents

  • **1. Dictionary attack on a login page with Burp Suite**
    • (1) Burp Suite overview
    • (2) Summary of the dictionary attack on a login page with Burp Suite
    • (3) Practical drill
    • (4) Principle analysis
  • **2. Hydra brute-force attack**
    • (1) Hydra overview
    • (2) Summary of Hydra's brute-force attack
    • (3) Environment preparation
    • (4) Practical drill
    • (5) Principle analysis
  • **3. Using Metasploit to crack the Tomcat password**
    • (1) Metasploit overview
    • (2) Summary of cracking the Tomcat password with Metasploit
    • (3) Environment preparation
    • (4) Practical drill
    • (5) Principle analysis

1. Dictionary attack on a login page with Burp Suite

(1) Burp Suite overview

Burp Suite is an integrated penetration testing platform that bundles a number of components for testing web applications, either manually or automatically. Its tools are designed to work together: information gathered in one tool (for example, a request captured by the Proxy) can be handed to another (for example, Intruder) to drive an attack. All of the tools share a powerful, extensible framework for processing and displaying HTTP messages, persistence, authentication, upstream proxies, logging, and alerting.

(2) Summary of the dictionary attack on a login page with Burp Suite

Once we have a list of valid usernames for the target application, we could attempt a brute-force attack, which tries every possible character combination until a valid password is found. Given the number of combinations and the round-trip time between client and server, pure brute force is not practical against a web application.
A more realistic approach is a dictionary attack, which takes a short list of high-likelihood passwords and tries each one against the valid usernames.

(3) Practical drill

1. First, we set Burp Suite as the browser’s proxy. (Download the FoxyProxy plug-in in the browser and set the proxy)

2. Browse to http://192.168.104.129/WackoPicko/admin/index.php?page=login

3. We will see a login form. Let's submit a test username and password.

4. Now look in the Proxy's history for the POST request we just made with the login attempt and send it to Intruder.

5. Click the [Clear] button to clear the pre-selected insertion positions.

6. Now place the positions on the values of the two POST parameters (adminname and password) by highlighting each parameter's value and clicking the [Add §] button.

7. Since our password list is to be tried against every user, we choose Cluster bomb as the attack type:

8. The next step is to select our input values in Intruder. Go to the Payloads tab.

9. In the text box of the Payload Options [Simple list] section, add the following names:

10. Now select List 2 in the Payload Set box. This list will be our password list, and for this exercise we will use the 25 most common passwords of 2017 (http://time.com/5071176/worst-passwords-2017/):

11. Start the attack. We can see that all responses appear to have the same length, except for the admin/admin combination, which has status 303 (redirect) and a shorter length. If we inspect it, we can see that it redirects to the admin's home page:

(4) Principle analysis

Looking at the results, every failed login attempt gets the same response: status 200 (OK) and, in this case, 813 bytes long. So we can assume the successful attempt must differ, at minimum in length, because it has to redirect or send the user to their home page. If successful and failed requests turned out to have the same length, we could instead compare status codes, or use the search box to look for a specific pattern in the response body.
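The same fingerprint that tells the tester which guess worked (a run of POSTs to the login page answered with 200 and a constant-size page, then a 303) is what a defender can key on in the web server's access log. The script below is an added example, not part of the original article; it assumes Apache/nginx combined log format and the WackoPicko login path from the walkthrough, and the log lines it runs over are constructed.

```python
import re
from collections import defaultdict
# Combined access-log format (Apache/nginx); fields we need: client IP, method, path, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')
LOGIN_PATH = "/WackoPicko/admin/index.php?page=login"   # login form from the walkthrough

def parse_line(line):
    """Fields of one access-log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def detect_login_bruteforce(lines, threshold=10):
    """Group POSTs to the login page by client IP. A failed form login answers 200 with
    a page of constant size; a 303 redirect arriving after a run of such failures is the
    signature of a dictionary attack that found a valid password."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, reqs in per_ip.items():
        failures = [r for r in reqs if r["status"] == 200]
        if len(failures) < threshold:
            continue                      # a real user mistyping a password a few times
        failed_so_far, success_at = 0, None
        for i, r in enumerate(reqs):
            if r["status"] == 200:
                failed_so_far += 1
            elif r["status"] == 303 and failed_so_far >= threshold and success_at is None:
                success_at = i            # first redirect after the run of failures
        findings[ip] = {"attempts": len(reqs), "failures": len(failures),
                        "distinct_failure_sizes": len({r["size"] for r in failures}),
                        "likely_success_at": success_at}
    return findings

# Constructed sample: 12 failed guesses then a hit from 10.0.0.5; one normal login from 10.0.0.9.
SAMPLE_LOG = [
    f'10.0.0.5 - - [10/Oct/2023:13:55:{i:02d} +0000] "POST {LOGIN_PATH} HTTP/1.1" 200 813'
    for i in range(12)
] + [
    f'10.0.0.5 - - [10/Oct/2023:13:55:12 +0000] "POST {LOGIN_PATH} HTTP/1.1" 303 212',
    f'10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "POST {LOGIN_PATH} HTTP/1.1" 303 212',
    f'10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /WackoPicko/admin/home.php HTTP/1.1" 200 4096',
]
```

Running `detect_login_bruteforce(SAMPLE_LOG)` flags only 10.0.0.5, with the 303 at index 12 marked as the likely successful guess; a single distinct failure size is the same "all failures look alike" observation the principle analysis relies on.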

2. Hydra brute-force attack

(1) Hydra overview

Hydra is widely regarded as one of the top online password-cracking tools; it supports online password cracking for almost every common protocol and is very powerful. As noted earlier, the success of brute-force cracking depends mainly on the size of the dictionary: having a comprehensive, well-built dictionary has a large impact on the success rate.

(2) Summary of Hydra's brute-force attack

THC Hydra (Hydra for short) is a tool that performs online login attempts; that is, it can try passwords by brute force against a live login service. Among the many services Hydra supports are HTTP login forms and HTTP Basic authentication.
In HTTP Basic authentication, the browser sends the username and password base64-encoded in the Authorization header. For example, if the username is admin and the password is Password, the browser encodes admin:Password to obtain the string YWRtaW46UGFzc3dvcmQ=, and the request carries a header line like Authorization: Basic YWRtaW46UGFzc3dvcmQ=
Hint:
Almost every time we see a seemingly random string ending in one or two equals signs (=), it is base64-encoded. We can decode it easily with Burp Suite's Decoder or the base64 command in Kali Linux. Note that the = may be URL-encoded, i.e. appear as %3D, in some requests and responses. In the previous section we used Burp Suite to attack a form-based login; in this section we will use THC Hydra to attack HTTP Basic authentication.
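To make the encoding concrete, here is a small Python helper added for this article (not from the original) that parses an Authorization header back into its username and password, handling the URL-encoded %3D padding and colons inside the password, and builds the header the way the browser does; the sample values are the admin:Password pair above. It shows that anyone who can read the header, such as a proxy log or a packet capture, also has the credentials, which is why Basic authentication is only acceptable over TLS.

```python
import base64
import binascii
from urllib.parse import unquote

def parse_basic_auth(header_value):
    """Recover (username, password) from the value of an Authorization header.
    Returns None if the scheme is not Basic or the token does not decode.
    Accepts '=' padding that was URL-encoded as %3D, and splits on the FIRST
    colon only, because RFC 7617 allows ':' inside the password."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    token = unquote(token.strip())            # "%3D" -> "="
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):      # bad alphabet, bad padding, not UTF-8
        return None
    if ":" not in text:
        return None
    user, _, password = text.partition(":")
    return user, password

def build_basic_auth(user, password):
    """The encoding the browser performs: 'Basic ' + base64(user + ':' + password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
```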

(3) Environment preparation

After preparing the list of passwords to use, a list of usernames is also needed for the dictionary attack. We assume that information gathering has already been carried out and produced several valid usernames. Create a text file user_list.txt and enter the following content:

Password:

Account:

(4) Practical drill

1. Open a terminal and run hydra, or use the Kali Linux applications menu: 05 - Password Attacks | Online Attacks | hydra.
2. When no parameters are given, basic help information is displayed:

Open a terminal as root and run:
hydra


Here we can see some useful help information. The -L option lets us use a username dictionary file, and -P lets us use a password dictionary file. We also need to give the target as service://server, optionally followed by the port number and service-specific options.
3. In the terminal, run the following command to launch the attack (user_list.txt is the account file prepared above; <password_file> is a placeholder for the password list you prepared):

# hydra -L user_list.txt -P <password_file> -u -e ns http-get://192.168.104.129/webGoat/


Hydra found three different username/password combinations that successfully log in to the server.

(5) Principle analysis

Unlike other authentication methods such as form-based authentication, Basic authentication is standardised: what is sent to the server, how it is sent, and what response to expect from the server are all fixed. This saves attackers and penetration testers the analysis time they would otherwise spend identifying the username and password parameters, working out how they are handled and sent, and telling successful responses from failed ones. This is one of the many reasons why Basic authentication is not considered a secure mechanism.

3. Using Metasploit to crack the Tomcat password

(1) Metasploit overview

MSF is short for The Metasploit Framework. It is highly modular, meaning the framework is composed of many modules, and it is the most popular tool of its kind in the world.
It is an open-source vulnerability exploitation and testing tool that integrates common overflow exploits and popular shellcode for many platforms, and it is continuously updated.
Metasploit covers the whole penetration testing process; within the framework you can use the existing payloads to carry out a series of penetration tests.
Metasploit is essentially a robust and versatile penetration testing framework that can perform every task in the penetration testing life cycle. With Metasploit you only need to focus on the core objective, while the supporting actions are handled by the framework's components and modules. Furthermore, because it is a complete framework and not just an application, it can be customised and extended to our needs.

(2) Summary of cracking the Tomcat password with Metasploit

Apache Tomcat is one of the most widely used Java web application servers in the world, and most people run Tomcat with its default configuration. That default configuration, however, exposes a web application manager to the external network, which administrators use to start, stop, deploy and remove applications on the server.
In this tutorial we will use a Metasploit module to perform a password brute-force attack against the Tomcat management interface in order to gain access to the manager.

(3) Environment preparation

Start PostgreSQL:

service postgresql start


Create and initialise the database:

msfdb init


Then start msf:

msfconsole

(4) Practical drill

1. Target machine VM_1 runs a Tomcat service on port 8080; in the browser, open http://192.168.104.129:8080/manager/html:
2. An authentication dialog pops up asking for a username and password.

3. Open a terminal and enter msfconsole to start msf.

4. Once it has started, load the Tomcat brute-force module by entering the following at the msf > prompt:

use auxiliary/scanner/http/tomcat_mgr_login


5. We can use this command to see what parameters are required:

show options


6. Now set the target host IP. Enter the following:

set rhosts 192.168.104.129


7. To speed things up (but not too much!), set the number of threads:

set threads 5


8. To avoid overwhelming the target server with requests, we reduce the cracking speed a little:

set bruteforce_speed 3


9. Leave the remaining parameters at their default values. Once the settings are complete, enter run to start the attack:

run


10. After a number of failed results, we find a valid password (shown in green).

(5) Principle analysis

By default the Tomcat service listens on port 8080 and the management interface lives under /manager/html. The application uses HTTP Basic authentication. The tomcat_mgr_login module has several parameters worth understanding:
BLANK_PASSWORDS: Try a blank password for each account
PASSWORD: Set this to test one password against multiple users
PASS_FILE: Path of the password dictionary to use
Proxies: Route requests through a proxy, e.g. to avoid the source address being detected
RHOSTS: Host(s) to test (several can be given separated by spaces, or a list file can be supplied)
RPORT: Port the target Tomcat is running on
STOP_ON_SUCCESS: Stop the attack once a valid credential is found
TARGETURI: Directory path of the management interface
USERNAME: Username to be tested (a single name, or a dictionary file)
USER_PASS_FILE: Dictionary file of "username/password" pairs
USER_AS_PASS: Try each username as its own password
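The module only succeeds when a manager account has a guessable password and the manager application is reachable from the attacker's address, so the two things an administrator should audit are conf/tomcat-users.xml and the manager app's META-INF/context.xml. The Python audit below is an added example, not part of the original tutorial or of Tomcat itself; the two XML samples and the weak-password set are constructed, the role set lists Tomcat's manager/admin roles, and the RemoteAddrValve allow pattern is the one Tomcat ships in the manager's context.xml.

```python
import xml.etree.ElementTree as ET

MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status", "admin-gui"}
# Constructed weak-password set; in practice use the common-password list referenced above.
WEAK_PASSWORDS = {"admin", "password", "123456", "12345678", "qwerty"}

# Constructed sample of conf/tomcat-users.xml: one manager account with a weak password.
TOMCAT_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="admin" password="admin" roles="manager-gui"/>
  <user username="deploy" password="Xq7!v2Lp9#zR" roles="manager-script"/>
  <user username="reader" password="password" roles="probe"/>
</tomcat-users>"""

# Constructed sample of webapps/manager/META-INF/context.xml with the address filter removed,
# which is what leaves /manager/html reachable from the external network.
MANAGER_CONTEXT_XML = '<Context antiResourceLocking="false" privileged="true"/>'

# The same file with the valve Tomcat ships by default: only loopback clients may reach the manager.
HARDENED_CONTEXT_XML = r"""<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>"""

def weak_manager_accounts(users_xml, weak=WEAK_PASSWORDS):
    """Usernames that hold a manager/admin role and use a password from the weak set."""
    findings = []
    for elem in ET.fromstring(users_xml).iter():
        if elem.tag.split("}")[-1] != "user":          # tolerate the default namespace
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",")}
        if roles & MANAGER_ROLES and elem.get("password", "") in weak:
            findings.append(elem.get("username"))
    return findings

def manager_is_address_restricted(context_xml):
    """True if the manager context has a RemoteAddrValve/RemoteCIDRValve with an allow list,
    the Tomcat mechanism for keeping the manager app off the external network."""
    for valve in ET.fromstring(context_xml).iter("Valve"):
        cls = valve.get("className", "")
        if cls.endswith(("RemoteAddrValve", "RemoteCIDRValve")) and valve.get("allow"):
            return True
    return False
```

Note that the reader account with the password "password" is not reported: it has no manager role, so it cannot reach /manager/html even if guessed.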