RE: password cracking a web form, tried hydra and brutus

From: Rob Shein (shoten@starpower.net)
Date: Thu Feb 05 2004 - 16:49:38 EST


Since web forms can vary widely, there is no cut-and-dried program that will
do this for you. The closest thing is a scripting language called ELZA
(http://www.stoev.org/elza/) that is designed for this sort of thing. But
if you can't really code, you're out of luck.

> -----Original Message-----
> From: aRt dE vIvRe [mailto:bishan4u@yahoo.co.uk]
> Sent: Thursday, February 05, 2004 5:18 AM
> To: Rob Shein; pen-test@securityfocus.com
> Subject: RE: password cracking a web form, tried hydra and brutus
>
>
> Hi,
>
> > The problem is you're trying to use HTTP authentication, instead of
> > submitting the results to the form.
>
> Yes, you are right. I tried Accessdriver also, but that also
> works only for HTTP authentication and not for submitting a form.
>
> > Your better bet is to work something up, in perl most likely (but any
> > tcp-capable language will do), that will submit requests just as would
> > happen if you were to sequentially try various login attempts on their
> > web page.
>
> Sorry, but I'm not so good at programming.
> Is there any open source program which does this? I've been looking
> for such a program for over a week now, but no luck!
>
> > There are also other ways you could poke at it...have you tried SQL
> > injection attacks in either the password or login field?
>
> Can you please shed some more light on it?
>
> Thanx and Regards,
> b'shan
>
>
>

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:47 EDT