Vlad

Azrel: The WebApp Password Killer

Updated: Mar 24, 2018

A dictionary of common passwords can be used to exfiltrate data and compromise a user's account. Welcome to another blog post; in this one I will be talking about my own bot, which performs a dictionary attack against a web application.



In my last few blog posts, I itemized some of the attack tools that will be collated in my next big project. Some of these tools are my SQL injector, AutoNmapper, Capt Hook Keylogger and DirTraversal Bruteforcer, just to name a few. I have already shown you the features and functionality of those, and now I will walk you through what Azrel can do.


As we delve into hacking, one of the most common assumptions people make is that hacking means knowing and cracking someone else's credentials, whether for a Facebook or Gmail account or, worst of all, a bank account. There are lots of ways to compromise someone's account credentials; some of them are identified below:


a. Spam emails - the attacker will normally send a malicious email containing a link or a file attachment that urges the user to input their credentials, or that drops a trojan that does the exploitation.


b. Good ol' SQL injection - I have discussed some key thoughts regarding this attack (click on the link for the post), how it operates and its capabilities. A site vulnerable to it can blurt out confidential account information, including user credentials, depending on what the attacker wants. Every web app, especially one that holds 'data', makes use of a database that stores user information, including credentials. Once the attacker realizes that a web app is vulnerable to this, they can simply manipulate the database and pull every single piece of information and every credential from it.


c. Brute-force password dictionary attack - this is a type of brute-force attack that makes use of a list containing millions of common passwords. These passwords are normally the ones that do not meet the standard 'password complexity' policy. The attack works against websites that will accept unlimited HTTP POST and GET requests (the same weakness that makes them a DoS target): sites whose HTML form variables are not very complex, or that have no CAPTCHA for bot validation.


The highlighted one is the concept I applied. Azrel will be busy creeping on your credentials.



We will go through some well-known websites and find out whether we can get into my test account. I created an account on each site to serve as the test subject for this pentest activity.


1. Anonymous Website A

Website A is one of the well-known social media sites. We check whether this site has secure authentication for its user profiles.


Looking at its login form, the username field is an input of type text, so its value is plaintext. The username field has the input name 'session_key', which will be used as a parameter in our program.


Password, on the other hand, is an input of type password, so its text is hidden/encrypted. The password field has the form name 'session_password', which we also need in order to fill in our GET variable. In terms of password complexity it is below average: the minimum is set to 6 characters and the password must contain a capital letter. With that as the parameter, I set our password to 'Hotdog'.



We then put these form names into our script and run our simulation to see whether we can break into our account, 4test.act@gmail.com.


*Note: The credentials for this account have since been changed.





The exploit was not successful because we were blocked by Website A's security controls. Why?


In the first image, the loop was terminated on the 10th request. From this partial test we can say that we hit their firewall's threshold, which is why we were denied.


Since we were blocked on the 10th loop, we then modified our dictionary list and put our password in the first entry. So in the second image, as the program automatically tried to authenticate on the first loop, it was immediately blocked.


Website A has a secure authentication process.


2. Website B - Anonymous

Website B is the best website I use for streaming movies. It has a lot of popular movies that you can't find on other websites.


After going through our process of checking the web application form, let's jump into running our script.






From the image above, we can say that this website blocks our program when it tries to authenticate against its server.


3. Mr. Ecommerce

This third anonymous website is an eCommerce site, known for its magnificent way of providing good quality products.


Findings:

*What I noticed about this site when I created my test account is that it has weak password complexity: it is mainly concerned with a 6-character minimum, without requiring any alphanumeric or capital characters.

*It has no dynamic cookie validation that checks every user login session. Without this, my program can easily perform its auto-login without any added parameter from the cookie session, as long as my credentials are correct.


Run

Let's run another test shall we?


After making sure that my created account is intact, I set up a 45-entry input in my 'weak' password list, in which I obviously included my account's weak password.


Launching my program...



We have identified the form names that Azrel needs in order to fill in these pitiful fields. Time to input our username.


Then, voilà! We have the test result below.




This site is officially vulnerable to a dictionary attack and is a potential DDoS target.


Additional features:


Common websites are targets of this attack. We never know whether our accounts are in good hands, so site owners and organizations must take a big step towards securing their applications. Making sure their consumers' data is safer won't hurt.
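As an added example (not part of Azrel or of the original post), here is the kind of login guard that would have stopped the run against the third site: a sliding-window lockout like the one Website A appears to enforce, plus a dictionary screen that rejects 'Hotdog' even though it satisfies a 6-characters-plus-one-capital rule. The threshold of 10 failures per 60 seconds, the tiny password list and the account name are assumed or constructed values, not taken from any of the sites tested.

```python
import time
from collections import defaultdict, deque

# Assumed values (not from the post): refuse further logins once an account
# has 10 failures inside a 60 s window, about where Website A cut the loop.
LOCKOUT_THRESHOLD = 10
WINDOW_SECONDS = 60

# Constructed, deliberately tiny list of common passwords.
COMMON_PASSWORDS = {"hotdog", "password", "123456", "qwerty", "letmein"}


def password_policy_ok(password: str) -> bool:
    """Website A's 6-chars-plus-one-capital rule, plus a dictionary screen
    so that 'Hotdog' is rejected even though it satisfies the length rule."""
    if len(password) < 6 or not any(ch.isupper() for ch in password):
        return False
    return password.lower() not in COMMON_PASSWORDS


class LoginGuard:
    """Sliding-window failed-login counter keyed by account (or account+IP)."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.threshold, self.window, self.clock = threshold, window, clock
        self.failures = defaultdict(deque)  # key -> timestamps of failures

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:  # drop entries outside window
            q.popleft()
        return q

    def attempt(self, key, credentials_valid: bool) -> str:
        """Return 'locked', 'ok' or 'denied'; a locked key is refused even
        when the submitted password is correct."""
        now = self.clock()
        recent = self._recent(key, now)
        if len(recent) >= self.threshold:
            return "locked"
        if credentials_valid:
            recent.clear()  # a genuine login resets the counter
            return "ok"
        recent.append(now)
        return "denied"


def replay_dictionary(guard, key, candidates, real_password):
    """Feed a password list at the guard and record each outcome in order."""
    return [guard.attempt(key, c == real_password) for c in candidates]
```

Replaying an 11-word list whose last entry is the real password yields ten 'denied' results and then 'locked' for the correct password, which is the behaviour the first site showed and the third site lacked.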


krontek>halt
