topic Re: How to run a brute force attack test on application username and password? in Security

How to run a brute force attack test on application username and password?

amoldesai — Wed, 04 May 2016 17:06:30 GMT

Hi,

We have a requirement from our security team to test the brute force attack scenario against user name and password of our application using THC Hydra password cracking tool

We are using https ( default port 443) . Application url is of the form : https://hostname.com/en-US/app/appname.
Basically hydra tool takes a list of users and passwords from the input file and validate it against the application. We will also pass null user and passwords and see the behavior.

Issue is I am not able to pass (use) the right url of the application containing user/password, hence the hydra tool always results in http "401" response even when I provide correct user name and password.

To simply and debug the issue, I used the Chrome REST Client(Postman,PostIT) and I get the same "http 401" response. Following url was tried with REST Client tool. When we access the application, splunk prompts for user/password. Submitting the form uses the below url:

1) URL : https://hostname.com/en-US/account/login
Method: POST
Params in body :username="xyz" and password="xyz"

Response:Http 401

My questions :

a) Does Splunk require anything to successfully authorize the url:https://hostname.com/en-US/account/login? Please let me know.

b) Any other suggestion to run this test against our application url with user name and password.

Thanks.

Re: How to run a brute force attack test on application username and password?

richgalloway — Wed, 04 May 2016 18:17:04 GMT

According to my notes, the correct login URL for the REST API is https://hostname.com:8089/services/auth/login

Re: How to run a brute force attack test on application username and password?

amoldesai — Thu, 05 May 2016 02:44:07 GMT

Thanks for your answer. I need to do brute force test against all the tcp service with open ports. There are two ports open when splunk runs (used nmap tool):

1) splunk web server port (443 in my case)
2) Management port (8089).

The url that you provided(with port 8089) will help me in testing the second case by passing along user name and password .

Similarly, I am looking for a url for the first case wherein I can pass user name and password.

Request your help here.

Thanks

Re: How to run a brute force attack test on application username and password?

richgalloway — Thu, 05 May 2016 13:25:04 GMT

Port 443 is the normal login port. I suggest using your browser's debug feature to see what is sent when you login manually and then replicate that with your tester.

Re: How to run a brute force attack test on application username and password?

amoldesai — Thu, 05 May 2016 14:32:10 GMT

Here is the http traffic flow :

1)https://app-dev-001:443/
2)https://app-dev-001:443/en-US/
3)https://app-dev-001:443/en-US/account/login?return_to=%2Fen-US%2F
4)https://app-dev-001:443/en-US/account/login (This is POST request)
5)https://app-dev-001:443/en-US/app/launcher/
6)https://app-dev-001:443/en-US/app/launcher/home

Can you please provide any pointers/links about the "4)" request call : https://app-dev-001:443/en-US/account/login

Thanks

Re: How to run a brute force attack test on application username and password?

amoldesai — Thu, 05 May 2016 14:32:10 GMT

Here is the http traffic flow :

Can you please provide any pointers/links about the "4)" request call : https://app-dev-001:443/en-US/account/login

Thanks

Re: How to run a brute force attack test on application username and password?

richgalloway — Fri, 06 May 2016 12:22:45 GMT

I believe the username and password arguments to the POST call have to be submitted in a form.

We're beyond the scope of the Splunk forums now. Perhaps THC has a forum that can be helpful on this topic.