How to run a brute force attack test on application username and password?
Hi,
We have a requirement from our security team to test the brute-force attack scenario against the user name and password of our application using the THC Hydra password-cracking tool.
We are using HTTPS (default port 443). The application URL is of the form: https://hostname.com/en-US/app/appname.
Basically, the Hydra tool takes a list of users and passwords from the input file and validates it against the application. We will also pass null users and passwords and see the behavior.
The issue is that I am not able to pass (use) the right URL of the application containing user/password, hence the Hydra tool always results in an HTTP "401" response even when I provide the correct user name and password.
To simplify and debug the issue, I used the Chrome REST Client (Postman, PostIT) and I get the same "HTTP 401" response. The following URL was tried with the REST Client tool. When we access the application, Splunk prompts for user/password. Submitting the form uses the below URL:
1) URL: https://hostname.com/en-US/account/login
Method: POST
Params in body: username="xyz" and password="xyz"
Response: HTTP 401
My questions:
a) Does Splunk require anything to successfully authorize the URL https://hostname.com/en-US/account/login? Please let me know.
b) Any other suggestion to run this test against our application URL with user name and password.
Thanks.
According to my notes, the correct login URL for the REST API is https://hostname.com:8089/services/auth/login
If this reply helps you, Karma would be appreciated.
Here is the HTTP traffic flow:
1) https://app-dev-001:443/
2) https://app-dev-001:443/en-US/
3) https://app-dev-001:443/en-US/account/login?return_to=%2Fen-US%2F
4) https://app-dev-001:443/en-US/account/login (this is a POST request)
5) https://app-dev-001:443/en-US/app/launcher/
6) https://app-dev-001:443/en-US/app/launcher/home
Can you please provide any pointers/links about the "4)" request call: https://app-dev-001:443/en-US/account/login
Thanks
I believe the username and password arguments to the POST call have to be submitted in a form.
We're beyond the scope of the Splunk forums now. Perhaps THC has a forum that can be helpful on this topic.
If this reply helps you, Karma would be appreciated.
Thanks for your answer. I need to do a brute-force test against all the TCP services with open ports. There are two ports open when Splunk runs (found using the nmap tool):
1) Splunk web server port (443 in my case)
2) Management port (8089).
The URL that you provided (with port 8089) will help me in testing the second case by passing along the user name and password.
Similarly, I am looking for a URL for the first case wherein I can pass the user name and password.
Request your help here.
Thanks
Port 443 is the normal login port. I suggest using your browser's debug feature to see what is sent when you login manually and then replicate that with your tester.
If this reply helps you, Karma would be appreciated.
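The defender-side counterpart to the login flow discussed in this thread, added here as an example and not taken from any poster or from Splunk: it reads access-log lines for the web login form (POST /en-US/account/login) and flags any source that accumulates repeated 401 responses inside a short window, which is what a Hydra-style run against port 443 looks like from the server's side. The log lines are constructed in a generic combined-log style; the real Splunk web access log format, the 303 success code and the sample addresses are assumptions to adapt.

```python
"""Flag password guessing against the Splunk web login form (added example).
Parses constructed, combined-log-style lines and counts 401 responses to
POST /en-US/account/login per source inside a sliding time window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/en-US/account/login"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (not real Splunk output): five fast failures from
# 10.0.0.5, one failure then a success from 10.0.0.9, one late stray failure.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "POST /en-US/account/login HTTP/1.1" 401 78
10.0.0.5 - - [01/Mar/2024:10:00:02 +0000] "POST /en-US/account/login HTTP/1.1" 401 78
10.0.0.5 - - [01/Mar/2024:10:00:03 +0000] "POST /en-US/account/login HTTP/1.1" 401 78
10.0.0.5 - - [01/Mar/2024:10:00:04 +0000] "POST /en-US/account/login HTTP/1.1" 401 78
10.0.0.5 - - [01/Mar/2024:10:00:05 +0000] "POST /en-US/account/login HTTP/1.1" 401 78
10.0.0.9 - - [01/Mar/2024:10:00:07 +0000] "POST /en-US/account/login HTTP/1.1" 401 78
10.0.0.9 - - [01/Mar/2024:10:00:09 +0000] "POST /en-US/account/login HTTP/1.1" 303 0
10.0.0.5 - - [01/Mar/2024:11:30:00 +0000] "POST /en-US/account/login HTTP/1.1" 401 78
"""

def parse_failed_logins(text):
    """Yield (ip, timestamp) for each POST to the login form answered with 401."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "401":
            continue
        if m["path"].split("?", 1)[0] != LOGIN_PATH:   # ignore the query string
            continue
        yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def find_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak failures} for sources reaching `threshold` within any `window`."""
    per_ip = defaultdict(list)
    for ip, ts in parse_failed_logins(text):
        per_ip[ip].append(ts)
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = max(hits.get(ip, 0), end - start + 1)
    return hits

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))   # {'10.0.0.5': 5}
```

The single late failure from 10.0.0.5 falls outside the window and does not raise the count, so a slow trickle of failures stays below the threshold while a burst is reported.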
