Security

How to run a brute force attack test on application username and password?

amoldesai
Explorer

Hi,

We have a requirement from our security team to test the brute force attack scenario against user name and password of our application using THC Hydra password cracking tool

We are using https ( default port 443) . Application url is of the form : https://hostname.com/en-US/app/appname.
Basically hydra tool takes a list of users and passwords from the input file and validate it against the application. We will also pass null user and passwords and see the behavior.

Issue is I am not able to pass (use) the right url of the application containing user/password, hence the hydra tool always results in http "401" response even when I provide correct user name and password.

To simply and debug the issue, I used the Chrome REST Client(Postman,PostIT) and I get the same "http 401" response. Following url was tried with REST Client tool. When we access the application, splunk prompts for user/password. Submitting the form uses the below url:

1) URL : https://hostname.com/en-US/account/login
Method: POST
Params in body :username="xyz" and password="xyz"

Response:Http 401

My questions :

a) Does Splunk require anything to successfully authorize the url:https://hostname.com/en-US/account/login? Please let me know.

b) Any other suggestion to run this test against our application url with user name and password.

Thanks.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

According to my notes, the correct login URL for the REST API is https://hostname.com:8089/services/auth/login

---
If this reply helps you, Karma would be appreciated.
0 Karma

amoldesai
Explorer
0 Karma

amoldesai
Explorer
0 Karma

richgalloway
SplunkTrust
SplunkTrust

I believe the username and password arguments to the POST call have to be submitted in a form.

We're beyond the scope of the Splunk forums now. Perhaps THC has a forum that can be helpful on this topic.

---
If this reply helps you, Karma would be appreciated.
0 Karma

amoldesai
Explorer

Thanks for your answer. I need to do brute force test against all the tcp service with open ports. There are two ports open when splunk runs (used nmap tool):

1) splunk web server port (443 in my case)
2) Management port (8089).

The url that you provided(with port 8089) will help me in testing the second case by passing along user name and password .

Similarly, I am looking for a url for the first case wherein I can pass user name and password.

Request your help here.

Thanks

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Port 443 is the normal login port. I suggest using your browser's debug feature to see what is sent when you login manually and then replicate that with your tester.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...