Crack a login page : the easy way

Jan 24, 2023 by Thibault Debatty | 4585 views

Offensive Security Cylab Play

https://cylab.be/blog/254/crack-a-login-page-the-easy-way

In this blog post, we will show that a login page from a web application can be easily cracked if the application does not implement specific protections against this kind of attack.

The tools that we use a publicly available, so you can easily reproduce yourself. However, you must always ask for owner’s consent before testing a web application!

Dokos installation

Dokos is a simple login cracker written in Python. You can install it with:

python3 -m pip install dokos

dokos-install.png

After installation, dokos will be available in your path, so you can simply test with:

dokos

On Windows, you can run Dokos with:

python -m dokos

dokos-help.png

The victim

For this demo, the victim will be Brute Force app from Cylab Play, our collection of vulnerable containers.

cylab-play.png

I deployed the app using Play with Docker. It is a very simple app, with a login form.

brute-force-failed.png

Running the attack

Login cracker tools, like Dokos, typically need 6 information to run:

  1. a list of passwords to try;
  2. the username or email to use when we try to login;
  3. a way to detect a successful (or failed) authentication;
  4. the URL of the login page;
  5. the name of the field that must be used to send the username or email;
  6. the name of the field that must be used to send the password;

You can easily find lists of known passwords online, for example on https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials

For this demo, I will use the top 1000:

wget https://github.com/danielmiessler/SecLists/raw/master/Passwords/Common-Credentials/10-million-password-list-top-1000.txt

To find the login or email, hackers usually use OSINT techniques.

As you can see on the screenshot, the app displays a clear message if the authentication failed: “Bad combination of e-mail and password!”

Finally, the last 3 information can be found by inspecting the source code of the authentication form:

brute-force-form.png

So now we can feed all these information to Dokos (on a single line):

dokos
  -l jane.doe@example.com 
  -P 10-million-password-list-top-1000.txt 
  -f "Bad combination of e-mail and password"
  --login_field email
  --password_field password
  http://ip172-18-0-18-cf7utl63tccg0089sr0g-8000.direct.labs.play-with-docker.com/

Dokos will show you the different passwords that it is testing, and at the end tell you if it found a password that’s correct.

dokos-run.png

Final words

In this blog post, we have illustrated that the login form of a web application can be easily cracked if the app is not protected. This leads us to 2 conclusions:

As a web developer, you should always ensure that your app implements appropriate protections.

As a user, you should always use strong passwords (that include numbers and special characters). Moreover, you should never use the same password on different web applications.

This blog post is licensed under CC BY-SA 4.0