Crack a login page : the easy way

Jan 24, 2023 by Thibault Debatty | 2671 views

Offensive Security Cylab Play

https://cylab.be/blog/254/crack-a-login-page-the-easy-way

In this blog post, we will show that a login page from a web application can be easily cracked if the application does not implement specific protections against this kind of attack.

The tools that we use a publicly available, so you can easily reproduce yourself. However, you must always ask for owner's consent before testing a web application!

Dokos installation

Dokos is a simple login cracker written in Python. You can install it with:

python3 -m pip install dokos

dokos-install.png

After installation, dokos will be available in your path, so you can simply test with:

dokos

On Windows, you can run Dokos with:

python -m dokos

dokos-help.png

The victim

For this demo, the victim will be Brute Force app from Cylab Play, our collection of vulnerable containers.

cylab-play.png

I deployed the app using Play with Docker. It is a very simple app, with a login form.

brute-force-failed.png

Running the attack

Login cracker tools, like Dokos, typically need 6 information to run:

  1. a list of passwords to try;
  2. the username or email to use when we try to login;
  3. a way to detect a successful (or failed) authentication;
  4. the URL of the login page;
  5. the name of the field that must be used to send the username or email;
  6. the name of the field that must be used to send the password;

You can easily find lists of known passwords online, for example on https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials

For this demo, I will use the top 1000:

wget https://github.com/danielmiessler/SecLists/raw/master/Passwords/Common-Credentials/10-million-password-list-top-1000.txt

To find the login or email, hackers usually use OSINT techniques.

As you can see on the screenshot, the app displays a clear message if the authentication failed: "Bad combination of e-mail and password!"

Finally, the last 3 information can be found by inspecting the source code of the authentication form:

brute-force-form.png

So now we can feed all these information to Dokos (on a single line):

dokos
  -l jane.doe@example.com 
  -P 10-million-password-list-top-1000.txt 
  -f "Bad combination of e-mail and password"
  --login_field email
  --password_field password
  http://ip172-18-0-18-cf7utl63tccg0089sr0g-8000.direct.labs.play-with-docker.com/

Dokos will show you the different passwords that it is testing, and at the end tell you if it found a password that's correct.

dokos-run.png

Final words

In this blog post, we have illustrated that the login form of a web application can be easily cracked if the app is not protected. This leads us to 2 conclusions:

As a web developer, you should always ensure that your app implements appropriate protections.

As a user, you should always use strong passwords (that include numbers and special characters). Moreover, you should never use the same password on different web applications.

How to detect filtered (and opened) outgoing ports on a network?
Sometimes you want to access services running on unusual ports, like a SSH server running on port 2222 for example. If connection fails, how can we detect the outgoing ports that are filtered or open on the network?
May 16, 2023 | 686 views
Adv-Bot: Realistic Adversarial Botnet Attacks against Network Intrusion Detection Systems
Due to the numerous advantages of machine learning (ML) algorithms, many applications now incorporate them. However, many studies in the field of image classification have shown that MLs can be fooled by a variety of adversarial attacks. This raises many questions in the cybersecurity field, where a growing number of researchers are recently investigating the feasibility of such attacks against machine learning-based security systems, such as intrusion detection systems.
Mar 28, 2023 | 649 views
SQLMap : additional techniques
In a previous blog post, we have explained what SQL injection is, and how to exploit it using sqlmap. In this blog post, we will show some additional techniques: how to exploit web applications that use clean URLs, how to exploit a POSTed form, how to hide traces etc.
Mar 21, 2023 | 961 views