Web Form Password Brute Force with FireForce
I spent many hours today playing around with DVWA – (Damn Vulnerable Web App), from Randomstorm, brushing up on my web app pentesting skills, to be honest its been a long time and I really need to get back on top of this.
Anyways, after going through all the usual SQL injection, XSS stuff I thought I’d have a go at the brute forcing part of the app.
Well after what seemed like days I gave up, with little or no success – I’d tried the usual suspect for ‘bruting’ the password – Hydra.
Until I Googled around and found a Firefox addon called ‘Fireforce’ the article that I found is here Dark Reading
What the extension does is finds out the fields for the brute force attack in the web page source code, an automated way rather than reading through it manually, and then tries to brute force using your wordlists.
You can view the source code for the webpage by right clicking on the page and selecting View page source.
Here you can pick out the form action ‘GET’ and the password, username and submit info.
This is what you would normally feed into Hydra, as shown here:-
hydra -l admin -P wordlist.txt -f -v 192.168.124.123 http-get-form “/vulnerabilities/brute/:username=^USER^&password=^PASS^&submit=Login:Username and/or Password incorrect.”
So to Fireforce, best read the manual for all options, but really all you have to do once its installed is right click in the fields for username and password and load up your wordlists for usernames and passwords and let it rip.
After a bit more reading after publishing this post, I found out that Hydra falls a little short when dealing with web forms, an article I found on the excellent Attack Vector blog, Mat also had issues with Hydra and web forms.