Penetration Testing: RE: password cracking a web form, tried hydra and brutus

["Rob Shein" <shoten () starpower net>]

Since web forms can vary widely, there is no cut-and-dried program that will
do this for you. The closest thing is a scripting language called ELZA
(http://www.stoev.org/elza/) that is designed for this sort of thing.  But
if you can't really code, you're out of luck.

> -----Original Message-----
> From: aRt dE vIvRe [mailto:bishan4u () yahoo co uk] 
> Sent: Thursday, February 05, 2004 5:18 AM
> To: Rob Shein; pen-test () securityfocus com
> Subject: RE: password cracking a web form, tried hydra and brutus
>
>
> Hi,
>
> > The problem is you're trying to use HTTP authentication, instead of 
> > submitting the results to the form.
> Yes, you are right. I tried Accessdriver also, but that also 
> works only for HTTP authentication and not for submitting form.
>
> > Your better bet is to work something
> > up,
> > in perl most likely (but any tcp-capable language will do), 
> that will 
> > submit requests just as would happen if you were to 
> sequentially try 
> > various login
> > attempts on their web page.
> Sorry, but I'm not so good at programming.
> Is there any open source program which does this? I'm looking 
> for such a program over a week now, but no luck!
>
> > There are also other ways you could poke at it...have you tried SQL 
> > injection attacks in either the password or login field?
> Can you please put some more light on it!
>
> Thanx and Regards,
> b'shan

---------------------------------------------------------------------------
----------------------------------------------------------------------------