Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:38 PM
John H. Sawyer
John H. Sawyer

That Was Easy: New Tool For Web Form Password Brute Force Attacks

Passwords suck. We all know it, but unless you can afford to provide multifactor authentication to all of your users and business partners, you're stuck with them.

Passwords suck. We all know it, but unless you can afford to provide multifactor authentication to all of your users and business partners, you're stuck with them.Implementing technical controls to enforce strong password creation by your users is a necessity because users will pick weak passwords when given the opportunity. Sure, there are some exceptions to the rule, but those aren't the ones we're worried about as security professionals. We are worried about the ones that are easy to crack.

Back in March, Ron Bowes posted a great blog titled "Hard evidence that people suck at passwords." Ron takes a look at passwords that have been leaked by attackers who've breached sites like phpbb, Faithwriters, and Elite Hackers. He provides some interesting insight into password choices made by users.

Also, it's worth noting that Ron is currently hosting password dictionaries that come from various sources, like password cracking tools and leaked password lists from compromised websites. They are very useful with the tool I'm about to talk about.

In a discussion about password brute forcing on the Metasploit Framework mailing list, someone pointed out a Firefox extension that enables brute force password attacks against Web forms from right within the browser. It's FireForce, and it is available here.

What a simplistic but useful and powerful tool! Typically, we refrain from password attacks because of account lockout issues, but sometimes we encounter Web apps with a local user authentication source that has no lockout feature. FireForce is simple in its implementation, but powerful enough to allow for brute forcing of just passwords or both user names and passwords.

Teamed with the passwords hosted at SkullSecurity, FireForce is nearly unstoppable, but it's not a replacement for Medusa. Be sure to read the documentation for info about running separate Firefox instances and configuring the user name and password brute forcing properly -- the dictionary selection is a little backward.

Addendum: Here is the link that was sent to the Metasploit Express users mailing list. Thanks, Jason.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
5 Ways to Up Your Threat Management Game
Wayne Reynolds, Advisory CISO, Kudelski Security,  2/26/2020
Exploitation, Phishing Top Worries for Mobile Users
Robert Lemos, Contributing Writer,  2/28/2020
Kr00k Wi-Fi Vulnerability Affected a Billion Devices
Robert Lemos, Contributing Writer,  2/26/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-28
On the QFX3500 and QFX3600 platforms, the number of bytes collected from the RANDOM_INTERRUPT entropy source when the device boots up is insufficient, possibly leading to weak or duplicate SSH keys or self-signed SSL/TLS certificates. Entropy increases after the system has been up and running for so...
PUBLISHED: 2020-02-28
Background For regular, unencrypted FTP traffic, the FTP ALG can inspect the unencrypted control channel and open related sessions for the FTP data channel. These related sessions (gates) are specific to source and destination IPs and ports of client and server. The design intent of the ftps-extensi...
PUBLISHED: 2020-02-28
An open redirect is present on the gateway's login page, which could cause a user to be redirected to a malicious site after logging in.
PUBLISHED: 2020-02-28
A reflected XSS vulnerability exists within the gateway, allowing an attacker to craft a specialized URL which could steal the user's authentication token. When combined with CVE-2020-6803, an attacker could fully compromise the system.
PUBLISHED: 2020-02-28
BigFix Self-Service Application (SSA) is vulnerable to arbitrary code execution if Javascript code is included in Running Message or Post Message HTML.