6/21/2010
01:38 PM
John H. Sawyer
Commentary

That Was Easy: New Tool For Web Form Password Brute Force Attacks

Passwords suck. We all know it, but unless you can afford to provide multifactor authentication to all of your users and business partners, you're stuck with them.

Implementing technical controls to enforce strong password creation by your users is a necessity because users will pick weak passwords when given the opportunity. Sure, there are some exceptions to the rule, but those aren't the ones we're worried about as security professionals. We are worried about the ones that are easy to crack.

Back in March, Ron Bowes posted a great blog titled "Hard evidence that people suck at passwords." Ron takes a look at passwords that have been leaked by attackers who've breached sites like phpbb, Faithwriters, and Elite Hackers. He provides some interesting insight into password choices made by users.

Also, it's worth noting that Ron is currently hosting password dictionaries that come from various sources, like password cracking tools and leaked password lists from compromised websites. They are very useful with the tool I'm about to talk about.

In a discussion about password brute forcing on the Metasploit Framework mailing list, someone pointed out a Firefox extension that enables brute force password attacks against Web forms from right within the browser. It's FireForce, and it is available here.

What a simplistic but useful and powerful tool! Typically, we refrain from password attacks because of account lockout issues, but sometimes we encounter Web apps with a local user authentication source that has no lockout feature. FireForce is simple in its implementation, but powerful enough to allow for brute forcing of just passwords or both user names and passwords.
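One defender-side response to the no-lockout condition described above is to spot the burst in the application's own authentication log: a single source piling up failures, and cycling through user names, in a short window. The following Python example is added here and is not from the article or from FireForce; the log format, field names and sample lines are all constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of an application's authentication log (not from the
# article): one source hammering the form across several user names, plus
# ordinary activity from another address that must not be flagged.
SAMPLE_LOG = """\
2010-06-21T13:38:00 src=192.0.2.10 user=alice result=OK
2010-06-21T13:38:05 src=198.51.100.7 user=bob result=FAIL
2010-06-21T13:38:06 src=198.51.100.7 user=bob result=FAIL
2010-06-21T13:38:06 src=198.51.100.7 user=bob result=FAIL
2010-06-21T13:38:07 src=198.51.100.7 user=bob result=FAIL
2010-06-21T13:38:07 src=198.51.100.7 user=bob result=FAIL
2010-06-21T13:38:08 src=198.51.100.7 user=carol result=FAIL
2010-06-21T13:38:08 src=198.51.100.7 user=carol result=FAIL
2010-06-21T13:38:09 src=198.51.100.7 user=dave result=FAIL
2010-06-21T13:38:40 src=192.0.2.10 user=alice result=FAIL
2010-06-21T13:40:00 src=192.0.2.10 user=alice result=OK
"""

# Assumed (constructed) line layout: ISO timestamp, source IP, user, result.
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(line):
    """Return (timestamp, src, user, failed) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, user, result = m.groups()
    return datetime.fromisoformat(ts), src, user, result == "FAIL"

def detect_bruteforce(log_text, window_seconds=60, threshold=5):
    """Map each source IP whose failures reach `threshold` inside any sliding
    window of `window_seconds` to the set of user names it failed against."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    users = defaultdict(set)      # src -> user names seen failing from that src
    flagged = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, src, user, failed = rec
        if not failed:
            continue
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire old ones
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = set(users[src])
    return flagged
```

The same counters, keyed by user name instead of source IP, catch the password-spraying variant where one account is tried from many addresses.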

Teamed with the passwords hosted at SkullSecurity, FireForce is nearly unstoppable, but it's not a replacement for Medusa. Be sure to read the documentation for info about running separate Firefox instances and configuring the user name and password brute forcing properly -- the dictionary selection is a little backward.

Addendum: Here is the link that was sent to the Metasploit Express users mailing list. Thanks, Jason.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
