Series navigation: http://www.cnblogs.com/xuanhun/archive/2008/10/25/1319523.html
Preface
(Author: Xuanhun)
The previous article covered the topic of user name enumeration. This time I will briefly discuss common password detection (password guessing).
Yesterday, fellow blogger Hunts.C left a comment about the school's intranet. He said, "It is a user ID and an email address. The user ID here actually plays the role of the user name, but it only uses email logon." In fact, the intranet supports both user name logon and email logon, and in addition each user is assigned a unique ID. Hunts.C is right: the ID and the user name play the same role, but for user name enumeration the ID is not a substitute for the user name, because the ID cannot be used to log in.
This time there is less to cover.
Body
12.1 Automated password detection
Automated password detection means using a tool that sends login requests to the target continuously and decides from each response whether the guess succeeded.
There are two methods of automated detection.
First, try different passwords against the same user name; second, try the same password against different user names. The second method effectively avoids triggering account lockout.
There are two ways to obtain the user names and passwords to try: one is to use an existing dictionary, and the other is to generate them programmatically from the rules by which user names or passwords are commonly composed.
The biggest obstacle to automated password detection is a well-designed verification code (CAPTCHA) and other human-machine tests (simple questions).
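As an added defender's example (not code from the original post), the following Python classifies failed logins per source address, so that the second method above, which stays under per-account lockout counters, is still caught by counting distinct accounts per source. The log format, sample lines and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth log lines ("<ip> <user> <result>") for this example:
# 10.0.0.5 hammers one account, 10.0.0.9 tries one guess per account.
SAMPLE_LOG = """\
10.0.0.5 alice FAIL
10.0.0.5 alice FAIL
10.0.0.5 alice FAIL
10.0.0.5 alice FAIL
10.0.0.5 alice FAIL
10.0.0.5 alice FAIL
10.0.0.9 alice FAIL
10.0.0.9 bob FAIL
10.0.0.9 carol FAIL
10.0.0.9 dave FAIL
10.0.0.9 erin FAIL
10.0.0.9 frank FAIL
10.0.0.9 grace FAIL
10.0.0.9 heidi FAIL
10.0.0.1 alice FAIL
10.0.0.1 alice OK
"""

def parse_failures(log_text):
    """Return {ip: {user: failure_count}}; malformed lines are skipped."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == "FAIL":
            failures[parts[0]][parts[1]] += 1
    return failures

def classify(failures, max_per_user=5, min_users=8):
    """Label each source IP.  A per-account counter (the lockout logic the
    spraying method is designed to stay under) never fires for 10.0.0.9, so
    the number of distinct accounts per source must be counted as well."""
    verdicts = {}
    for ip, per_user in failures.items():
        if max(per_user.values()) > max_per_user:
            verdicts[ip] = "brute-force"      # one account, many passwords
        elif len(per_user) >= min_users:
            verdicts[ip] = "password-spray"   # many accounts, few tries each
        else:
            verdicts[ip] = "normal"
    return verdicts

def analyse(log_text=SAMPLE_LOG):
    return classify(parse_failures(log_text))
```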
12.2 Social engineering
I do not know how the term "social engineering" came about. At first I thought it would be more appropriate to call it behavioral psychology; later I learned that social engineering is actually a form of espionage.
(1) Guessing. Based on relevant information about the target; common examples include birthday, name, phone number, commonly used number combinations (1213456 and so on), letter combinations, email addresses, and parents' names.
(2) Deception. Through chatting, and based on the QQ profile information the target gives you, you can obtain related information.
(3) Using customer service. For example, pretend to be the mailbox's owner and call customer service saying the password has been lost. I had heard this worked with QQ; a fellow blogger told me the day before yesterday that it also worked with Yahoo Mail. It was incredible.
(4) "Social engineering" in the narrow sense: obtaining the information you want by approaching the target person, his family and friends. Of course, this is not closely related to web attacks, but it is one of the methods hackers use.
12.3 Posting the user name and password
There is a lot of ready-made software for cracking web login passwords. Using the tools is not the focus of our discussion; let's look at how they work.
The following is the POST data captured when I logged on to the intranet (a real analysis should cover the full exchange; this is only part of it):
POST /login.do HTTP/1.1
Host: login.xiaonei.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.xiaonei.com/SysHome.do
Cookie: syshomeforreg=1; isnewreg=1; XNESSESSIONID=abc_7S1cRa2rw8aernG6r; ick=Shanghai; _utma=Shanghai; _utmb=204579609; _utmc=204579609; _utmz=forward=(direct)|utmcsr=(direct)|utmcmd=(none); _de=8EAD38BFFD04FDBE; userid=201573034; univid=5426; gender=1; univyear=2005; hostid=201573034; BIGipServerpool_profile=3720.16938.20480.0000; xn_app_histo_201573034=6-35-17954-4-8-16555-12012-3-2-13496-19; mop_uniq_ckid=123.189.16.20._1231047874_1991448146
Content-Type: application/x-www-form-urlencoded
Content-Length: 83

email=xuanhun&password=xuanhun521&origURL=http%3A%2F%2Fwww.xiaonei.com%2FSysHome.do
This is an ordinary POST request. The last part carries the user name and password, which should be encrypted in transit, that is, sent over an HTTPS connection. A brute-force tool sends similar requests to the target server over and over and judges from the response whether each attempt succeeded.
12.4 Program design
The design of a complete brute-force program cannot be explained in a few words; I hope to have the opportunity to present a full program later.
The following automatic logon code shows one slice of what a brute-force tool does. For more information, see HttpWebRequest and HttpWebResponse.
using System.IO;
using System.Net;

// Posts the form body (data) to targetURL and returns the response text.
// cc carries cookies across requests and must be attached before the request is sent.
static string PostLogin(string targetURL, byte[] data, CookieContainer cc)
{
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(targetURL);
    request.Method = "POST";
    request.ContentType = "application/x-www-form-urlencoded";
    request.ContentLength = data.Length;
    request.UserAgent = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.1124)";
    request.CookieContainer = cc; // set before GetRequestStream(), which starts the request
    Stream newStream = request.GetRequestStream();
    newStream.Write(data, 0, data.Length);
    newStream.Close();
    HttpWebResponse response = (HttpWebResponse)request.GetResponse();
    cc.Add(response.Cookies); // keep any session cookie the server set
    Stream stream = response.GetResponseStream();
    string result = new StreamReader(stream, System.Text.Encoding.Default).ReadToEnd();
    response.Close();
    return result;
}
Once you understand how logon information is sent, you can write your own web password detection tool by combining this with multithreading and a dictionary attack.
Of course, we have not handled the verification code here. If the verification code is stored in a cookie or a hidden field, that is absurd: a program can simply read it. The verification code is normally kept on the server side: the randomly generated code is put into the Session, and when the user submits the form, the submitted value is compared with the value in the Session. Verification codes will be discussed further in the later section on bypassing verification.
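As an added example, not code from the original post, here is the server-side pattern the paragraph describes, in Python: the code lives only in the session object (assumed here to be a plain dict), is compared with the submitted value, and is discarded after a single use so an automated poster cannot replay it.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits

def issue_captcha(session, length=5):
    """Generate a random code and keep it ONLY in the server-side session.
    The returned value is meant for rendering as an image; nothing about it
    goes into a cookie or a hidden form field."""
    code = "".join(secrets.choice(ALPHABET) for _ in range(length))
    session["captcha"] = code
    return code

def verify_captcha(session, submitted):
    """Compare the submitted value with the session copy in constant time.
    The stored code is removed on every attempt (success or failure), so each
    issued code can be used exactly once and a missing code never passes."""
    expected = session.pop("captcha", None)
    if expected is None or submitted is None:
        return False
    # Case-insensitive match; compare as bytes so any input is accepted safely.
    return hmac.compare_digest(expected.encode(), submitted.strip().upper().encode())
```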