The Revoluti0n

Strange Article - Web Cracking by Conwow
Types of Password Protection

Web cracking, what is it? Well, web cracking is a term used to refer to
password cracking on HTTP servers. Now first let's deal with the basics: what
is an HTTP server and how does it work? Well, HTTP is HyperText Transfer
Protocol; this is the protocol that is used to send hypertext to an HTTP
client. What is an HTTP client then? Well, you are probably reading this from
an HTTP client. A client is something that is used to receive data, such as
Internet Explorer, which is used for a number of things, namely to receive
HTML (HyperText Mark-up Language).

So what is a protocol? Well, in the medical profession protocols are put in
place for patients. These are set rules that every doctor has to follow to
protect patients; whichever hospital you are in, say in the UK, doctors will
follow the same protocol, the same set of rules. So a protocol is a set of
rules that something must follow. Now on the Internet all hypertext servers
follow a set of rules; this means any browser can receive HTML documents off
any server, because they all do the same thing when you send them the same
uniform request.

So how does an HTTP server password protect a section of its site, or one of
its documents? Well, there are two methods; by far the most common is to use
CGI scripts. What is a CGI script then? Well, a CGI script is a small
program. This is run on the server instead of the user's PC, unlike
JavaScript, which is run when the document is opened on the user's side.
Without it the server often does very little other than serve files.

CGI changes all this: a CGI script will be run on the server and the results
sent to the user via the HTTP server. Now password protection scripts are
very simple: they just take the username as a variable (the changeable
thing), check it against a list of usernames and see if the username exists.
If it does then the CGI script will request the password, store it in a
variable and see if it matches the password found next to that username in
the database. This is a basic and very simplistic explanation of CGI script
password protection but it is all you need to know.

Now before I mentioned another sort of password protection, where the server
does this alone and CGI scripts aren't even used. The server will have an
access file; this will contain authentication instructions. The user on the
client side (the person sat at their computer entering the site) will get a
pop-up box asking for the username and password. The access file will check
the username and password the user gives and see if they match the username
and its password in the database of passwords.

What the Browser actually sends.

Now we have to learn a little about HTTP and the different methods of getting
and sending information. If you look at the source of a password protected
site you will probably see something like this: -

<TR>
<TD COLSPAN="2">
<FORM METHOD="POST" ACTION="/admin/login.html">
<TABLE>
<TR>
<TD>User Name:</TD>
<TD><INPUT TYPE="TEXT" NAME="ID"></TD>
<TD></TD></TR>
<TR>
<TD>Password:</TD>
<TD><INPUT TYPE="PASSWORD" NAME="PW"></TD>
<TD><INPUT TYPE="SUBMIT" VALUE="LOGON" NAME="">
</TD></TR></TABLE></FORM></TD></TR>

Now we aren't interested in most of that, just three things:
<FORM METHOD="POST" ACTION="/admin/login.html">
and
<INPUT TYPE="TEXT" NAME="ID">
and
<INPUT TYPE="PASSWORD" NAME="PW"></TD>
<TD><INPUT TYPE="SUBMIT" VALUE="LOGON" NAME="">
Now we have to learn about HTTP requests before we can go any further. When
you click on a link what actually happens is your browser converts the
<A HREF="somepage.htm"> into a request. Your browser works out that it is a
relative hyperlink, because there is no http://www.somesite.com (the
hostname of the site) in it, so it thinks "we are on
http://www.othersite.com, so it must mean
http://www.othersite.com/somepage.htm". So your browser sends
"GET /somepage.htm HTTP/1.1" (not sure about the / though). Now the HTTP
server will send back somepage.htm. GET is a type of request: it's a request
to GET somepage.htm off the server and send it to the client. This isn't the
only type of request; let's look at a few more.

GET

This method is used to download a page off a server (usually one that you
are already connected to); it downloads all the data to the HTTP client (web
browser).

POST

This is for sending data to the web server you are connected to; it is not
restricted to files. It can be used to POST information to a CGI script:
this just sends a chunk of information to the CGI script so it can process
it. This is often used with password protection on sites.

HEAD

This is used to check if a file exists; it just downloads the headers of the
file and not the body. It isn't very important here as it is hardly ever used.

Now we should have a slightly better idea of how the hypertext protocol
works. This will aid us greatly when it comes to looking at the source
again. Let us take another look at the source and see if we can figure out
what is going on: -
<FORM METHOD="POST" ACTION="/admin/login.html">
<TABLE>
<TR>
<TD>User Name:</TD>
<TD><INPUT TYPE="TEXT" NAME="ID"></TD>
<TD></TD></TR>
<TR>
<TD>Password:</TD>
<TD><INPUT TYPE="PASSWORD" NAME="PW"></TD>
<TD><INPUT TYPE="SUBMIT" VALUE="LOGON" NAME="">
</TD></TR></TABLE></FORM>

Now this is a form. Forms are used to communicate with the web server and
almost always with CGI scripts. So the form is taking two "values" from the
user, the username and password; these are then sent to the web server over
HTTP, where they are checked by an authentication file that decides whether
the username and password are correct. If so it will let the user enter the
site. So when we are web cracking we have to know 4 things: the name the
username value is given, the name the password value is given, the method
used to send it to the server and the address of the CGI script (where the
form is sending this information). In this case: -
Method: - POST
Address of authentication file: - http://HOSTNAME/admin/login.html
Username name: - ID
Password name: - PW
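
As an added example (not from the article), here is what the browser actually sends when that form is submitted: a small Python parser pulls the four things above out of the form's HTML, and a second function renders the raw HTTP/1.1 POST that carries the ID and PW fields. The hostname www.example.com and the field values are made up for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# The login form from the article (constructed copy, with the extraction
# spaces inside the tags removed so it parses as real HTML).
SAMPLE_FORM = """
<FORM METHOD="POST" ACTION="/admin/login.html">
<TABLE><TR><TD>User Name:</TD><TD><INPUT TYPE="TEXT" NAME="ID"></TD></TR>
<TR><TD>Password:</TD><TD><INPUT TYPE="PASSWORD" NAME="PW"></TD>
<TD><INPUT TYPE="SUBMIT" VALUE="LOGON" NAME=""></TD></TR></TABLE></FORM>
"""

class _FormParser(HTMLParser):
    """Collects the method, action and named inputs of the first form."""
    def __init__(self):
        super().__init__()
        self.method, self.action, self.fields = "GET", "", []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lower-cases tag and attribute names
        if tag == "form":
            self.method = (a.get("method") or "GET").upper()
            self.action = a.get("action") or ""
        elif tag == "input" and a.get("name"):  # the SUBMIT has NAME="" and is skipped
            self.fields.append((a["name"], (a.get("type") or "text").lower()))

def parse_login_form(html):
    """Return the method, action and field names the article says you must read off the form."""
    p = _FormParser()
    p.feed(html)
    return {"method": p.method, "action": p.action, "fields": p.fields}

def build_post_request(host, form, values):
    """Render the raw HTTP/1.1 request the browser sends on submit:
    request line, headers, blank line, then the urlencoded body."""
    body = urlencode([(name, values.get(name, "")) for name, _ in form["fields"]])
    head = (f"{form['method']} {form['action']} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return (head + body).encode("ascii")

if __name__ == "__main__":
    form = parse_login_form(SAMPLE_FORM)
    print(form)
    # Made-up hostname and credentials, only to show the wire format.
    print(build_post_request("www.example.com", form, {"ID": "joe", "PW": "pa ss"}).decode())
```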

For more on HTTP authentication read RFC 2617.

The Actual Cracking

What is Cracking

As I am writing this assuming you know nothing about hacking, I will explain
to you what cracking is. Cracking, like many easy hacking methods, takes the
one thing that you are allowed to do with a service and exploits and abuses
it. Cracking is basically trying as many passwords as you can until the
server sends authentication success (the username and password were right,
basically). Now this is very fast if the service you're cracking is on your
computer, but often it isn't; often the service you're cracking is an HTTP
server.

HTTP cracking is slow; this is because the information has to go about
100,000 miles (well, I'm guessing here) through about 13 servers. So this all
takes time and bandwidth. Now we all know that the connection between your
hard disk and your processor is much faster and more powerful than that
dial-up account you have. So by default it's slow; this means you have to
come up with clever techniques to increase the chances of getting a password
right.

Brute Forcing

This is a very slow technique; it relies on the cracker sending first A,
then B, and when it has worked through the alphabet in single letters it
moves on to AA, then AB. This will get any password and, if left running,
has a 100% success rate. But when web cracking this is simply not practical,
so people don't use it.

Dictionary Cracking

This is the most common method of cracking. It works because people's
passwords usually aren't random letters; hence it being called a password,
the cracker gets a list of common passwords and sends these. Now this is
considerably quicker than sending random strings of characters. A good
source of word lists is http://www.totse.com. Now word lists can cut down
the time spent cracking, but you must get the word list right; there is no
point in using girls' names for a username on a viagra site etc. So choose
your word list carefully to get the best results.

Threads

This is a really big development in web cracking and cracking in general.
Back in the days when everyone was on 14kb dial-up lines, the server being
slow wasn't really a problem because the phone lines were often slower, but
now everyone has high speed Internet access the rules have changed. Threads
are the number of separate attempts to send a username and password at any
one time, so if you have 13 threads running it would be as if you were
filling in the username and password 13 times every time you filled it in
instead of just once.

Proxies

It is amazingly easy to spot an attempt to crack a password just by looking
at the people logging in and seeing that Joe Bloggs has attempted to log in
100,000,000 times in the past 2 days. Now they just look next to it, go "oh,
IP address 212.54.123.12" and report you to the ISP. The ISP then checks this
against their logs, says "oh yes, Mr R.S Dull was logged on at whatever time
you were cracking the account using IP address 212.54.123.12" and they
cancel your account.

Now wouldn't it be nice if you could not get caught? What if you sent all
the attempts through a server, a proxy server in fact? Now these exist and
they are very easy to get hold of. All you want is an HTTP proxy; you enter
the IP address of it and the port it's operating on, and every
authentication attempt is sent first through the proxy, then to the HTTP
server, where the reply is sent back to the proxy and then to you, and the IP
address of the proxy will show up in the logs (that is all explained very
simplistically but it's all you need to know).

Now where do you get lists of such proxies? Try a Google search for free
public proxy lists; you want to use HTTP proxy servers. Then all you do is
enter them into the cracker and run it. They will run slightly slower than
if you weren't using them but this is worth it because you won't get caught.
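
From the server's side, the giveaway the article describes (one account, or one address, failing to log in over and over) is easy to check for in logs. This added Python example, not part of the article, runs that check over constructed log lines in a made-up format; it also keys on the username, which is what still shows the pattern when the attempts are spread across proxies.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not from the article): one record per logon attempt
# against the form's CGI script: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2003-10-10T13:55:01Z src=212.54.123.12 user=admin result=FAIL
2003-10-10T13:55:02Z src=212.54.123.12 user=admin result=FAIL
2003-10-10T13:55:02Z src=212.54.123.12 user=admin result=FAIL
2003-10-10T13:55:03Z src=212.54.123.12 user=admin result=FAIL
2003-10-10T13:55:04Z src=212.54.123.12 user=admin result=FAIL
2003-10-10T14:10:00Z src=10.0.0.1 user=joebloggs result=FAIL
2003-10-10T14:10:03Z src=10.0.0.2 user=joebloggs result=FAIL
2003-10-10T14:10:07Z src=10.0.0.3 user=joebloggs result=FAIL
2003-10-10T14:10:09Z src=10.0.0.4 user=joebloggs result=FAIL
2003-10-10T14:10:12Z src=10.0.0.5 user=joebloggs result=FAIL
2003-10-10T15:00:00Z src=192.168.1.7 user=alice result=FAIL
2003-10-10T15:00:20Z src=192.168.1.7 user=alice result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse_log(text):
    """Yield (timestamp, ip, user, ok) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "OK"

def max_in_window(times, window_s):
    """Largest number of events that fall inside any window_s-second span."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_cracking(text, window_s=60, threshold=5):
    """Return (ips, users) with at least `threshold` failed logons inside
    `window_s` seconds; keying on the user catches attempts spread over proxies."""
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        if not ok:
            by_ip[ip].append(ts)
            by_user[user].append(ts)
    def flag(table):
        return sorted(k for k, t in table.items()
                      if max_in_window(t, window_s) >= threshold)
    return flag(by_ip), flag(by_user)
```

Running find_cracking(SAMPLE_LOG) flags the single address hammering "admin" and the "joebloggs" account whose failures arrive from five different addresses, while alice's one mistake is left alone.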

Software

I'm not going to hold your hand and explain how to use each individual piece
of software. You would be able to work this out for yourself if you have
taken the time to read the text.

Brutus 2: - A great little cracker from Hoobie, but you have to remember to
use HTTP Form, not HTTP Basic Authentication. Available from
www.hoobie.net/brutus.

Web Cracker 4.0: - This is something special; not only is it the best web
cracker I've ever seen or used but it comes with the ability to abuse known
CGI exploits to crack quicker. Available from www.webcracker.net.

EliteSys Entry v2.05: - Entry is a popular HTTP/FTP/POP3 password cracker;
it is fast and easy to use and updated regularly. As it is commercial
software you cannot use it to its full potential until you have registered
it. This is a bitch but it is available off any good warez site.

On Linux/Unix you can build your own script or program to crack HTTP server
password protection, but I'm not going to explain that in this text as no
*nix users will read it and I'm not good enough at them to do this.

Disclaimer

All information contained within this text is purely for educational
purposes and I, the writer, cannot be held responsible for misuse or use of
information contained within.

Contacting Me

Site: - http://www.conwow.tk
MSN Messenger: - conwow352@hotmail.com