
More Resource Discovery with ForzaBruta.py

It has been a busy summer, but I spent some time continuing the work I previously wrote about on the brute-forcer, ForzaBruta.py. This time I worked through the Lynda coursework to extend the brute-forcer with convenience and analysis capabilities:

  • Take screenshots
  • Capture the MD5 checksum of each response to compare file contents
  • Record the number of words and characters in each file and the time to load
  • Filter and color results based on return code
  • Filter for only certain file extensions
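The analysis side of that feature list, as an added example written for this post rather than code from the course or from ForzaBruta.py itself: it takes response records (constructed inline here, with no network access) and computes the MD5, word count, character count and load time, filters by status code and extension, colors lines by status class, and groups paths whose bodies hash identically, which is the practical reason to record the checksum at all: a catch-all page returns the same body for every guessed path and would otherwise look like a hit. It also checks a saved screenshot for a real PNG header instead of trusting the driver, which is how the zero-byte PNG failure described below would be caught. The `Result` dataclass and all sample paths and bodies are assumptions made for the example.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Result:
    """One probed resource (hypothetical record). In a live tool these fields
    come from the HTTP response; here they are constructed so the analysis runs offline."""
    path: str
    status: int
    body: str
    elapsed: float  # seconds the request took


def analyze(result):
    """Per-resource metrics: MD5 of the body, word and character counts, load time."""
    return {
        "path": result.path,
        "status": result.status,
        "md5": hashlib.md5(result.body.encode("utf-8")).hexdigest(),
        "words": len(result.body.split()),
        "chars": len(result.body),
        "elapsed": round(result.elapsed, 3),
    }


def has_extension(path, extensions):
    """True if the last path segment has an extension in the allow-list (case-insensitive)."""
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return False
    ext = name.rsplit(".", 1)[-1].lower()
    return ext in {e.lower().lstrip(".") for e in extensions}


def filter_results(results, show_codes=None, hide_codes=None, extensions=None):
    """Apply the status-code and extension filters, then analyze what remains."""
    rows = []
    for r in results:
        if show_codes and r.status not in show_codes:
            continue
        if hide_codes and r.status in hide_codes:
            continue
        if extensions and not has_extension(r.path, extensions):
            continue
        rows.append(analyze(r))
    return rows


def duplicate_bodies(rows):
    """Group paths by body MD5. One hash shared by several paths is usually a
    catch-all page (a 'soft 404'), so those hits should be discounted."""
    by_md5 = defaultdict(list)
    for row in rows:
        by_md5[row["md5"]].append(row["path"])
    return {h: paths for h, paths in by_md5.items() if len(paths) > 1}


# ANSI colour per status class: 2xx green, 3xx cyan, 4xx red, 5xx magenta.
COLORS = {2: "\033[32m", 3: "\033[36m", 4: "\033[31m", 5: "\033[35m"}
RESET = "\033[0m"


def colorize(row):
    """One coloured report line for a result row."""
    color = COLORS.get(row["status"] // 100, "")
    return (f"{color}{row['status']}{RESET} {row['path']} "
            f"md5={row['md5'][:8]} words={row['words']} "
            f"chars={row['chars']} t={row['elapsed']}s")


PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def png_header_ok(data):
    """True only if the bytes start with the PNG signature; an empty file fails."""
    return data[:8] == PNG_MAGIC


def screenshot_is_valid(png_path):
    """Verify a saved screenshot rather than trusting that the driver wrote one;
    a zero-byte file or a missing file both come back False."""
    try:
        with open(png_path, "rb") as f:
            return png_header_ok(f.read(8))
    except OSError:
        return False


# Constructed sample results (not output from any real site).
SAMPLE = [
    Result("/admin/", 403, "<html>Forbidden</html>", 0.05),
    Result("/backup.zip", 404, "<html>Not found. Try the home page.</html>", 0.04),
    Result("/old.zip", 404, "<html>Not found. Try the home page.</html>", 0.04),
    Result("/manager/", 200, "<html>Password manager login form</html>", 0.12),
    Result("/images/", 301, "", 0.02),
]

if __name__ == "__main__":
    for row in filter_results(SAMPLE, hide_codes={404}):
        print(colorize(row))
    for h, paths in duplicate_bodies(filter_results(SAMPLE)).items():
        print(f"identical body {h[:8]} at {len(paths)} paths: {', '.join(paths)}")
```

Hashing the body rather than comparing sizes is deliberate: two catch-all responses can differ in length by a timestamp or nonce yet still be the same page, and when that happens the word and character counts are the next thing to compare.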

These new capabilities rely on Selenium, a browser automation utility, and PhantomJS, a scriptable headless browser. The convenience features are nice. I have not been able to get automated screenshots to work: everything seemingly runs fine, except that a zero-byte PNG file is created. I assume the issue is related to the nuances of having Kali installed on a MacBook. These graphics challenges are difficult to debug; I ran into a similar graphics issue working with Hashcat last month as well.

That’s a long way of saying I don’t think I’m going to invest the time to get the screenshot capability working.


Brute Force Resource Discovery with Python and FuzzDB

I have been working through a Python course on Lynda.com, and in the course we wrote a brute-force resource discovery tool in Python. You give it a URL, a dictionary word list, and the number of threads to run concurrently. The brute-forcer, named ForzaBruta.py, then works through the word list and reports the response code for each page (404, 403, 200, etc.).

I used the FuzzDB predictable-filepaths, file and directory name brute-forcer list, Raft large directories lowercase. I ran it against my main URL to see whether it could discover the password manager I described twice previously. To my dismay, it found the password manager within 15 minutes. I then narrowed the URL and re-ran ForzaBruta. Bang, my password manager was discovered within 45 minutes. Mind you, the password manager was discovered without a single link pointing to the actual application, and I did not have noteworthy entries in the robots.txt file.

This is a handy utility!

Learnings

1. First of all, remember that nothing truly hides in plain sight on the Internet.

2. I should have picked directory names that were random and not guessable via a dictionary-based brute-force attack. I now have to make this change.

3. My web host did not detect this attack and has no controls in place to prevent it. The analytics I run on the site are delayed and do not adequately record the 404 endpoints, so no help there. While it would be fairly easy to create a honeypot to spot a brute-force attack, none of the controls I have in place spotted this one.
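The two detections that the third learning calls for, as an added example that is not part of the original post and does not depend on the host's analytics: it reads raw web server access-log lines in combined log format, flags any client that produces a burst of 404s inside a sliding time window (the signature a word-list run leaves, since almost every guess misses), and separately reports any request to a decoy path that is never linked from the site. The log lines, the client addresses, the decoy path `/decoy-admin/` and the threshold of 20 misses per minute are all constructed assumptions for the example; a real deployment would read the server's own log and tune the threshold to its traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format as written by Apache/nginx; the sample lines below are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical decoy path: never linked from the site, so any request to it is suspect.
HONEYPOT_PATHS = {"/decoy-admin/"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def parse_log(lines):
    """Parse every line, silently skipping the ones that do not match the format."""
    return [rec for rec in map(parse_line, lines) if rec is not None]


def detect_bursts(records, window_seconds=60, threshold=20):
    """Flag any client that produces `threshold` or more 404s inside a sliding
    window. Returns {ip: (window_start, count)} for the first window that trips."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    flagged = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop misses that fell out of the window
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = (q[0], len(q))
    return flagged


def honeypot_hits(records):
    """Every (ip, path) that touched a decoy path, regardless of status code or rate."""
    return sorted({(r["ip"], r["path"]) for r in records if r["path"] in HONEYPOT_PATHS})


def sample_log():
    """Constructed log: one client requests 25 guessed directories in 25 seconds,
    another browses normally but requests the decoy once. Not real traffic."""
    base = datetime(2024, 7, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /guess{i}/ HTTP/1.1" 404 162 "-" "ForzaBruta"')
    for i, (path, status) in enumerate([("/", 200), ("/blog/", 200), ("/decoy-admin/", 404)]):
        ts = (base + timedelta(seconds=10 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.5 - - [{ts}] "GET {path} HTTP/1.1" {status} 5120 "-" "Mozilla/5.0"')
    lines.append("this line is garbage and should be skipped")
    return lines


if __name__ == "__main__":
    records = parse_log(sample_log())
    for ip, (start, count) in detect_bursts(records).items():
        print(f"ALERT burst: {ip} produced {count} 404s starting {start.isoformat()}")
    for ip, path in honeypot_hits(records):
        print(f"ALERT honeypot: {ip} requested decoy {path}")
```

The decoy check is the cheaper of the two signals: it needs no threshold and fires on a single request, whereas the 404 burst detector has to be tuned so that a broken link crawled by a search engine does not trip it.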