How to perform password cracking using ZAP tool


Brahim Hilal

Aug 31, 2015, 10:00:21 AM
to OWASP ZAP User Group
Hi all,

As I am new to penetration testing and to the ZAP tool, one of the security aspects that I am assigned to test for our web server is password cracking. From the security literature, there are tools that are specialized to perform this kind of password cracking testing by the brute-forcing technique. As I am using the ZAP tool and all of my testing was covered by it, I would appreciate it if someone can tell me if the ZAP tool covers this aspect; if so, which feature, is it manual or automatic, can this aspect be covered by the Fuzzer, how to execute this test, and where to get the results and how to interpret them.

Thank you in advance.


Matt Seil

Aug 31, 2015, 11:54:18 AM
to OWASP ZAP User Group
1.  Capture a request for the username/password page
2.  Right click in the history pane and do Attack -> Fuzz
3.  Highlight the data in the request that you want to fuzz and click add
4.  Clone this repo:  https://github.com/danielmiessler/SecLists.git
5.  Follow steps to attach one of the input files as a payload
6.  Click "Start Fuzzer"

These are somewhat condensed, but note that other things might be necessary for your application, such as custom headers that contain timestamp information, etc.


Brahim Hilal

Aug 31, 2015, 1:40:09 PM
to OWASP ZAP User Group
Hi xeno6696

Thanks for your quick reply. I have logged in to my web app with a wrong password, and then fuzzed that string using a customized file (a dictionary list of user/password pairs from the internet). I also fuzzed the password string using the Fuzzers files (fuzzdb-1.09/wordlists-user-password and wordlists-misc).

Once the fuzz process is completed, how can I get the results? How should I know whether the application password was cracked or not?

From my test, when the fuzz completed successfully, I went to the History tab and tried to find a request that was passed as success, and used the Search tab. There were no requests passed as success.

Any hint? Thanks in advance.

Simon Bennetts

Sep 1, 2015, 8:34:18 AM
to OWASP ZAP User Group
Fuzzing is a manual technique - you specify what ZAP should do and then you need to interpret the results.
ZAP doesn't know that you're trying to crack passwords; all it knows is that you've told it to attack one or more input strings with a set of payloads.
So you need to work out which responses 'worked' for you.
You can do that via information displayed in the Fuzz results tab, e.g. the response size.
You can also search for expected strings, or the lack of them. To do this use the Search tab and select "HTTP Fuzz Results". So you could search for something like "You have logged in" or "Logout" or the absence of "Login" (using the inverse option).
You can also use scripts to parse the results, but you probably won't need to do that in this case.

Does that help?

Simon

Matt Seil

Sep 1, 2015, 8:46:20 AM
to OWASP ZAP User Group
Simon,

Burp Suite has a post-processing facility where you can define text && regex to pre-filter results. I was looking for a ZAP alternative to this when initially answering the question, but didn't see it. Is it a feature we could add?

--
Matt Seil
Cyber Security Software Engineer
Member ACM/OWASP

thc...@gmail.com

Sep 1, 2015, 9:15:38 AM
to zaprox...@googlegroups.com
Hi.

It's possible to pre-filter/discard the results but it needs to be done
with scripts. There's an example in the community scripts that filters
by status code. [1]

Would you mind raising an issue to also support that in the UI?


[1] https://github.com/zaproxy/community-scripts/blob/master/httpfuzzerprocessor/http_status_code_filter.py

Best regards.

Brahim Hilal

Sep 1, 2015, 10:56:13 AM
to OWASP ZAP User Group
Thanks Simon,

It helps. Can you explain more the point where you said:

You can do that via information displayed in the Fuzz results tab, eg the response size.

Thanks


kingthorin+owaspzap

Sep 1, 2015, 11:55:31 AM
to OWASP ZAP User Group
I believe he means that a response from a successful authentication is likely a different size versus the response from a failed authentication.

Brahim Hilal

Sep 1, 2015, 12:26:48 PM
to OWASP ZAP User Group
Thanks all for your input.

To test whether the Fuzzer feature behaves as expected while trying to crack a password, I have created a small dictionary list file including the right password. After a wrong login to the web application, I have fuzzed the password string by adding a payload pointing to my customized file including the right password string. I am expecting to see the following behaviours after the completion of the Fuzzer process:

1. Expected:
The Resp. Header size for the request with the right password payload is very small (as mentioned by Simon) compared to the wrong string payloads.
1. Output:
The current Resp. Header size for the right password string payload is identical to all wrongly attempted password payloads.

2. Expected:
After searching for the right strings (when a user is authenticated and gets access to the application, for instance, <Welcome UserX> and <Sign Out> strings after a successful login), I would expect, after performing this string search in the HTTP Fuzz Results, that the correct HTTP request should be found, as the attack string payload has the right password.
2. Output:
No strings (Welcome UserX and/or Sign Out) from the HTTP Fuzz Results were found.

This is a basic validation to test the Fuzzer feature.

Can any ZAP expert give an explanation and tell me what I am doing wrong with this basic test scenario?

Thanks in advance

Matt Seil

Sep 1, 2015, 1:36:35 PM
to OWASP ZAP User Group
Thanks for your feedback!

thc...@gmail.com

Sep 1, 2015, 1:52:02 PM
to zaprox...@googlegroups.com
Thank you!

Best regards.

thc...@gmail.com

Sep 2, 2015, 3:01:00 AM
to zaprox...@googlegroups.com
Hi.

I'd inspect the message with the right password to check that everything has
the expected values to be a successful authentication.

Maybe it's using an invalid session token? Wrong anti-CSRF token value?
If everything is right, maybe the "issue" is on the server side, a WAF?

Best regards.

Teodor

Apr 30, 2017, 8:53:39 AM
to OWASP ZAP User Group
Hi Guys, the issue is that sometimes the server response for successful vs unsuccessful authentication is very similar. For example, you submit credentials and the response is a redirect to p1.php for success or a redirect to p2.php for failure. In that case you will have the same server response code, a similar response time, a similar response size... How can you identify the valid credentials in a stack of thousands of Fuzz entries (without manually checking each response)?

kingthorin+owaspzap

Apr 30, 2017, 9:56:03 AM
to OWASP ZAP User Group
P1 vs p2 should stick out like a sore thumb....

kingthorin+owaspzap

Apr 30, 2017, 9:58:54 AM
to OWASP ZAP User Group
Also keep in mind that you can sort the fuzz results; having things grouped/ordered sometimes makes differences stick out.

Simon Bennetts

May 2, 2017, 6:00:40 AM
to OWASP ZAP User Group
You can also search the Fuzz results, which would be my suggestion.
Just go to the Search tab and select "HTTP Fuzz Results" from the pull-down.
Use the 'Inverse' option to find responses that _don't_ contain a specific string/regex, e.g. one that matches a failure message.

Cheers,

Simon
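The two triage heuristics the thread converges on (Simon's inverse search for a missing failure marker, and kingthorin's grouping of results so that the odd one out stands apart) applied to constructed records standing in for rows of ZAP's Fuzzer results tab. This is an added example, not ZAP code or a community script; the FuzzResult records, the field names and the two sample sets (Teodor's redirect-only difference and Brahim's identically sized pages) are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FuzzResult:
    payload: str             # label for the fuzzed value (constructed)
    status: int              # HTTP status code of the response
    location: Optional[str]  # Location header, None if absent
    body: str                # response body

def fingerprint(r: FuzzResult, bucket: int = 64) -> tuple:
    """Status, redirect target and coarse body size: the fields the thread
    names as the ones that may differ between a failed and a successful login.
    Bucketing the length hides small per-response noise (e.g. a timestamp)."""
    return (r.status, r.location, len(r.body) // bucket)

def inverse_search(results, failure_marker: str):
    """Simon's 'Inverse' search: keep results whose body lacks the failure text."""
    return [r for r in results if failure_marker not in r.body]

def outliers(results, bucket: int = 64):
    """kingthorin's grouping: whatever is NOT in the majority class is the thing
    to inspect. Returns the results outside the most common fingerprint."""
    if not results:
        return []
    counts = Counter(fingerprint(r, bucket) for r in results)
    majority, _ = counts.most_common(1)[0]
    return [r for r in results if fingerprint(r, bucket) != majority]

def triage(results, failure_marker: str, bucket: int = 64):
    """Map each flagged payload to the heuristics that flagged it. A result
    flagged by both is the strongest candidate; one flagged only by the
    inverse search may simply have a body that never carried the marker."""
    flagged = {}
    for r in inverse_search(results, failure_marker):
        flagged.setdefault(r.payload, []).append("no-failure-marker")
    for r in outliers(results, bucket):
        flagged.setdefault(r.payload, []).append("outlier")
    return flagged

# Constructed sample 1 (Teodor's case): same status, empty bodies, only the
# redirect target differs (p2.php for failure, p1.php once).
REDIRECT_CASE = [
    FuzzResult("try1", 302, "/p2.php", ""),
    FuzzResult("try2", 302, "/p2.php", ""),
    FuzzResult("try3", 302, "/p1.php", ""),
    FuzzResult("try4", 302, "/p2.php", ""),
]
# Constructed sample 2 (Brahim's case): both pages are the same size, so only
# the text content tells them apart.
FORM_CASE = [
    FuzzResult("try1", 200, None, "<h1>Login</h1><p>Invalid password</p>"),
    FuzzResult("try2", 200, None, "<h1>Login</h1><p>Invalid password</p>"),
    FuzzResult("try3", 200, None, "<h1>Welcome UserX</h1><a>Sign Out</a>"),
]
```

In the redirect case the size-based grouping isolates try3 while the inverse search flags everything (no body ever contained "Login"); in the form case the sizes are identical, so only the inverse search finds try3. Using both, and reading the reasons, is what makes the result interpretable.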