Bruting web forms usually is part of a web app assessment. We love to use Hydra, Medusa, or Wfuzz for this but we recently stumbled across a tool that makes it much easier. It’s called Fireforce. It’s a Firefox extension that gives you point and click bruting.
We ran it in our labs with about a 74% success rate, meaning it mapped the parameters for web form logins correctly and gave us the correct password back (aka it didn’t spaz out and kill our browser). So it isn’t perfect, but we’re willing to forgive that for it’s ease of use. It’s dead simple. Give it a username, right click in the form password field, give it the text the login form gives on an unsuccessful login, and a bruteforce list. Make sure to read the documentation as you’ll need to use a seperate firefox profile if you wish to browse will while using the tool, (it’s a mem/cpu hogger). *note* We haven’t done a code analysis on the extension, use at your own risk in your lab.
Also, yesterday we tweeted about Ron Bowes of Skullsecurity.com’s password analysis and password list collection which are much win. Ron has done some data analysis on some of the leaked password lists of the last few years like RockYou, MySpace, and PhpBB. He also stores the default password lists of many common industry tools, and even the passwords conficker used to spread. I’d grab these lists if you dont already have them, who knows how long they will stay up. Ron has actually been on a hot-streak lately, as he has released an awesome tool called dnscat. He also did some VMware Guest stealing NSE scripts which we will post on later 😉
Remember, password bruteforcing is great as long as you don’t DOS the application/server. Also remember just because it’s a web form doesnt mean its not tied to another backend system (ldap, etc) so be aware you could lockout users.
Also you might wanna check out our writeup a bit back on password attacks here.
Get Fireforce Here
Get Password Lists Here
Get DNScat Here
Catch Ron on twitter: @iagox86