1
00:00:00,090 --> 00:00:05,100
So in brute force attacks, it's better to determine some of the rules first.

2
00:00:05,430 --> 00:00:10,020
For example, the password length will be between three and eight.

3
00:00:10,350 --> 00:00:13,840
It will contain just numbers and capital letters, etc.

4
00:00:14,400 --> 00:00:17,580
Suppose that we don't determine any rule.

5
00:00:17,970 --> 00:00:25,110
The brute force tool will try every possibility, starting with one-character-length password possibilities

6
00:00:25,290 --> 00:00:33,180
and then two-character-length password possibilities, etc. In most cases, a dictionary attack is chosen

7
00:00:33,180 --> 00:00:37,320
to crack a password because users have to remember their passwords.

8
00:00:38,190 --> 00:00:44,370
They generally choose passwords that are easily digestible and not complex enough.

9
00:00:44,820 --> 00:00:49,230
There are dictionaries that you can find online which contain the most frequently used passwords.

10
00:00:49,890 --> 00:00:56,190
There are a lot of tools that can be used in password cracking, and some of them can also be used in

11
00:00:56,190 --> 00:00:58,290
online password cracking attacks.

12
00:00:59,280 --> 00:01:05,790
So let's see an online dictionary attack. Here we will use Burp Suite and -- Vulnerable Web Application (DVWA)

13
00:01:05,790 --> 00:01:06,750
for this example.

14
00:01:09,270 --> 00:01:10,770
Go to the login page of DVWA.

15
00:01:12,270 --> 00:01:15,930
Suppose that we don't know any credentials to log in to the application.

16
00:01:17,840 --> 00:01:21,110
Run Burp Suite and turn off interception.

17
00:01:22,700 --> 00:01:25,160
We just collect the login requests at the beginning.

18
00:01:27,550 --> 00:01:32,170
Modify the browser proxy settings to use Burp as the proxy server.

19
00:01:32,200 --> 00:01:34,600
Make a few unsuccessful login attempts.

20
00:01:39,450 --> 00:01:42,120
Now, go back to Burp Suite and find a login request.
21
00:01:44,970 --> 00:01:51,420
Right-click on it and choose Send to Intruder, go to the Intruder tab, go to the Positions tab.

22
00:01:54,240 --> 00:01:55,140
Clear the pointers.

23
00:01:58,100 --> 00:02:00,050
Point to the fields that we want to crack.

24
00:02:05,340 --> 00:02:12,030
Choose Cluster bomb as the attack type. In this type of attack, it iterates through each payload set in

25
00:02:12,030 --> 00:02:15,960
turn, so that all permutations of payload combinations are tested.

26
00:02:15,990 --> 00:02:19,350
Go to the Payloads tab and choose Simple list as the payload type.

27
00:02:19,350 --> 00:02:22,430
Since we use the free version of Burp Suite, the attempts are slowed down.

28
00:02:22,440 --> 00:02:26,010
So in this demo, we use handmade dictionaries which have a few words.

29
00:02:26,790 --> 00:02:29,550
Enter a few words for payload set one:

30
00:02:30,530 --> 00:02:32,660
admin, administrator,

31
00:02:34,400 --> 00:02:35,180
user,

32
00:02:36,950 --> 00:02:37,790
user1.

33
00:02:39,350 --> 00:02:49,490
And a few words for payload set two: 123456, qwerty, user, admin, etc.

34
00:02:49,520 --> 00:02:50,750
Go to the Options tab.

35
00:02:51,110 --> 00:02:53,240
Now let me bring your attention back to here.

36
00:02:53,270 --> 00:02:56,600
Since the first response to a login attempt is a redirection,

37
00:02:58,300 --> 00:03:04,990
we choose "Always" in Redirections, and in the Grep - Match pane we add a string which shows the login attempt

38
00:03:04,990 --> 00:03:07,150
has failed, so it is "Login failed".

39
00:03:10,850 --> 00:03:18,080
And don't forget to tick "Flag result items". Go to the Intruder menu and select Start attack, and see what

40
00:03:18,080 --> 00:03:18,680
we have here.

41
00:03:19,580 --> 00:03:27,110
admin/admin and user/user credentials are not ticked as "Login failed" because they are valid credentials.

42
00:03:28,860 --> 00:03:32,880
Now we can go to the login page and log in with one of the credentials.
43
00:03:33,940 --> 00:03:34,510
CAPTCHA.

44
00:03:35,540 --> 00:03:42,380
An acronym for Completely Automated Public Turing test to tell Computers and Humans Apart.

45
00:03:42,890 --> 00:03:48,650
It's a type of challenge-response test used in computing to determine whether or not the user is human.

46
00:03:49,130 --> 00:03:54,560
It's used in login pages and in forms which have to be filled in by people, not by machines.

47
00:03:54,830 --> 00:04:01,910
CAPTCHA implementations are often vulnerable to various kinds of attacks, even if the generated CAPTCHA

48
00:04:02,060 --> 00:04:02,990
is unbreakable.

49
00:04:03,530 --> 00:04:09,200
The following vulnerabilities are quite common in many CAPTCHA implementations. When the generated image

50
00:04:09,200 --> 00:04:10,340
CAPTCHA is weak,

51
00:04:10,610 --> 00:04:15,590
it can be identified by only a simple comparison with an already broken CAPTCHA.

52
00:04:16,010 --> 00:04:22,640
Another weakness occurs when the generated CAPTCHA questions have a very limited set of possible answers.

53
00:04:23,330 --> 00:04:29,030
When the value of the decoded CAPTCHA is sent by the client, it is often encrypted by a simple algorithm

54
00:04:29,270 --> 00:04:35,510
and can easily be decrypted by the observation of multiple decoded CAPTCHA values, or the value is

55
00:04:35,510 --> 00:04:39,320
hashed by a weak hash function that can be broken using a rainbow table.

56
00:04:39,650 --> 00:04:43,430
Now, in two cases, you can be successful in replay attacks.

57
00:04:44,090 --> 00:04:50,240
First, the application does not keep track of which ID of CAPTCHA image is sent to the user.

58
00:04:51,170 --> 00:04:57,560
Therefore, the attacker can simply obtain an appropriate CAPTCHA image and its ID, solve it, and send

59
00:04:57,560 --> 00:05:00,920
the value of the decoded CAPTCHA with its corresponding ID.
60
00:05:02,020 --> 00:05:07,990
Second, the application does not destroy the session when the correct phrase is entered. By reusing the

61
00:05:08,000 --> 00:05:09,740
session ID of a known CAPTCHA,

62
00:05:09,760 --> 00:05:13,090
it is possible to bypass a CAPTCHA-protected page.