https://blog.g0tmi1k.com/

<!DOCTYPE html><!--[if IEMobile 7 ]><html class="no-js iem7"><![endif]--><!--[if lt IE 9]><html class="no-js lte-ie8"><![endif]--><!--[if (gt IE 8)|(gt IEMobile 7)|!(IEMobile)|!(IE)]><!--><html class="js video maskImage placeholder" lang="en"><!--<![endif]--><head><meta charset="utf-8"><title>g0tmi1k</title><meta name="author" content="g0tmi1k"><meta name="description" content="g0tmi1k's personal blog about information security with how to guides, scripts and videos."><meta name="keywords" content="how to, guides, scripts, videos, g0tmi1k, infosec, security"><meta name="HandheldFriendly" content="True"><meta name="MobileOptimized" content="320"><meta name="viewport" content="width=device-width,minimum-scale=1,maximum-scale=1"><link rel="canonical" href="https://blog.g0tmi1k.com"><link href="/favicon.png" rel="icon"><link href="/stylesheets/screen.css" media="screen, projection" rel="stylesheet" type="text/css"><link href="/atom.xml" rel="alternate" title="g0tmi1k" type="application/atom+xml"> <script type="text/javascript" async="" src="https://ssl.google-analytics.com/ga.js"></script><script src="/javascripts/modernizr-2.0.js"></script><script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script><script>!window.jQuery&&document.write(unescape('%3Cscript src="./javascripts/libs/jquery.min.js"%3E%3C/script%3E'))</script><script src="/javascripts/octopress.js"></script><link href="//fonts.googleapis.com/css?family=PT+Serif:regular,italic,bold,bolditalic" rel="stylesheet" type="text/css"><link href="//fonts.googleapis.com/css?family=PT+Sans:regular,italic,bold,bolditalic" rel="stylesheet" type="text/css"> <script>var _gaq=_gaq||[];_gaq.push(["_setAccount","UA-22029722-4"]),_gaq.push(["_trackPageview"]),function(){var t=document.createElement("script");t.type="text/javascript",t.async=!0,t.src=("https:"==document.location.protocol?"https://ssl":"http://www")+".google-analytics.com/ga.js";var e=document.getElementsByTagName("script")[0];e.parentNode.insertBefore(t,e)}()</script></head><body> <header role="banner"></header> <nav role="navigation"><ul class="subscription" data-subscription="rss"><li><a href="/atom.xml" rel="subscribe-rss" title="subscribe via RSS">RSS</a></li></ul><form action="https://www.google.com/search"><fieldset role="search"> <input type="hidden" name="q" value="site:blog.g0tmi1k.com"> <input class="search" name="q" results="0" placeholder="Search"></fieldset></form><fieldset class="mobile-nav"><select><option value="">Navigate…</option><option value="https://blog.g0tmi1k.com/">» Blog</option><option value="https://blog.g0tmi1k.com/archives/">» Archives</option><option value="https://blog.g0tmi1k.com/atom.xml">» RSS</option></select></fieldset><ul class="main-navigation"><li><a href="/">Blog</a></li><li><a href="/archives/">Archives</a></li></ul></nav><div id="main"><div id="content"><div class="blog-index"> <article> <header><h1 class="entry-title"><a href="/dvwa/bruteforce-high/">DVWA - Brute Force (High Level) - Anti-CSRF Tokens</a></h1><p class="meta"></p> </header><div class="entry-content"><p>This is the final "how to" guide which brute focuses Damn Vulnerable Web Application (DVWA), this time on the <strong>high security level</strong>. It is an expansion from the <a href="https://blog.g0tmi1k.com/dvwa/bruteforce-low/">"low" level (which is a straightforward HTTP GET form attack)</a>. The <a href="https://blog.g0tmi1k.com/dvwa/login/">main login screen</a> shares similar issues (brute force-able and with anti-CSRF tokens). The only other posting is the <a href="https://blog.g0tmi1k.com/dvwa/bruteforce-medium/">"medium" security level post (which deals with timing issues)</a>.</p><p><img class="center" src="/images/dvwa-bruteforce-high.png" title="Brute Force DVWA High Level" alt="Brute Force DVWA High Level" itemprop="image"></p><p>For the final time, let's <strong>pretend we do not know any credentials</strong> for DVWA....</p><p>Let's <strong>play dumb and brute force</strong> DVWA... <em>once and for all!</em></p></div> <footer> <a rel="full-article" href="/dvwa/bruteforce-high/">Read More</a> </footer></article> <article> <header><h1 class="entry-title"><a href="/dvwa/bruteforce-medium/">DVWA - Brute Force (Medium Level) - Time Delay</a></h1><p class="meta"></p> </header><div class="entry-content"><p>This post is a "how to" guide for <strong>Damn Vulnerable Web Application (DVWA)'s brute force module on the medium security level</strong>. It is an expansion from the <a href="https://blog.g0tmi1k.com/dvwa/bruteforce-low/">"low" level (which is a straightforward HTTP GET form attack)</a>, and then grows into the <a href="https://blog.g0tmi1k.com/dvwa/bruteforce-high/">"high" security post (which involves CSRF tokens)</a>. There is also an additional brute force option on the <a href="https://blog.g0tmi1k.com/dvwa/login/">main login screen</a> (consisting of POST redirects and a incorrect anti-CSRF system).</p><p><img class="center" src="/images/dvwa-bruteforce-medium.png" title="Brute Force DVWA Medium Level" alt="Brute Force DVWA Medium Level" itemprop="image"></p><p>Once again, let's <strong>pretend we do not know any credentials</strong> for DVWA.</p><p>Let's <strong>play dumb and brute force</strong> DVWA... <em>again ...again</em>!</p></div> <footer> <a rel="full-article" href="/dvwa/bruteforce-medium/">Read More</a> </footer></article> <article> <header><h1 class="entry-title"><a href="/dvwa/bruteforce-low/">DVWA Brute Force (Low Level) - HTTP GET Form [Hydra, Patator, Burp]</a></h1><p class="meta"></p> </header><div class="entry-content"><p>This post is a "how to" for the <strong>"brute force" module</strong> set to <strong>"low" level security</strong> inside of <strong><a href="http://dvwa.co.uk/">Damn Vulnerable Web Application (DVWA)</a></strong>. There are separate posts for the <a href="https://blog.g0tmi1k.com/dvwa/bruteforce-medium/">medium level (time delay)</a> and <a href="https://blog.g0tmi1k.com/dvwa/bruteforce-high/">high setting (CSRF tokens)</a>. There is a related post for the <a href="https://blog.g0tmi1k.com/dvwa/login/">login screen</a> as it was also brute forced (HTTP POST form with CSRF tokens).</p><p><img class="center" src="/images/dvwa-bruteforce-low.png" title="Brute Force DVWA Low Level" alt="Brute Force DVWA Low Level" itemprop="image"></p><p>Once more, let's <strong>forget the credentials</strong> we used to login to DVWA with (<code>admin</code>:<code>password</code>).</p><p>Let's <strong>not try the default login</strong> for the web application.</p><p>Let's <strong>play dumb and brute force</strong> DVWA... <em>again</em>.</p></div> <footer> <a rel="full-article" href="/dvwa/bruteforce-low/">Read More</a> </footer></article> <article> <header><h1 class="entry-title"><a href="/dvwa/login/">DVWA - Main Login Page - Brute Force HTTP POST Form With CSRF Tokens</a></h1><p class="meta"></p> </header><div class="entry-content"><p>Upon installing <a href="http://dvwa.co.uk/">Damn Vulnerable Web Application (DVWA)</a>, the first screen will be the main login page. Even though technically this is not a module, why not attack it? DVWA is made up of designed exercises, one of which is a challenge, <a href="https://blog.g0tmi1k.com/dvwa/bruteforce-low/">designed to be to be brute force</a>.</p><p><img class="center" src="/images/dvwa-login-code.png" title="DVWA Login" alt="DVWA Login" itemprop="image"></p><p>Let's pretend we did not <a href="https://github.com/RandomStorm/DVWA/blob/master/README.md">read the documentation</a>, the message shown on the setup screens, as well as on the <a href="http://dvwa.co.uk/">homepage</a> of the software when we downloaded the web application.</p><p>Let's forget the default login is: <code>admin</code>:<code>password</code> <em>(which is also a very common default login)</em>!</p><p>Let's play dumb and brute force it =).</p></div> <footer> <a rel="full-article" href="/dvwa/login/">Read More</a> </footer></article> <article> <header><h1 class="entry-title"><a href="/dvwa/index/">Damn Vulnerable Web Application (DVWA)</a></h1><p class="meta"></p> </header><div class="entry-content"><p>This is a <a href="https://blog.g0tmi1k.com/dvwa/">SERIES of blog posts</a>, which will all relate to one another, <strong>but will take time</strong>.</p><p>I'm publishing as I go, but will come back and edit them in places at a later date - as well as adding in videos.</p><p>Best to check back when there is the <strong>"Undocumented" Bugs/Vulnerabilities</strong> post (<strong>that will be the last post</strong>!) ;-).</p><hr><p>The following posts will demonstrate <strong>various environments, scenarios and setups</strong>. This will cover a mixture of Operating Systems (<strong>Linux &amp; Windows</strong>), range of web servers (<strong>Apache, Nginx &amp; IIS</strong>), different versions of PHP (v5.4 &amp; v5.6), databases (MySQL &amp; MariaDB) as well as user permissions (inside the services and also the ones running services on the OS itself). DVWA also comes with a (outdated) <strong>Web Application Firewall (WAF)</strong> called PHP-IDS, which also has its own issues with! Lastly, there are <strong>"undocumented" vulnerabilities</strong> with DVWA's core which are either hidden bugs and/or unintended issues...</p><p><img class="center" src="/images/dvwa-logo.png" title="DVWA Logo" alt="DVWA Logo" itemprop="image"></p></div> <footer> <a rel="full-article" href="/dvwa/index/">Read More</a> </footer></article> <article> <header><h1 class="entry-title"><a href="/2014/01/offensive-security-wireless/">Offensive Security Wireless Attacks (WiFu) + Offensive Security Wireless (OSWP)</a></h1><p class="meta"></p> </header><div class="entry-content"><p><em>The views and opinions expressed on this site are those of the author. Any claim, statistic, quote or other representation about a product or service should be verified with the seller, manufacturer or provider.</em></p><p>A few months back, I took <a href="https://www.offensive-security.com/">Offensive Security</a>'s online course <a href="https://www.offensive-security.com/information-security-training/offensive-security-wireless-attacks/">WiFu</a> course &amp; exam <a href="https://www.offensive-security.com/information-security-certifications/oswp-offensive-security-wireless-professional/">OSWP</a>, as I had written up a review for <a href="https://blog.g0tmi1k.com/2011/07/pentesting-with-backtrack-pwb/">PWB/OSCP</a> &amp; <a href="https://blog.g0tmi1k.com/2013/08/cracking-perimeter-ctp-offensive/">CTP/OSCE</a>, I thought I would do this too. As always, everything in this post is both personal comments and my own experience with the course.</p><p><img class="center" src="/images/offsec-wifu-boxes-medium.png" width="235" height="304" title="Offec WiFu" alt="Offsec WiFu Box" itemprop="image"></p></div> <footer> <a rel="full-article" href="/2014/01/offensive-security-wireless/">Read More</a> </footer></article> <article> <header><h1 class="entry-title"><a href="/2013/08/cracking-perimeter-ctp-offensive/">Cracking the Perimeter (CTP) + Offensive Security Certified Expert (OSCE)</a></h1><p class="meta"></p> </header><div class="entry-content"><p><em>The views and opinions expressed on this site are those of the author. Any claim, statistic, quote or other representation about a product or service should be verified with the seller, manufacturer or provider.</em></p><p>It's been a while <em>(just shy of two years)</em> since I did "<a href="https://blog.g0tmi1k.com/2011/07/pentesting-with-backtrack-pwb/">Penetration Testing with BackTrack (PWB) &amp; Offensive Security Certified Professional (OSCP)</a>". Over the last couple of weeks I've taken the next step with Offensive Security's training course – "<a href="http://www.offensive-security.com/information-security-training/cracking-the-perimeter/">Cracking the Perimeter (CTP)</a>", which, when successfully passed, gives you "<a href="http://www.offensive-security.com/information-security-certifications/osce-offensive-security-certified-expert/">Offensive Security Certified Expert (OSCE)</a>" certificate. Below are my thoughts &amp; feelings regarding my overall experience of the course.</p><p><img class="center" src="/images/offsec-ctp-boxes-medium.png" width="235" height="304" title="Offec CTP" alt="Offsec CTP box" itemprop="image"></p></div> <footer> <a rel="full-article" href="/2013/08/cracking-perimeter-ctp-offensive/">Read More</a> </footer></article> <article> <header><h1 class="entry-title"><a href="/2012/09/pwnos-2-php-web-application/">pWnOS 2 (PHP Web Application)</a></h1><p class="meta"></p> </header><div class="entry-content"><p>This is the second release in the "<a href="https://blog.g0tmi1k.com/categories/pwnos/">pWnOS</a>" <a href="https://blog.g0tmi1k.com/2011/03/vulnerable-by-design/">vulnerable machine</a> collection, however, it has a different creator from the previous one (which explains why it has a different "feel" to it). As always with "<a href="https://blog.g0tmi1k.com/categories/boot2root/">boot2root</a>" machines, it has purposely built "issues" allowing for the machine to become compromised, with the end goal being to become the super user, "root". This method uses a vulnerability in a PHP web application (see <a href="https://blog.g0tmi1k.com/2012/09/pwnos-2-sql-injection/">here</a> for exploiting via SQL injection).</p><p><img class="center" src="/images/pwnos2.png" width="469" height="105" title="pwnOS2" alt="pwnOS Logo" itemprop="image"></p></div> <footer> <a rel="full-article" href="/2012/09/pwnos-2-php-web-application/">Read More</a> </footer></article> <article> <header><h1 class="entry-title"><a href="/2012/09/pwnos-2-sql-injection/">pWnOS 2 (SQL Injection)</a></h1><p class="meta"></p> </header><div class="entry-content"><p>This is the second release in the "<a href="https://blog.g0tmi1k.com/categories/pwnos/">pWnOS</a>" <a href="https://blog.g0tmi1k.com/2011/03/vulnerable-by-design/">vulnerable machine</a> collection, however, it has a different creator from the previous one (which explains why it has a different "feel" to it). As before, it has purposely built in "issues" allowing the machine to become compromised. This method uses a SQL injection flaw (see <a href="https://blog.g0tmi1k.com/2012/09/pwnos-2-php-web-application/">here</a> for exploiting the PHP web application). As always with "<a href="https://blog.g0tmi1k.com/categories/boot2root/">boot2root</a>" machines, the end goal is to become the super user, "root".</p><p><img class="center" src="/images/pwnos2.png" width="469" height="105" title="pwnOS2" alt="pwnOS Logo" itemprop="image"></p></div> <footer> <a rel="full-article" href="/2012/09/pwnos-2-sql-injection/">Read More</a> </footer></article> <article> <header><h1 class="entry-title"><a href="/2012/09/21ltr-scene-1/">21LTR - Scene 1</a></h1><p class="meta"></p> </header><div class="entry-content"><p><a href="https://blog.g0tmi1k.com/categories/21ltr/">21ltr</a> is another <a href="https://blog.g0tmi1k.com/categories/boot2root/">boot2root</a> collection, with its own unique twist. It has various 'issues' with the operating system, which have been purposely put in place to make it <a href="https://blog.g0tmi1k.com/2011/03/vulnerable-by-design/">vulnerable by design</a>. The end goal is to become the '<em>super user</em>' of the system <em>(aka 'root')</em>. There is an optional stage afterwards, in which the user can try and find the '<em>flag</em>', proving <em>(to themselves)</em> that they successfully completed it.</p><p><img class="center" src="/images/21ltr.png" width="326" height="155" title="21ltr" alt="21ltr Logo" itemprop="image"></p></div> <footer> <a rel="full-article" href="/2012/09/21ltr-scene-1/">Read More</a> </footer></article><div class="pagination"> <a class="prev" href="/page/2/">← Older</a> <a href="/archives/">Archives</a></div></div> <aside class="sidebar"> <section class="odd"> <a href="/"><img src="/images/logo.png" class="center" alt="g0tmi1k" id="logo" width="290" height="163"></a> </section> <section class="even"><h1>Recent Posts</h1><ul id="recent_posts"><li class="post"> <a href="/dvwa/bruteforce-high/">DVWA - Brute Force (High Level) - Anti-CSRF Tokens</a></li><li class="post"> <a href="/dvwa/bruteforce-medium/">DVWA - Brute Force (Medium Level) - Time Delay</a></li><li class="post"> <a href="/dvwa/bruteforce-low/">DVWA Brute Force (Low Level) - HTTP GET Form [Hydra, Patator, Burp]</a></li><li class="post"> <a href="/dvwa/login/">DVWA - Main Login Page - Brute Force HTTP POST Form With CSRF Tokens</a></li><li class="post"> <a href="/dvwa/index/">Damn Vulnerable Web Application (DVWA)</a></li><li class="post"> <a href="/2014/01/offensive-security-wireless/">Offensive Security Wireless Attacks (WiFu) + Offensive Security Wireless (OSWP)</a></li><li class="post"> <a href="/2013/08/cracking-perimeter-ctp-offensive/">Cracking the Perimeter (CTP) + Offensive Security Certified Expert (OSCE)</a></li><li class="post"> <a href="/2012/09/pwnos-2-php-web-application/">pWnOS 2 (PHP Web Application)</a></li><li class="post"> <a href="/2012/09/pwnos-2-sql-injection/">pWnOS 2 (SQL Injection)</a></li><li class="post"> <a href="/2012/09/21ltr-scene-1/">21LTR - Scene 1</a></li><li class="post"> <a href="/2012/09/stripe-ctf-20-web-edition/">Stripe CTF 2.0 (Web Edition)</a></li><li class="post"> <a href="/2012/02/kioptrix-level-4-local-file/">Kioptrix - Level 4 (Local File Inclusion)</a></li><li class="post"> <a href="/2012/02/kioptrix-level-4-sql-injection/">Kioptrix - Level 4 (SQL Injection)</a></li><li class="post"> <a href="/2012/02/kioptrix-level-4-limited-shell/">Kioptrix - Level 4 (Limited Shell)</a></li><li class="post"> <a href="/2012/01/hackademic-rtb2/">Hackademic RTB2</a></li></ul> </section> </aside><span class="toggle-sidebar"></span></div></div> <footer role="contentinfo"><div id="footer"> <span style="float:left"> <a href="/atom.xml" title="RSS"><img src="/images/social/rss.png" alt="RSS Feed" title="RSS" height="24" width="24"></a> <a href="https://github.com/g0tmi1k" title="GitHub"><img src="/images/social/github.png" alt="GitHub Profile" title="GitHub" height="24" width="24"></a> <a href="https://twitter.com/g0tmi1k" title="Twitter"><img src="/images/social/twitter.png" alt="Twitter Profile" title="Twitter" height="24" width="24"></a> <a href="http://plus.google.com/110108403609022118432" title="Google Plus"><img src="/images/social/google-plus.png" alt="Google Plus Profile" title="Google Plus" height="24" width="24"></a> </span> <span style="float:right"><p>Copyright © 2009-<span id="footer_date">2024</span> <span class="credit">g0tmi1k</span></p> </span> <script>document.getElementById("footer_date").innerHTML=(new Date).getFullYear()</script></div></footer></body></html>