Automating a brute force web attack
This week was all about hacking at the SANS Cyber Retraining Academy, as students attempted to take control of a drone before embarking on a two-day Netwars capture the flag marathon.
The challenges spanned a huge range of skills – we found ourselves doing everything from setting up backdoors and stealing WordPress credentials to delivering Metasploit payloads and gaining root access on Linux target machines. It was a lot of hard work, but also plenty of fun.
There’s plenty I could write about, but the most satisfying moments came when I managed to automate attacks, so I’ll focus on one specific time my command line skills paid off.
The goal of the exercise was to access a web page as an administrator. Authorisation was managed by a security code supplied with the HTTP GET request, which had to match a randomly-generated code on the page. This changed each time and was impossible to predict, so the only way forward was to subject the site to a brute force attack.
My initial reaction was to choose a valid security code and refresh the page with F5 until the values happened to align, but it quickly became clear that this would take forever and the repetitive action ran the risk of refreshing beyond the authenticated page.
So what, I thought, if I could automate the process within the Linux shell, saving the results of each attempt to remove the need to spot the target page in real time? Here’s what I came up with:
watch -n 1 wget http://targetsystem.com/?securitycode=2208
The first part of this command – watch -n 1 – tells Linux to repeat the following command once every second. The wget command fetches the file from the URL and saves it to Downloads.
Running this for 10 minutes put hundreds of HTML files in my Downloads folder. Spotting the page where authentication was successful was as easy as sorting them by size and spotting the anomaly. It was simple, but a solution to what might have been an overwhelming task.
The lessons I learnt from this trial-and-error process came in useful on several more occasions over the coming days, when I created more shell scripts and looping commands. It just goes to show that the most effective solution is not always the most complex one.
Field notes // A monthly newsletter on tech and design
No spam - just thought-provoking articles and useful tidbits
📓 |
Field Notes newsletter |
Thoughtful monthly insights on tech and business, without the clickbait and noise
No spam. Unsubscribe anytime.
Other posts
- Take note: How to waste less time on the internet
- A reminder that you can just do things... kind of
- Death Stranding: The journeys lost to life on demand
- When you travel, the real journey isn't photographed
- Amazon Kindle review: I wish I'd bought one years ago
- AI chatbots are kicking journalism while it's down
- Agentic AI could be the catalyst for safer autonomy
- Endpoint detection and response (EDR) - setting the record straight
- Quality products begin with detail-obsessed leaders
- Bluesky's nearly there, but it won't replace X just yet
- Staying productive when everything feels urgent
- New York City: Observations and recommendations
- Humanising AI encourages intellectual lethargy