Transcript
English (Auto-generated)
…his. And today we're going to learn about a dictionary attack. So we have a simple Hello World app that is going to accept some kind of authentication, and we're gonna go through a dictionary, which is basically just a word list of common passwords, in order to crack it. Which is pretty interesting from a technical point of view. Like, this isn't a very clever attack, but I do want to show you how you mitigate against this. So this is mostly gonna be coming from a defense perspective, why this would be interesting. Let's make a login here. I'll call it login. Get some autocomplete, beautiful, and we'll call the password abdominal work.

So we're gonna use one of the most common, well-known word lists basically ever, called RockYou. RockYou has an interesting history, um, if you look it up. Yeah, RockYou, the company that made... faced millions of users and their entire password base was released in plain text. Something like 100-and-something megabytes of passwords. So it's still one of the best password lists available: realistic passwords that users are actually likely to use. Okay, so we get the username and password. It's a form. Pretty good. Pretty good. Username and password, admin admin. Let's do something that appears early in the list, because the list is so big. Okay: iloveyou, princess, rockyou, and so on and so forth. Okay, I'm gonna make the password iloveyou. So we're trying to get admin, password. Okay. And we're just going to write a Python script, basically, that will read this rockyou and hack this web app. So let's make sure that that actually works. To be able to use curl: curl localhost:5000/login. The method is gonna be POST and we'll have two pieces of form data. Our username is admin and our password is equal to iloveyou. And we see that we get success. Just to make sure, we'll try something wrong, and great, login failed. Okay. Let's try something that hacks this.
So I mean, as you can imagine, we can do a pretty simple attack just reading from that word list. So we're gonna make some Python code that will do exactly that. We'll call it crack_app. All right. We'll use the requests library, and I forget how to do a form with Python requests, so not do with curl but form... I guess it's payload, and data has to be a dictionary. Let's see, you can use a session. Okay. What a mess. Sorry everybody. Okay. Okay. This is a code example. I was expecting to use curl for this, but then I suddenly decided, I was like, no, you know what, I should use a proper script. Okay. This just says if you just pass it a dictionary as data, I guess that by default is like a form. We'll see if that's true. Okay. So we'll say our request equals requests.post. We're going to post to... ah, this is a really good guess. Uh, now we're gonna do /login I think it's called, and we're gonna send a username, you know what, I'll put that... equals... admin. And yeah. That's ridiculous. iloveyou. Good job. Okay, get it on its own line and I'll just try running this like this. I'm gonna print out whatever the response is, so that request is just to make sure it will work. Login success. That's great. And again we'll try something wrong: login failed. We've got it.

Okay. Obviously we already know what the password is because we developed the app, but pretend we didn't know, right? We would have to use this rockyou password list to see if any of them work. So that's exactly what we'll do. Okay, with open, the file, rockyou.txt. That's rockyou, a pretty good guess here. For line in our file, we have attempt equals line.strip(). I'll just go ahead and... I'll call this attempt password_attempt. That's better. Okay. We'll make a little... I guess the only thing that's ever gonna change is that one part, so we can just do it on the same line. Let's do it like this.
Maybe our little login endpoint, and then we'll pass it a dictionary consisting of username admin and the password is password_attempt, I guess. Okay, so we'll post that over, and then if we... if, okay, so if we find it, we're just gonna break out of this loop entirely. Okay, so this should work. It should only read a few lines, but who knows? Uh, it never works the first time, as they say. So, well, I have an actual... oh, that's interesting. I have an actual, um, what do you call it, that's impact, sir. So I have requests.post, I wonder what it's mad about. Oh, I never closed my... I opened this function with this method call, the post, and I never closed it. Okay, easy peasy. And your response to that? Sexy. Beautiful. That's what I found: iloveyou. And you can even look over here, if we run it again, and see exactly how long it took. Okay. You know, we have 1, 2, 3, 4, 5 requests, and if we look we'll see that that should be on the 1, 2, 3, 4, 5th line. So yep, it totally works.

So the question is, what do you do to restrict something like this? Well, there's a few answers. Usually the answer would be basically rate limiting. If you want it to be accessible from a command line like this or from code, right? We want people to log in via Python, let's say; then in that case we would use rate limiting. If this were a web app we could use like a CAPTCHA system, and we could even use something like a free CAPTCHA that respects user privacy, so that it doesn't require any JavaScript, can be used by Tor, so on and so forth. But yeah, this is the basics of what you would want to do. Um, we have our username, we have our password, everything works. How do we defend against it? Okay. How are we going to implement rate limiting? Well, the main thing we can do... we don't want to say that people can only log into admin a certain number of times, because then you can prevent other people from logging into their account by just trying to log into it. What we want to do is via IP address.
It looks like a Flask request IP address, basically say, hey, they can only make so many requests. Okay. It's part of request.remote_addr. What we do is we would have a list of, like, I don't know, requests... we'll have, like, auth_attempts, a dictionary of how many times each IP has attempted to log in. Okay. So we'll just log attempts like that. And whenever somebody logs in, let's say auth_attempts... let's say if the remote is already in there, then we add one to it, and if not, we set it to one. But we're gonna actually use the current date and time. The reason for that is that if we just added in, like... how are we going to say, I really want to limit them for a certain amount of time, right? We don't want to say, like, okay, you've logged in three times, you're done forever. So that would definitely be bad, actually. We'll get the current Unix epoch. That way it's a number and we can work with it mathematically a little more easily. Okay. We're gonna look at this from the Python REPL. Let's see if it looks like what I'm expecting. Epoch time. Yeah, there we go. Okay. Okay, I think that's the time in seconds since Unix was created. Let me make sure that the Unix epoch is the number of seconds. Okay. So we'll make a function called get the epoch. That's called epoch, exactly what I wanted to do. And so instead of saying set it to equal one attempt, we will create this little list and we'll list all the times that they tried to log in, so that we can see here are the times they've logged in, and how many of those were within the last hour. If there's more than three that were in the last hour, then don't let them log in. Right, okay. Beautiful. All right, but we're not done yet, because we still need to add the functionality that says, hey, you've logged in too many times. We'll do that right up front. Let's say, hey, are they already in there?
So that's what we're gonna do. If they're already in auth_attempts, that's when we would have to worry about that. So if the current epoch... okay, so let's see. So we'll say, I don't know, attempt within hour. Remember, these are seconds. So let's see, first we'll get all of their attempts, right? Yeah. Actually, you know what, let's just use some crazy list comprehension to get just the attempts. We'll say attempts_this_hour, and we will use a list comprehension to say, hey, we just want the ones that are within this amount of time. So let's say attempt... I actually like the little a, I think it's helping me out. There we go. If the attempt... if the current epoch minus the attempt is greater than... what would that be, 60 seconds? We wanted it to be... seconds, which... minutes? Yeah. So in 60 minutes, how many seconds do we have? We have 3600 to make an hour. So if the current time minus that attempt is greater than 300 and is less than that, I mean it was within the last hour, but we can get the number. So these are all the attempts. We can say, if length of attempts_this_hour is more than five, too many attempts. Let's see if it works.

So what we're saying here is, hey, you've logged in too many times, and we want to see if that's gonna work. So let's try logging in a bunch of times. But remember what our app is gonna do is it's going to try... you know, I'm only gonna allow three login attempts per hour, because I think it gets it on the third one. But that's unrealistic. Normally it would take a lot longer than that. So I can only give you three attempts. So restart the server and try brute forcing it again. It should still work, like if we actually just run it: login success, right? But if we try to hack it with our app, it should not work. And if we see what's going on over here, we're getting a bunch of 403 POST /login, and it'll keep going and going and going. It'll never actually work. Okay.
And that's what these 403s are. It's saying, hey, yep, you've logged in too many times, logged in too many times. It's just blocking it because it's rate limiting our IP address. There you go. That's it. So we have an app where you can log into it. But now, actually, if I try logging in manually it should block me, because I have the same IP address: you have too many attempts. So this IP address, because of the script, had too many attempts, and those attempts were within the last hour. So I could wait an hour, or I could just say flask run. Login successful. There you go. That's it. That's the principle of rate limiting. That will prevent dictionary attacks. There are other things you could do, but this is one simple thing you could do that hints at more complex strategies, like trying to prove that someone is a human, or, um, other forms of rate limiting other than IP address, like having some other form of authentication and then only allowing behavior once they're there, and there's all kinds of things you can do. Um, but I hope this gives you a basic idea, and thanks a lot for your time. Bye bye.
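The following is an added example, not code from the video. It rebuilds both halves of the walkthrough in plain Python without Flask or requests, so it runs offline: the per-IP sliding window of epoch timestamps from the video (a dict keyed by what the Flask app reads from request.remote_addr, a list comprehension selecting attempts within the last hour, a 403 once too many fall inside the window) and the crack_app-style loop that tries candidates in order and stops on "login success". The names LoginRateLimiter, login, dictionary_attack and iter_wordlist, the IP addresses, and the ten-entry stand-in for the head of rockyou.txt are all constructed here for illustration. It also shows the two checks a practitioner would want before trusting the defence: a second IP is not affected (the limit is per IP, not per account, so an attacker cannot lock the admin out), and the same IP is allowed again once its old attempts age out of the window. Like the video, the state is an in-process dict, which is why a restart clears it.

```python
import secrets
from collections import defaultdict

WINDOW_SECONDS = 3600  # "within the last hour"
MAX_ATTEMPTS = 3       # the video ends up allowing three login attempts per hour


class LoginRateLimiter:
    """Per-IP sliding window of Unix-epoch timestamps, like the auth_attempts
    dict in the video (keyed by request.remote_addr in the Flask app).
    Hypothetical class name; not the video's code."""

    def __init__(self, window=WINDOW_SECONDS, max_attempts=MAX_ATTEMPTS):
        self.window = window
        self.max_attempts = max_attempts
        self.auth_attempts = defaultdict(list)  # ip -> [epoch, epoch, ...]

    def attempts_this_hour(self, ip, now):
        # Same list comprehension as the video; the pruned list is written
        # back so the in-memory dict does not grow without bound.
        recent = [t for t in self.auth_attempts[ip] if now - t < self.window]
        self.auth_attempts[ip] = recent
        return recent

    def is_blocked(self, ip, now):
        return len(self.attempts_this_hour(ip, now)) >= self.max_attempts

    def record(self, ip, now):
        self.auth_attempts[ip].append(now)


USERS = {"admin": "iloveyou"}  # constructed demo credential, same as the video


def login(limiter, ip, username, password, now):
    """Stand-in for the Flask /login route: the rate-limit check runs first,
    every attempt (success or failure) is recorded as in the video, and only
    then is the credential checked. Returns (status code, body)."""
    if limiter.is_blocked(ip, now):
        return 403, "too many attempts"
    limiter.record(ip, now)
    expected = USERS.get(username, "")
    # Constant-time compare on bytes (rockyou has non-ASCII entries). A real
    # app compares against a salted hash rather than a stored plaintext.
    if expected and secrets.compare_digest(expected.encode(), password.encode()):
        return 200, "login success"
    return 401, "login failed"


def iter_wordlist(path):
    """Yield candidates from a rockyou-style file. rockyou.txt is not valid
    UTF-8 throughout, so decode as latin-1 instead of crashing mid-file."""
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            candidate = line.rstrip("\r\n")
            if candidate:
                yield candidate


# Constructed stand-in for the first ten lines of rockyou.txt.
HEAD_OF_ROCKYOU = ["123456", "12345", "123456789", "password", "iloveyou",
                   "princess", "1234567", "rockyou", "12345678", "abc123"]


def dictionary_attack(limiter, ip, username, wordlist, start=0, spacing=1):
    """What crack_app.py does: try each candidate in order, one request every
    `spacing` seconds, and stop on success. Returns (password or None, statuses)."""
    statuses = []
    for i, candidate in enumerate(wordlist):
        status, _ = login(limiter, ip, username, candidate, now=start + i * spacing)
        statuses.append(status)
        if status == 200:
            return candidate, statuses
    return None, statuses


def attack_unlimited():
    # No defence: the attacker at (hypothetical) 10.0.0.5 hits "iloveyou" on request 5.
    limiter = LoginRateLimiter(max_attempts=10**9)
    return dictionary_attack(limiter, "10.0.0.5", "admin", HEAD_OF_ROCKYOU)


def attack_rate_limited():
    limiter = LoginRateLimiter()
    # Requests 4..10 get 403 and the password is never found.
    found, statuses = dictionary_attack(limiter, "10.0.0.5", "admin", HEAD_OF_ROCKYOU)
    # A different client IP is unaffected: per-IP limiting, not per-account lockout.
    other_ip = login(limiter, "10.0.0.9", "admin", "iloveyou", now=20)
    # The attacker's IP is allowed again once its old attempts leave the window.
    later = login(limiter, "10.0.0.5", "admin", "iloveyou", now=WINDOW_SECONDS + 1)
    return found, statuses, other_ip, later


if __name__ == "__main__":
    print("no rate limit:", attack_unlimited())
    print("rate limited: ", attack_rate_limited())
```

To run the loop against a real wordlist, replace HEAD_OF_ROCKYOU with iter_wordlist("rockyou.txt"). The per-IP window only slows down a single source; an attacker spreading guesses across many addresses needs the other measures the video mentions, such as a CAPTCHA or limits tied to something other than the IP.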