Why not look at Elza (1.4.7) (you will find it on Packetstorm)...there is even an example for brute forcing a web form in the distribution. Life is made much easier than writing the whole thing in Libwww (although that would be my purest solution)as you can setup an elz script to grab any form fields and populate them from a txt file so if you want to brute something like a IIS admin page with three form fields over ssl you can easily do that as well. It uses stunnel for the ssl. Be sure to edit the def file with the appropriate location of stunnel and be sure to have open ssl installed. -----Original Message----- From: Penetration Testers [mailto:PEN-TESTat_private]On Behalf Of Batten, Gerald Sent: Monday, April 23, 2001 6:07 AM To: PEN-TESTat_private Subject: Re: [PEN-TEST] Web site password guessing over SSL Thanks to everyone who gave me helpful suggestions. I decided to write my own program to do the brute-forcing on the form. Unfortunately, I didn't have the time to re-learn Perl (it's been a couple of years), so I wrote it in WinBatch. I was able to write the entire thing, and even add a couple of 'nice-to-have' features, and it only took me one afternoon. It's slow, but it works and right now that's what counts. Before you ask, I can't release the source code (yet) until I get my boss's permission. But the source code to submit a form is included in the WinBatch documentation. Just get the hang of nested loops and file handling and you're there. Gerald.
This archive was generated by hypermail 2b30 : Mon Apr 23 2001 - 18:44:21 PDT