Best approach for a site with no SSL
#1
I'm checking out this site.
No SSL

I thought of a brute-force attack, but this site is not popular so a wordlist won't work on the login.

Ideally I'd like to get credentials or db.

SQL injection or xss?
#2
Hm... don't see what the absence of the SSL layer has to do with getting creds for it, it just means your http traffic is not encrypted and the site doesn't use any sort of certificate. Well, unless you're talking about user creds...

If you are looking for USER credentials, like their customer accounts, you should consider setting up a man-in-the-middle attack via corrupted DNS caches. Due to the lack of SSL, you can easily request & resend the pages and requests, reading all of them and getting your hands on usernames and passwords. It won't make any difference to the end user, since they only get security alerts for https sites with faulty certificates.
With that approach, you might only get the hashed user creds, so in order to log in yourself, you would need to edit your own http requests for the site, which takes additional capturing effort. I recommend using either Burp Suite or tcpdump for it, as both of them are quite handy for copy-pasting http stuff.

Otherwise, sure, XSS and SQLI can do the trick too, if you know how to do it.

If you are after the website admin's creds, you could consider using some http webserver exploit; perhaps the site is missing a few patches since the admin was too cheap to set up SSL? Sometimes you can even XSS with PHP instead of JS, which allows you to open a remote shell on the server.
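Post #2 is about what plain HTTP exposes to anyone positioned on the network path between a user and the site. The following is an added example, not code from this thread or from any tool named in it, written from the site operator's side: a small Python audit that takes a captured login-page response and flags the properties that make credentials interceptable (no redirect from HTTP to HTTPS, no HSTS on the HTTPS version, a session cookie without the Secure and HttpOnly flags, and a form that posts to an absolute http:// URL). The three responses, the hostname example.test and the cookie values are constructed for the example.

```python
"""
Audit a captured HTTP response for the plaintext-credential risk discussed in post #2.
Added example; the responses below are constructed, not captured from any real site.
"""
import re
from typing import List

Response = dict  # keys: url, status, headers (list of (name, value) pairs), body

# Constructed: a login form served over plain HTTP with an unprotected session cookie.
WEAK_RESPONSE: Response = {
    "url": "http://example.test/login",
    "status": 200,
    "headers": [("Content-Type", "text/html"), ("Set-Cookie", "session=abc123; Path=/")],
    "body": '<form method="post" action="http://example.test/login">'
            '<input name="user"><input name="pass" type="password"></form>',
}

# Constructed: the same page after the server was fixed (HTTPS, HSTS, cookie flags).
HARDENED_RESPONSE: Response = {
    "url": "https://example.test/login",
    "status": 200,
    "headers": [
        ("Content-Type", "text/html"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ],
    "body": '<form method="post" action="/login">'
            '<input name="user"><input name="pass" type="password"></form>',
}

# Constructed: the plain-HTTP URL now only redirects to HTTPS, which is the desired state.
REDIRECT_RESPONSE: Response = {
    "url": "http://example.test/login",
    "status": 301,
    "headers": [("Location", "https://example.test/login")],
    "body": "",
}


def audit_login_response(resp: Response) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    url = resp["url"].lower()
    headers = [(name.lower(), value) for name, value in resp["headers"]]
    lookup = dict(headers)  # last value wins; fine for the single-valued headers used here

    # 1. A login page delivered over plain HTTP is readable by anyone on the path,
    #    unless the plain-HTTP URL does nothing but redirect to HTTPS.
    if url.startswith("http://"):
        location = lookup.get("location", "")
        if not (300 <= resp["status"] < 400 and location.lower().startswith("https://")):
            findings.append("login page served over plain HTTP with no redirect to HTTPS")
    # 2. HSTS only counts when delivered over HTTPS; browsers ignore it on HTTP responses.
    elif "strict-transport-security" not in lookup:
        findings.append("missing Strict-Transport-Security header")

    # 3. A cookie without Secure is sent over HTTP too; without HttpOnly it is readable by XSS.
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split(";", 1)[0].split("=", 1)[0].strip()
        attrs = {attr.strip().lower() for attr in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie '{cookie_name}' lacks the Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie '{cookie_name}' lacks the HttpOnly flag")

    # 4. A form posting to an absolute http:// URL sends the credentials in the clear
    #    even when the page itself was loaded over HTTPS.
    for action in re.findall(r'action="([^"]*)"', resp["body"], flags=re.I):
        if action.lower().startswith("http://"):
            findings.append(f"form posts credentials to a plain-HTTP URL: {action}")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE),
                        ("redirect", REDIRECT_RESPONSE)):
        print(label, audit_login_response(resp) or ["no findings"])
```

The redirect case is included deliberately: an operator who only adds a certificate but keeps serving the login form on port 80 has not removed the exposure, while an operator whose port 80 answers only with a redirect has.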
#3
First of all, I don't endorse going around cracking accounts or cracking in general. So this is all theoretically speaking from me. I agree with serpent. SSL doesn't really affect whether you can brute force logins or not. And fewer users doesn't necessarily mean that a wordlist won't work. Here's what I would do in your situation. Check if there's a list of the users' usernames on the site anywhere and gather those. Then see if you can find anywhere (like the registration page) where the password requirements are specified. For example how long passwords have to be, whether digits and special characters are required. Stuff like that. First go-around, try the username as the password if the password requirements allow it. Then try a combo of a few common passwords from wordlists (20 or so passwords) and common first names. If you're feeling adventurous you can add 1-4 digits to the end of the name passwords. That should cover a decent portion of passwords.
#4
(12-31-2020, 03:42 PM)serpent Wrote: Hm... don't see what the absence of the SSL layer has to do with getting creds for it, it just means your http traffic is not encrypted and the site doesn't use any sort of certificate. Well, unless you're talking about user creds...

If you are looking for USER credentials, like their customer accounts, you should consider setting up a man-in-the-middle attack via corrupted DNS caches. Due to the lack of SSL, you can easily request & resend the pages and requests, reading all of them and getting your hands on usernames and passwords. It won't make any difference to the end user, since they only get security alerts for https sites with faulty certificates.
With that approach, you might only get the hashed user creds, so in order to log in yourself, you would need to edit your own http requests for the site, which takes additional capturing effort. I recommend using either Burp Suite or tcpdump for it, as both of them are quite handy for copy-pasting http stuff.

Otherwise, sure, XSS and SQLI can do the trick too, if you know how to do it.

If you are after the website admin's creds, you could consider using some http webserver exploit; perhaps the site is missing a few patches since the admin was too cheap to set up SSL? Sometimes you can even XSS with PHP instead of JS, which allows you to open a remote shell on the server.

Thanks, a lot of things to think about. I don't know how to do MITM yet.
Hope I learn this at some point.
#5
(12-31-2020, 09:39 PM)DeepLogic Wrote: First of all, I don't endorse going around cracking accounts or cracking in general. So this is all theoretically speaking from me. I agree with serpent. SSL doesn't really affect whether you can brute force logins or not. And fewer users doesn't necessarily mean that a wordlist won't work. Here's what I would do in your situation. Check if there's a list of the users' usernames on the site anywhere and gather those. Then see if you can find anywhere (like the registration page) where the password requirements are specified. For example how long passwords have to be, whether digits and special characters are required. Stuff like that. First go-around, try the username as the password if the password requirements allow it. Then try a combo of a few common passwords from wordlists (20 or so passwords) and common first names. If you're feeling adventurous you can add 1-4 digits to the end of the name passwords. That should cover a decent portion of passwords.

Yes there is a list of members for this site.
I was thinking of using Sentry MBA with a big wordlist from a similar category.
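Posts #3 and #5 describe wordlist-driven login attempts from the attacker's side: a short list of common passwords tried against a gathered member list, or a large wordlist fed to a login tool. The following is an added example, not code from this thread or from any tool named in it, showing what that same activity looks like to the site's operator and how to flag it in Python. The log format, addresses, usernames and thresholds are all hypothetical and constructed; the detector flags two patterns, one source failing against many different accounts inside a short window (a short password list sprayed across a member list), and one account failing from many different sources.

```python
"""
Spot wordlist / password-spraying login attempts in an application's auth log.
Added example; the log format below is hypothetical, not that of any real product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample log (hypothetical format: timestamp, source IP, account tried,
# outcome). None of the addresses or accounts are real; they use documentation ranges.
SAMPLE_LOG = """\
2021-01-02T10:00:01Z ip=203.0.113.5 user=alice result=fail
2021-01-02T10:00:02Z ip=203.0.113.5 user=bob result=fail
2021-01-02T10:00:03Z ip=203.0.113.5 user=carol result=fail
2021-01-02T10:00:04Z ip=203.0.113.5 user=dave result=fail
2021-01-02T10:00:05Z ip=203.0.113.5 user=erin result=fail
2021-01-02T10:00:06Z ip=203.0.113.5 user=frank result=fail
2021-01-02T10:00:07Z ip=203.0.113.5 user=grace result=fail
2021-01-02T10:00:08Z ip=203.0.113.5 user=heidi result=fail
2021-01-02T10:05:00Z ip=192.0.2.1 user=admin result=fail
2021-01-02T10:05:01Z ip=192.0.2.2 user=admin result=fail
2021-01-02T10:05:02Z ip=192.0.2.3 user=admin result=fail
2021-01-02T10:05:03Z ip=192.0.2.4 user=admin result=fail
2021-01-02T10:05:04Z ip=192.0.2.5 user=admin result=fail
2021-01-02T10:05:05Z ip=192.0.2.6 user=admin result=fail
2021-01-02T10:10:00Z ip=198.51.100.7 user=alice result=fail
2021-01-02T10:10:20Z ip=198.51.100.7 user=alice result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Event]:
    """Parse the hypothetical log format; malformed lines are skipped, not fatal."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                            m["ip"], m["user"], m["result"] == "ok"))
    return events


def detect_login_attacks(events: List[Event], window: timedelta = timedelta(minutes=10),
                         min_users: int = 5, min_ips: int = 5) -> Dict[str, Dict[str, int]]:
    """
    Return {"spraying": {ip: distinct accounts failed within one window},
            "distributed": {account: distinct source IPs that failed on it}}
    containing only the sources/accounts that crossed the (constructed) thresholds.
    """
    failures = [e for e in events if not e.ok]

    # One source, many accounts: a password list sprayed over a member list.
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in failures:
        by_ip[e.ip].append(e)
    spraying: Dict[str, int] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        best = 0
        for i, start in enumerate(evs):  # sliding window anchored at each failure
            users = {e.user for e in evs[i:] if e.ts - start.ts <= window}
            best = max(best, len(users))
        if best >= min_users:
            spraying[ip] = best

    # One account, many sources: guessing spread over several addresses to dodge
    # per-IP lockouts. A single user mistyping twice from one address never trips this.
    by_user: Dict[str, set] = defaultdict(set)
    for e in failures:
        by_user[e.user].add(e.ip)
    distributed = {user: len(ips) for user, ips in by_user.items() if len(ips) >= min_ips}

    return {"spraying": spraying, "distributed": distributed}


if __name__ == "__main__":
    print(detect_login_attacks(parse_log(SAMPLE_LOG)))
```

Counting distinct accounts per source, rather than raw failures per source, is what separates a spray from one legitimate user fumbling a password; the alice entries from 198.51.100.7 produce no alert. Per-account lockout alone does not catch the second pattern, which is why the detector also counts distinct sources per account.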
#6
If you want to get credentials or the DB, that has nothing to do with the presence of SSL, because SSL is a means of transporting data in secure/encrypted mode.
Even SSL vulnerabilities can't help you get credentials or the DB, EXCEPT if you are on the same network as the administrator or users of the website.


Well, finally you must learn more about web pentesting, and take a basic look inside web servers https://www.tecmint.com/best-open-source...rvers/amp/ , then learn more about how to discover and exploit web vulns in different FRAMEWORKS. It's a bit big because each web framework differs from one to another; you can start with PHP or Python or something else. Then practice and act, just be patient :D . Good luck ;)
#7
(01-02-2021, 01:19 PM)9ys Wrote: If you want to get credentials or the DB, that has nothing to do with the presence of SSL, because SSL is a means of transporting data in secure/encrypted mode.
Even SSL vulnerabilities can't help you get credentials or the DB, EXCEPT if you are on the same network as the administrator or users of the website.


Well, finally you must learn more about web pentesting, and take a basic look inside web servers https://www.tecmint.com/best-open-source...rvers/amp/ , then learn more about how to discover and exploit web vulns in different FRAMEWORKS. It's a bit big because each web framework differs from one to another; you can start with PHP or Python or something else. Then practice and act, just be patient :D . Good luck ;)

Hi,
I do run my own servers (Apache, nginx), crack WiFi, test-run a botnet, and have modified a crypter.
For sure I'm just starting, though.

I tried scanning the site with a CMS detector but nothing came up. I'm guessing it's not WordPress or a common framework.
#8
Try something more hardcore like NIKTO...