TL;DR
This guide shows you how to use OWASP ZAP to brute force alphanumeric passwords between 1 and 7 characters long. It’s a basic example, but it demonstrates the core principles of automated password cracking.
Steps
- Install and Launch ZAP

  Download OWASP ZAP from the official website and install it. Once installed, launch the application.

- Configure a New Session

  Start a new session in ZAP. You can choose ‘Automated Scan’ or ‘Manual Exploration’, depending on your needs. For this example, we’ll assume you are testing a local web application.

- Spider the Target Application

  Use ZAP’s spider to map out the target application. This helps identify all potential login forms and endpoints. Right-click in the ‘Sites’ tree, select ‘Attack’, then ‘Spider…’. Configure the spider as needed (e.g., maximum depth) and start the scan.

- Identify the Login Form

  Once the spider is complete, review the ‘Sites’ tree to locate the login form you want to test. Look for forms with input fields like ‘username’ and ‘password’.

- Access Forced Browse

  Right-click on the identified login form in the ‘Sites’ tree, select ‘Attack’, then ‘Forced Browse…’. This will help ZAP understand how to submit credentials.

- Configure the Brute Force Attack
  - Navigate to ‘Tools’ -> ‘Options’ -> ‘Brute Force’.
  - Under ‘Attack Configuration’, set the following:
    - Method: GET or POST (choose based on how your login form submits data).
    - Target URL: The URL of the login form.
    - Parameter Name(s): The name of the password parameter in the login form (e.g., ‘password’).
  - Under ‘Password List’, click ‘Add’ and select a suitable password list file.
    - For alphanumeric passwords, you can create a text file containing a list of possible passwords, one per line. A simple example might include: password, 123456, admin, etc.
    - Alternatively, use a pre-built password list (be aware of legal implications).
  - Under ‘Attack Strength’, configure the following:
    - Minimum Length: 1
    - Maximum Length: 7
    - Character Set: Alphanumeric (a-z, A-Z, 0-9)

- Start the Attack

  Click ‘Attack’ to start the brute force attack. ZAP will begin submitting passwords from the list to the login form.

- Monitor the Results

  The ‘Alerts’ tab will display any successful or failed attempts. Look for alerts indicating a valid password has been found (HTTP 200 OK response, usually). The ‘History’ tab shows all requests made during the attack.

- Review and Analyze Results

  Carefully review the results in the ‘Alerts’ and ‘History’ tabs. Pay attention to any successful login attempts and investigate further. Remember that brute force attacks can be noisy and may trigger security measures on the target application.
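The noise this attack produces is exactly what a defender looks for. The following is an added example, not part of the original guide and not ZAP code: a small Python detector that reads web-server access log lines for POSTs to the login path and flags a source IP once its failed logins inside a sliding window reach a threshold, and separately notes a success that arrives while that burst is still open (the signature of a password list hitting a valid credential). The log lines, the `/login` path, the 401 failure status, the 5-in-60-seconds threshold and the `success_codes` set are constructed assumptions; 302 is included alongside the 200 the guide mentions because many applications redirect after a successful login.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log (combined-log style), not from the original page:
# 10.0.0.5 hammers /login and then gets in; 192.168.1.20 mistypes once and retries later.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
192.168.1.20 - - [12/Mar/2024:10:00:04 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [12/Mar/2024:10:00:05 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [12/Mar/2024:10:00:07 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [12/Mar/2024:10:00:09 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [12/Mar/2024:10:00:13 +0000] "POST /login HTTP/1.1" 200 2048
192.168.1.20 - - [12/Mar/2024:10:03:30 +0000] "POST /login HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_events(log_text, login_path="/login"):
    """Return (timestamp, ip, status) for POSTs to the login endpoint, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"] == login_path:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((ts, m["ip"], int(m["status"])))
    return sorted(events)

def detect_bruteforce(log_text, threshold=5, window_seconds=60, success_codes=(200, 302)):
    """Flag IPs with >= threshold failed logins in a sliding window; note success after a burst."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    report = defaultdict(lambda: {"peak_failures": 0, "flagged": False, "success_after_burst": False})
    for ts, ip, status in parse_events(log_text):
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that have aged out of the window
        if status in success_codes:
            if len(q) >= threshold:
                report[ip]["success_after_burst"] = True
            q.clear()             # a successful login ends the failure streak
            continue
        q.append(ts)
        report[ip]["peak_failures"] = max(report[ip]["peak_failures"], len(q))
        if len(q) >= threshold:
            report[ip]["flagged"] = True
    return dict(report)
```

Run `detect_bruteforce(SAMPLE_LOG)` to see the attacking IP flagged with `success_after_burst` set, while the single typo from the legitimate user stays below the threshold.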