Help with Brutus

[usernull]

I manage a site that has a phpBB forum and I would like to test our login security. We recently had several moderator accounts broken into. The site owner demands that I find and reproduce the security exploit to show him the amount of work it would take for someone to break in again. He wishes to do this in order to judge if he feels it's worth paying a professional to set up advanced encryption and the like. FYI, I'm a college student studying IT, I have just started my sophomore year and cannot say I'm that particularly knowledgeable about encryption/hashes or anything of the like.

Anyways, after reviewing the network logs from the day of the incident, I'm assuming the accounts were hacked using a brute force cracker. There were a ton of requests for random strings, that is what lead me to believe so. I've tried researching some brute force programs and Brutus seems to be a popular one with the HTTP form capability. I have spent the last day or two reading tutorials I find but I can't seem to find out how to correctly implement it. This is where I ask of your help.

Once I've started up the program, I select the HTTP form type. I leave the connection settings and form settings alone, but I go into the "modify sequence" menu. I enter the URL of our login form and match up the username/password ID's. I've input the error message that displays on the page in the first HTML response. As for authentication options, I've applied the list of our users and selected "Brute force" mode.

Whenever I attempt to run the program, it successfully connects and attempts to input a password, but only one. After the first password attempt, it does nothing. It does not say that the password was incorrect or that the program has disconnected, it's just perpetually on the first password attempt. I've tried fiddling around with the settings but this is as far as I can get.

Does anyone have any idea as to why it does not continue any further? It connects to our server, so I'm assuming it's not a port issue. Is there something I've overlooked in the HTTP form options? Could it be a flaw in the program itself? Are there any other programs someone could recommend that use HTTP form? Any help would be greatly appreciated.

[thedotmaster]

There's no need to brute force your own site to test it, it's pretty obvious that it's bruteforce-able.
A simple way to stop bruteforcing is implementing a series of controls:
[list=][*]Password length longer than 6, or better, 8 characters
[*]Password must contain a number
[*]Only 3 password attempts (or similar) per hour
[*]Enter a captcha on login
[*]Check referrers (though this can be spoofed, it will put off some bruteforce attacks)
[*]IP block repeat offenders (though this also can be circumvented)[/list]

Some of those methods can prove annoying for the user, especially the captcha. It is crucial that you get a good balance of security and ease of use. One of the best bits of security is limiting password attempts.

As you are using phpBB, you will need to either work out how to enable these features (I don't know if they exist, I have never administrated phpBB) or alter the code yourself to add them. That might be pretty challenging, but it's definitely worth it.
Try googling for modules or fixes.

[usernull]

I appreciate the advice, but like I stated in the post, my boss is requesting that I reproduce attack. He is unfamiliar with any sort of hacking and assumes it's like the movies where it can be done in seconds with just a few keystrokes.

[thedotmaster]

Sorry, I won't help you with that because firstly there is no skill involved in brute forcing (and it certainly isn't hacking) and also I can't see why there is any need for you to brute force your own login.
I get the feeling somehow that the login you are targeting isn't actually your own.
Good day.

[usernull]

That's fine, I understand your concern, even though I thought this would certainly be the type of forum that would have someone informed on the subject and willing to help. Evidently not.

One further question, if you feel so inclined to answer. You mentioned limiting the number of login attempts per IP. The attacks we previously sustained came from multiple IP's, literally hundreds or thousands. I am assuming that they were using a brute force program in conjunction with a rotating IP list or something along those lines. Besides the use of a CAPTCHA for every single login, what can I do to prevent someone using that type of attack?

[thedotmaster]

A simple solution would involve a delay period between logins. If the user enters their password incorrectly the first time, they can enter it again in 10 seconds. This could then increase to 20 seconds for the third attempt, 40 seconds.. 80.. etc.
It would be reset when a login is successful.

This is the best method for dealing with brute force attempts apart from captchas, which can be annoying. I would strongly recommend implementing the referrer check (i.e. stop access attempts which do not originate from the login form).
This is pretty simple to do and will deter 90% of brute force attempts.

HackThisSite are against criminal behaviour, as I am too. That's why I won't mention how to use a bruteforce tool. If you really want to, there are tutorials out there on the net. Better still, write your own brute forcer.