I manage a site that has a phpBB forum and I would like to test our login security. We recently had several moderator accounts broken into. The site owner demands that I find and reproduce the security exploit to show him the amount of work it would take for someone to break in again. He wishes to do this in order to judge if he feels it's worth paying a professional to set up advanced encryption and the like. FYI, I'm a college student studying IT, I have just started my sophomore year and cannot say I'm that particularly knowledgeable about encryption/hashes or anything of the like.
Anyways, after reviewing the network logs from the day of the incident, I'm assuming the accounts were hacked using a brute force cracker. There were a ton of requests for random strings, that is what lead me to believe so. I've tried researching some brute force programs and Brutus seems to be a popular one with the HTTP form capability. I have spent the last day or two reading tutorials I find but I can't seem to find out how to correctly implement it. This is where I ask of your help.
Once I've started up the program, I select the HTTP form type. I leave the connection settings and form settings alone, but I go into the "modify sequence" menu. I enter the URL of our login form and match up the username/password ID's. I've input the error message that displays on the page in the first HTML response. As for authentication options, I've applied the list of our users and selected "Brute force" mode.
Whenever I attempt to run the program, it successfully connects and attempts to input a password, but only one. After the first password attempt, it does nothing. It does not say that the password was incorrect or that the program has disconnected, it's just perpetually on the first password attempt. I've tried fiddling around with the settings but this is as far as I can get.
Does anyone have any idea as to why it does not continue any further? It connects to our server, so I'm assuming it's not a port issue. Is there something I've overlooked in the HTTP form options? Could it be a flaw in the program itself? Are there any other programs someone could recommend that use HTTP form? Any help would be greatly appreciated.