HTTP Hacking with Python (Mac Version)

What You Need

A Mac or Linux computer.

Purpose

Learn Python HTTP Methods.

Task 1: Using HEAD to Grab HTTP Banners

In a Terminal window, execute this command to create and edit a file named "head.py".
nano head.py
In nano, enter this code, as shown below:
import socket
s = socket.socket()          # TCP socket (IPv4 stream socket by default)
s.settimeout(2)              # give up if the server stays silent for 2 seconds

target = 'ad.samsclass.info'

s.connect((target, 80))      # plain HTTP on port 80
# Minimal HTTP/1.1 HEAD request; the Host header is mandatory in HTTP/1.1
s.send('HEAD / HTTP/1.1\nHost: ' + target + '\n\n')
print s.recv(1024)           # read up to 1024 bytes of the reply (Python 2 print statement)
s.close()

Press Ctrl+X, Y, Enter to save the file.

Running the HEAD Script

In a Terminal window, execute this command to run the head.py program.
python head.py
You should see an HTTP banner, telling you that my server uses Apache on Ubuntu Linux, as shown below:

Explanation

This code connects on TCP port 80 just like the scanner you made in a previous project, but once it connects, it sends an HTTP request like this:
HEAD / HTTP/1.1
Host: www.ccsf.edu
The HEAD method returns only the response headers (the banner), not the body of any page on the server.
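The same banner grab written for Python 3, as an added example that is not part of the original lab: it builds the request with the CRLF line endings HTTP actually requires (Apache tolerates the bare "\n" used in head.py) and parses the status line and headers instead of printing raw bytes. The sample response and its Server value are constructed for offline use.

```python
# Added example: Python 3 HEAD banner grab with a small response parser.
import socket

def build_head_request(host, path="/"):
    """Return the raw bytes of a minimal HTTP/1.1 HEAD request."""
    lines = [
        "HEAD %s HTTP/1.1" % path,
        "Host: %s" % host,        # mandatory in HTTP/1.1
        "Connection: close",      # ask the server to close after one response
        "", "",                   # the empty line ends the header block
    ]
    return "\r\n".join(lines).encode("ascii")

def parse_banner(raw):
    """Split a raw response into (status line, {lower-cased header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, _, rest = head.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def grab_banner(host, port=80, timeout=2):
    """Connect, send HEAD, and return the parsed banner (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_head_request(host))
        raw = b""
        while b"\r\n\r\n" not in raw:       # keep reading until the headers are complete
            chunk = s.recv(1024)
            if not chunk:
                break
            raw += chunk
    return parse_banner(raw)

# Constructed sample response (not captured from the lab server) so the parser runs offline.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Date: Mon, 22 Oct 2018 17:00:00 GMT\r\n"
                   b"Server: Apache/2.4.29 (Ubuntu)\r\n"
                   b"Content-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    status, headers = grab_banner("ad.samsclass.info")
    print(status, "|", headers.get("server"))
```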

Task 2: Using POST to Log In

This is a simple login form. Try logging in with a username of foo and a password of bar.

(Login form with Username and Password fields.)

Your credentials are rejected, as shown below.

Using Chrome Developer Tools

For the next step, you need Chrome. If you don't have it, get it here.

You should be viewing this page in Chrome.

From the Chrome menu bar, click View, Developer, "Developer Tools".

In the Developer Tools pane, at the top, click Network.

Log in again with a username of foo and a password of bar.

Developer Tools shows a network request to "login1.php", as shown below.

In the "Developer Tools" pane, click login1.php. Details of the network request appear.

In the "Request Headers" section, click "view source", as shown below.

A block of text appears, beginning with "POST". Highlight all this text with your mouse, right-click, and click Copy, as shown below.

Making a Python POST Login Script

In a Terminal window, execute these commands to copy head.py to post.py and edit the copy:

cp head.py post.py
nano post.py
In nano, after the line beginning with "target", type this text:
req = """
Point your mouse cursor just to the right of the three quotation marks, right-click, and click Paste, as shown below.

The request lines appear, as shown below.

After the request lines, press Enter twice, and add this text:

u=foo&p=bar"""
Your script should look like the example shown below.

In the "s.send" line, remove all the text between the parentheses and replace it with req, as shown below.

Press Ctrl+X, Y, Enter to save the file.

Running the POST Script

In a Terminal window, execute this command to run the post.py program.
python post.py
You should see a response beginning with "HTTP/1.1 200 OK", as shown below.

Requesting Plain Text

Notice the strange symbols at the end of the response. This is the Web page saying your credentials were rejected, but it's gzip-compressed and unreadable. This happens because the headers we pasted from Chrome include an "Accept-Encoding" line, which tells the server it may send the data with "Content-Encoding: gzip". That works in a Web browser, which decompresses it, but we want plain, readable text.

To get that, we need to remove the "Accept-Encoding" header line.

In a Terminal window, execute this command to edit the post.py script:

nano post.py
In nano, find the line starting with "Accept-Encoding", as highlighted in the image below.

Delete that line entirely, as shown below.

In nano, save the "post.py" file.

In the Terminal window, execute this command to run the post.py program.

python post.py
Now you get a readable response, as shown below.

Putting the Username and Password into Variables

In nano, modify your script to use variables for the username and password, as shown below.

The changed lines are outlined in green.

In nano, save the modified program.

In the Terminal window, execute this command to run the post.py program.

python post.py
You get the same response, as shown below.

Changing the Username and Password

In nano, modify your script so the username is root and the password is toor, as shown below.

In nano, save the modified program.

In the Terminal window, execute this command to run the post.py program.

python post.py
You get a "socket.timeout" error message, as shown below.

Changing Content-Length

Why is this script failing? It's because we changed the length of the username and password without also changing the "Content-Length" line to match. The server uses Content-Length to decide how many bytes of the request body to read, so the declared length must equal the actual length of the body we send.

In nano, modify your script as shown below, to calculate the correct Content-Length and insert it into the request.

In nano, save the modified program.

In the Terminal window, execute this command to run the post.py program.

python post.py
Now you get a "200 OK" response, as shown below.
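An added Python 3 example, not code from the original lab, that builds post.py's request the robust way: the body is URL-encoded from a dictionary, Content-Length is measured on the encoded bytes, and no Accept-Encoding header is sent so the reply comes back as plain text. The path "/login1.php", the field names u and p, and the stale-request sample are taken from the steps above; the server name is the one head.py used.

```python
# Added example: a form POST whose Content-Length always matches the body.
import socket
from urllib.parse import urlencode

def build_post_request(host, path, fields):
    """Return raw bytes of an HTTP/1.1 POST with a form-encoded body and a correct Content-Length."""
    body = urlencode(fields).encode("ascii")   # {"u": "root", "p": "toor"} -> b"u=root&p=toor"
    headers = [
        "POST %s HTTP/1.1" % path,
        "Host: %s" % host,
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: %d" % len(body),      # measured on the bytes actually sent, never hard-coded
        "Connection: close",
        # No Accept-Encoding header, so the server has no reason to gzip the response.
        "", "",
    ]
    return "\r\n".join(headers).encode("ascii") + body

def declared_vs_actual(raw_request):
    """Return (declared Content-Length, actual body length); a mismatch is the bug described above."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    declared = None
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            declared = int(line.split(b":", 1)[1].strip())
    return declared, len(body)

def post_form(host, path, fields, port=80, timeout=2):
    """Send the request and return the raw response bytes (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_post_request(host, path, fields))
        chunks = []
        while True:                     # Connection: close, so read until the server hangs up
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)

# Constructed copy of the hand-edited request from the text: the body grew to 13 bytes for
# root/toor, but the Content-Length pasted from the foo/bar login still says 11.
STALE_REQUEST = (b"POST /login1.php HTTP/1.1\r\nHost: ad.samsclass.info\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 b"Content-Length: 11\r\n\r\nu=root&p=toor")

if __name__ == "__main__":
    print(post_form("ad.samsclass.info", "/login1.php", {"u": "root", "p": "toor"}).decode("iso-8859-1"))
```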

Using a Different Password

In nano, modify your script to use a password of "password" instead of "toor".

Run that script to get a "Successful Login" message, as shown below.


Task 3: Using Loops

Looping Through String Values

In a Terminal window, execute this command to create and edit a file named "loop1.py".
nano loop1.py
In nano, enter this code, as shown below.

In the Terminal window, run the loop1.py program.

You should see four lines of output, as shown below.

Looping Through Numerical Values

In a Terminal window, execute this command to create a file named "loop2.py".
nano loop2.py
In nano, enter this code, as shown below.

In the Terminal window, run the loop2.py program.

You should see five lines of output, as shown below.


Challenge 1: Brute Forcing a Login Form (15)

Write a script in Python to try all possible credentials and get into the form below.

The user name is one of these:

The PIN is a two-digit number, like this:
(Login form with Username and PIN fields.)

Write a script that finds the correct credentials and logs in.

When you find it, you'll be able to get your name onto the WINNERS PAGE as shown below:

Hints

1. Don't just use the same script you created earlier. Examine a login with Chrome Developer Tools to see how this login differs from the previous one.

2. Apache only allows 100 HTTP requests on one connection before you need to close it and re-open it.


Challenge 2: Four Accounts (50)

Break into each of the four accounts below.

You'll be able to get your name onto these pages:

(Login form with Username and PIN fields.)

Credits

CEO: Sarah Bellum
Staff: Pete Moss, Sandy Beach
(Stolen from A Prairie Home Companion)

Hints

1. First try logging in by hand. Examine the error messages you get to find out what names and password types are used.

2. You need to find four accounts, but only three employee names are shown. Think about what other account is needed, why it would not appear in the list of employees, and why it might not have the same security policies.


Updated to https PHP links 10-20-18