Josh Stone, Blog

Josh’s projects and security nerdery

New Hacking Tool “Reformer”

For the first time in a while, I sat down to do some actual coding. It’s still a relatively small program, but worth a mention on the blog. One thing that has frustrated me, having been a penetration tester for the last six months, is the dearth of web-based brute force tools. Often, I am presented with a web-based login form that I’d like to exercise, and some of the tools out there that support it are a little awkward. Usually, they enforce too much structure, and if your particular form deviates from the tool author’s expectations, it’s a pain to make it work.

So, I thought I’d write something up that gives me a strong framework for accomplishing such attacks in a suitably flexible manner. My goals are as follows:

  • Allow direct access to the HTTP request itself
  • Allow permutation of more than just user and password
  • Support multiple means of detecting a “success”
  • Not cost me as much as Burp Suite
  • Design it such that ad hoc extension is possible:
    • Written in an easy scripting language (Ruby)
    • Object-oriented design
    • Decoupled, modular relationships

So, I present: “reformer”, a web form brute force tool. It’s written in Ruby, which makes up its only requirement. It operates at a somewhat low level, so you can’t just point it at a web page and say, “Go!” But, with a little setup, it can accomplish most of what I’ve needed in a tool several times in the last few months. Here’s a little demonstration:

First, I prepare two text files. One contains the raw HTTP request with a placeholder for the password (I could have any number of placeholders, in case I need to change other variables, headers, cookies, etc.). The second contains the dictionary, which is comma-delimited (though not obvious in this screenshot because there’s only one variable that I’m inserting):

[Screenshot: reformer in action]

Once these files are prepared, I can set up the attack run as follows:

[Screenshot: reformer in action]

Note that reformer also supports a mode for recording size changes between requests. The idea is that if you don’t know what success and failure look like, you may be able to identify a noticeable change in response size that distinguishes a successful login from the failures around it. I’ve used this approach to good effect at times with Burp Suite, but its throttling in the free version limits its usefulness substantially. So here’s a sample run testing response sizes:

[Screenshot: reformer running in size mode]

The tool is implemented in an object-oriented fashion, and intended for easy extension. So, if there’s a “success detector” that is not implemented, it’s a matter of subclassing one of the detectors and adding a little code to do what you want. Some more information is available as follows:
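As an added illustration of the detector design described above (this is example code, not reformer’s own source), here is a minimal Ruby sketch of a base `Detector` with two subclasses: a pattern matcher and a size-change detector that baselines on the first response. The class and method names, the `Response` struct and the sample responses are all assumptions constructed for the example.

```ruby
# Added example, not reformer's code. Stand-in for an HTTP response; only
# the status and body matter for the detectors below.
Response = Struct.new(:status, :body)

# Base class: a detector inspects responses one at a time and reports
# whether one looks like a successful login. Subclasses override #success?.
class Detector
  def success?(_response)
    raise NotImplementedError, "#{self.class} must implement #success?"
  end
end

# Success when the body matches a pattern, e.g. a welcome banner.
class PatternDetector < Detector
  def initialize(pattern)
    @pattern = pattern
  end

  def success?(response)
    response.body.match?(@pattern)
  end
end

# Size mode: the first response is taken as the failure baseline; later
# responses whose size differs by more than the tolerance are flagged.
# The tolerance absorbs small noise such as timestamps in the page.
class SizeChangeDetector < Detector
  def initialize(tolerance: 8)
    @tolerance = tolerance
    @baseline = nil
  end

  def success?(response)
    size = response.body.bytesize
    if @baseline.nil?
      @baseline = size
      return false
    end
    (size - @baseline).abs > @tolerance
  end
end

# Run a detector across a list of responses; returns the flagged indices.
def flagged_indices(detector, responses)
  responses.each_index.select { |i| detector.success?(responses[i]) }
end

# Constructed sample responses: two similar failures and one distinct success.
SAMPLE = [
  Response.new(200, "<html><body>Login failed. Try again. [12:00:01]</body></html>"),
  Response.new(200, "<html><body>Login failed. Try again. [12:00:02]</body></html>"),
  Response.new(302, "<html><body>Welcome back, admin. Redirecting to /dashboard ...</body></html>")
]
```

Adding a new detection strategy is then a matter of subclassing `Detector` and implementing `success?`, which is the extension point the design is built around.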