DonationCoder.com Software > N.A.N.Y. 2013

N.A.N.Y. 2013 Submission - FreeNAS Brute Forcer

<< < (3/3)

Renegade:
The initial navigation is done with this string:


--- Code: C# ---string _url = "http://{0}/account/login";// then later like this:wbrFreeNas.Navigate(string.Format(_url, txtIpAddress.Text));
So, it will accept more than just IP address octets. It's a quick and dirty solution.

The main navigation for the actual brute forcing is actually much more robust and versatile with no reliance on an address:


--- Code: C# ---wbrFreeNas.Document.Forms[0].InvokeMember("submit");
You can actually drop a page into the browser to load it, e.g. Drag & drop from Chrome into the browser. That will load another page for whatever. So, if you've got your FreeNAS open in another browser, you can drag it into the program to load that page. The IP address is only used to initially load the page.

e.g.



I didn't do a lot of validation and the like because, well, like you say, if you can't use it properly, you probably shouldn't be using it.

Renegade:
Somebody found a decent use for it! Pen testing! :D

http://www.elithecomputerguy.com/2013/01/25/brute-forcing-freenas-servers-with-freenas-brute-forcer-v1-0/

 :up:

wraith808:
That was a really good write up!  I'd never thought of using it for that either, but I'm sure as with everything else, there's a lot of people out there using FreeNAS in an unsafe environment that have bad security measures in place.

Navigation

[0] Message Index

[*] Previous page