[Brute-force] Lab 1: Username enumeration via different responses


This lab is a part of my journey toward the Burp Suite Certified Practitioner.

It is in the server-side vulnerabilities section from PortSwigger.



The lab says the website is vulnerable to username enumeration. This means there is a login page somewhere on the site whose response tells us whether or not a given username is valid.

We are also provided with wordlists, which we can download into our virtual machine and use with Burp Suite in the Intruder module.

To transfer the wordlists into the VM, PortSwigger made it easy with links to copy and paste.



RECON

When I open the site we can see it is some kind of blog page with a few buttons in the corner, as well as different blog posts from different users with different usernames.



The My account button in the top right might lead us to a possible login page. My thinking right now is to locate the login page, since we are going to be doing a brute-force attack, then use FoxyProxy to intercept the login request and send that request to Intruder in Burp Suite.



After clicking the My account button it redirects me to the /login page. Now I can turn on the proxy and intercept that request:






I just provided values for the two parameters, username and password, so I could intercept the request with Burp Suite.


Now that I have sent it to Intruder in Burp Suite, I can choose the type of attack I want to do and customize it to use my provided wordlists.



How to use the Burp suite intruder

When you open Burp Suite Intruder you can see a bunch of options. One of the important ones is Auto §, since it will auto-detect which parameters to use as positions for the payloads.


Notice that the parameters we're going to brute force have the symbol '§' before and after them. That marks the position (or positions) where each payload is inserted.



Attack Types


For the attack type, which is another option in Intruder, there are four types. The only one we will be using for this lab is the pitchfork attack type, since it uses multiple payload sets, with a different payload set for each defined position. So I can have the position of the username parameter use the username wordlist as its payload set, and the password parameter position have its own password wordlist payload set.



Configuring the Payloads


Loading the payload:

To load the payload in Burp Suite Intruder we click the Payloads tab at the top, then under the payload settings click Load and pick the two files we want to use.



So for our first payload set we load username.txt.




Then to select our second payload set we go to the payload set number and change it from 1 to 2 (I underlined it in red).



I had a change of mind: I will first brute force only the username to see which ones are valid, then use the password list against the valid usernames.

A useful feature in Intruder is that you can do grep matching. I created a regex based off the 'Invalid username' error I get from the web page, so I can filter the responses into those that are and aren't valid. This will help me further fine-tune my attack.


So now we can see:



The only valid username was 'adm'. So now it's time to start a new attack; since I explained the steps before I won't go into too much detail, I'll just include screenshots.


Now that I know the username I will only be using one payload set, the password payload set. What I'll do is use the sniper attack type.



Well, now how do we know if the password is valid or not?

The way I went about it was using the length of the response to determine whether or not I got a different response.
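To show why the grep match on 'Invalid username' and the response-length comparison above work, here is an added Python example (not part of the lab or of PortSwigger's code) with a constructed login handler that leaks like the lab's, a hardened version that returns one generic message, and a helper that applies the same grep/length grouping Intruder does. The user store, the password and the candidate list are all made up for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed demo user store: username -> (salt, sha256(salt + password)).
# "adm" matches the lab's valid username; the password is invented here.
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

_SALT = secrets.token_bytes(16)
USERS = {"adm": (_SALT, _hash(_SALT, "s3cret-demo"))}
_DUMMY = (_SALT, _hash(_SALT, "dummy"))  # unknown users still cost one hash

def login_vulnerable(username: str, password: str) -> str:
    """Leaks which half failed: error text (and its length) differs per case."""
    if username not in USERS:
        return "Invalid username"
    salt, digest = USERS[username]
    if not hmac.compare_digest(_hash(salt, password), digest):
        return "Incorrect password"
    return "Welcome"

def login_hardened(username: str, password: str) -> str:
    """Same message and same amount of work for unknown user and wrong password."""
    salt, digest = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(salt, password), digest) and username in USERS
    return "Welcome" if ok else "Invalid username or password"

def enumeration_signal(login, candidates, grep="Invalid username"):
    """Mimic the Intruder results view: group each candidate username by
    (grep-match flag, response length) and return the ones that stand out
    from the majority. An empty set means nothing was leaked."""
    by_key = defaultdict(list)
    for user in candidates:
        body = login(user, "wrong-guess")
        by_key[(grep in body, len(body))].append(user)
    if len(by_key) <= 1:
        return set()
    majority = max(by_key.values(), key=len)
    return {u for group in by_key.values() if group is not majority for u in group}
```

Run against the vulnerable handler the helper singles out 'adm' exactly as the grep column did in the lab; against the hardened handler every response has the same text and length, so the attack has nothing to key on.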




And there we go, lab completed.

