BYPASSING HTTP BASIC AUTHENTICATION WITH METASPLOIT
- Layout for this exercise:
- This exercise is based on the previous post Setting up HTTP Basic Authentication.
- Creating the files users.txt and passwords.txt:
- Launching Metasploit in quiet (-q) mode:
- Using the auxiliary module http_login:
- Setting some options:
- Running the module, there is a successful login corresponding to the correct credentials:
- Authenticating with the correct credentials, the web resource is available:
- Note: in this exercise a very simple username:password combination has been used, because the purpose was just to illustrate the usage of the attacking tools. However, in the real world there are complex lists of username:password combinations available that can be used for performing dictionary and brute force attacks. The Kali command # locate wordlists shows many available wordlists, for instance in the folder /usr/share/wordlists
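- Detection: seen from the server, the credential guessing performed by http_login is a run of 401 responses from one client against the protected resource, followed by a 200 once the correct pair is found. The script below is an added example, not part of the original post; it assumes Apache-style common/combined access log lines in which the attempted username is recorded on 401 responses, and all log lines, addresses, usernames and the threshold are constructed.

```python
import re
from collections import defaultdict

# Common/combined log format: host ident authuser [time] "request" status size
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                     r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def detect_basic_auth_guessing(lines, min_failures=5):
    """Flag (client, path) pairs with many 401s; note a 200 that follows them."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "hit": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format
        s = stats[(m["ip"], m["path"])]
        if m["status"] == "401":
            s["failures"] += 1
            if m["user"] != "-":      # "-" means no credentials were sent
                s["users"].add(m["user"])
        elif (m["status"] == "200" and m["user"] != "-"
              and s["failures"] >= min_failures and s["hit"] is None):
            s["hit"] = m["user"]      # first success after the failure run
    return [
        {"ip": ip, "path": path, "failures": s["failures"],
         "users_tried": sorted(s["users"]), "succeeded_as": s["hit"]}
        for (ip, path), s in stats.items() if s["failures"] >= min_failures
    ]

def _line(ip, user, status, sec):
    # Constructed sample line, not taken from the original exercise.
    return (f'{ip} - {user} [10/Oct/2023:13:55:{sec:02d} +0000] '
            f'"GET /protected/ HTTP/1.1" {status} 512 "-" "-"')

# Constructed traffic: one client cycling through pairs, one normal login.
SAMPLE_LOG = (
    [_line("192.0.2.10", u, 401, i) for i, u in
     enumerate(["root", "root", "admin", "admin", "test", "test"])]
    + [_line("192.0.2.10", "webuser", 200, 7)]
    + [_line("198.51.100.7", "-", 401, 8), _line("198.51.100.7", "alice", 200, 9)]
)

if __name__ == "__main__":
    for finding in detect_basic_auth_guessing(SAMPLE_LOG):
        print(finding)
```

A finding whose succeeded_as field is set is the case to act on first: the account named there should have its password changed, and the source address reviewed.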