Monday, April 2, 2018
HTTP Basic Authentication bruteforce attack with NSE (Nmap Scripting Engine)
- Layout for this exercise:
- This exercise is based on the previous post Setting up HTTP Basic Authentication.
- The Nmap http-brute script is part of the NSE (Nmap Scripting Engine) and performs brute force password auditing against HTTP Basic, Digest and NTLM authentication.
- Some of the possible arguments are:
http-brute.hostname = sets the host header in case of virtual hosting
http-brute.method = sets the HTTP method to use (GET by default)
http-brute.path = points to the path protected by authentication
- For more information about this NSE script:
https://nmap.org/nsedoc/scripts/http-brute.html
- In this example we are pointing at the resources identified by the URL www.whitelist.com/basicauth/
- Let's suppose simple credentials, for the ease of this exercise:
username = admin
password = ababa
- Creating users.txt and passwords.txt, both stored in the root (/) folder:
- Launching the http-brute script with the right options, the brute force is successful in just 0.08 seconds:
- Checking that the credentials are correct:
- Note: this exercise uses a very simple username:password combination, because the purpose was just to illustrate the usage of the attacking tools. In the real world, however, complex lists of username:password combinations are available for performing dictionary and brute force attacks. On Kali, the command #locate wordlists finds many available wordlists, for instance in the folder /usr/share/wordlists
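- Seen from the server, the run above shows up in the access log as a burst of 401 responses for /basicauth/ from one client, followed by a 200 once a guess works. The following is an added example, not part of the original post: it assumes the Apache "combined" log format, and the function name, threshold, window and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format (assumed; adjust the regex for other servers).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# NSE's default HTTP User-Agent contains this marker. It is client-controlled,
# so treat it as a hint only; the 401 burst is the real signal.
NSE_MARKER = "Nmap Scripting Engine"

def detect_basic_auth_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert on a burst of 401s from one client and on a 2xx that follows one."""
    failures = defaultdict(list)  # client IP -> timestamps of recent 401s
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, status = m["ip"], int(m["status"])
        recent = [t for t in failures[ip] if ts - t <= window]
        if status == 401:
            recent.append(ts)
            if len(recent) == threshold:  # fire once when the threshold is crossed
                alerts.append({"type": "burst", "ip": ip, "path": m["path"],
                               "nse_user_agent": NSE_MARKER in m["ua"]})
        elif 200 <= status < 300 and m["user"] != "-" and len(recent) >= threshold:
            # Authenticated success right after a burst: a guess probably worked.
            alerts.append({"type": "success_after_burst", "ip": ip,
                           "path": m["path"], "user": m["user"]})
            recent = []
        failures[ip] = recent
    return alerts

# Constructed sample log: one normal login, then a guessing run that succeeds.
def sample_entry(ip, user, second, status, ua):
    return (f'{ip} - {user} [02/Apr/2018:10:01:{second:02d} +0000] '
            f'"GET /basicauth/ HTTP/1.1" {status} 381 "-" "{ua}"')

SAMPLE_LOG = (
    [sample_entry("198.51.100.7", "-", 0, 401, "Mozilla/5.0"),
     sample_entry("198.51.100.7", "admin", 5, 200, "Mozilla/5.0")]
    + [sample_entry("192.0.2.10", "admin", s, 401, f"Mozilla/5.0 (compatible; {NSE_MARKER})")
       for s in range(10, 16)]
    + [sample_entry("192.0.2.10", "admin", 16, 200, f"Mozilla/5.0 (compatible; {NSE_MARKER})")])

if __name__ == "__main__":
    for alert in detect_basic_auth_bruteforce(SAMPLE_LOG):
        print(alert)
```

A "success_after_burst" alert means the account named in it should have its password rotated, and the same counting logic is what a lockout or rate-limit rule on the protected path would enforce.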