Brute Force Attacks


This course covers brute force attacks as well as the features of Burp Suite.


Hi, within this section we're going to focus on Brute Force Attacks. So, in Brute Force Attacks we're going to see how to find the password of some user or, in fact, how to find usernames and passwords together to find a valid credential to log in. So, I'm going to explain this, of course, in further detail, but right now I'm inside of my DVWA as usual, but I'm going to log out because, as you might remember, in the previous section we worked with Metasploitable2 and DVWA and we changed the password. So, I cannot log in with admin and password because we have been seeing the CSRF. So, don't forget your previous password. It should be test2 if you have exactly followed the previous section. So, I'm going to change it back to password, okay, so that we don't forget it. I'm going to make this low, by the way, DVWA Security, and I'm going to just change it to password, so I don't forget it later on. So, I'm going to come over here and just log in with admin and password. So, here you go. Now we are inside of DVWA and ready for the Brute Force Attack. So, when do we use a Brute Force Attack? We use it in order to try and log in as some kind of user when we don't know the password. So, in this case, for example, we can try to log in with the admin user, okay, the administrator user, assuming that we already know there is an admin user, and if we don't know it, don't worry, I'm going to show a technique for that as well.

So, websites actually have to provide some kind of security measures for that. And we're going to see if there is one in this case. So, don't forget to turn on your Burp Proxy and open your Burp Suite. I'm not going to cover them again because we have already seen Burp Suite and Burp Proxy in the previous sections. Now let me try to log in and see what's going on in here with intercept on. So, as you can see it's doing a GET request and it's sending the username and password as parameters over here. So, this is the username and the other one is the password, and we have this login parameter here as well. So, what we are interested in is actually the username or the password. So, if we forward this, of course it will be logged in. We know the password, but we're just going to pretend that we don't know the password.
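
The security measure the lecture says websites have to provide, written out as an added example (this is not code from the course or from DVWA): a per-username, per-client-IP failure counter with a lockout window, plus one fixed failure body so that neither the wording nor the length of the response reveals whether the username exists or whether the account is locked. The demo user store, the salt, the thresholds and the `LoginGuard` name are all assumptions of this example.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed demo credential store (not DVWA's real data): username -> PBKDF2 hash.
_SALT = b"demo-salt-not-for-production"


def _pbkdf2(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"admin": _pbkdf2("password")}
_DUMMY_HASH = _pbkdf2("dummy")  # compared for unknown users so timing stays flat

# One fixed body for every failure: neither text nor length says *why* it failed.
FAILURE_BODY = "Username and/or password incorrect."
SUCCESS_BODY = "Welcome to the password protected area."


class LoginGuard:
    """Counts failed logins per (username, client IP) and locks the pair out."""

    def __init__(self, max_failures=5, window=60.0, lockout=300.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window          # seconds in which failures are counted
        self.lockout = lockout        # seconds the pair stays locked
        self.clock = clock            # injectable for deterministic tests
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time when the lock expires

    @staticmethod
    def _key(username, ip):
        return (username.lower(), ip)

    def is_locked(self, username, ip):
        key = self._key(username, ip)
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:        # lock expired: forget it
            del self.locked_until[key]
            return False
        return True

    def _record_failure(self, key):
        now = self.clock()
        q = self.failures[key]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            q.clear()

    def attempt(self, username, ip, password):
        """Return (http_status, body): 200 success, 401 bad credentials, 429 locked."""
        key = self._key(username, ip)
        if self.is_locked(username, ip):
            return 429, FAILURE_BODY
        stored = USERS.get(username, _DUMMY_HASH)
        # Always run the hash and the constant-time compare, even for unknown users.
        ok = hmac.compare_digest(stored, _pbkdf2(password)) and username in USERS
        if not ok:
            self._record_failure(key)
            return 401, FAILURE_BODY
        self.failures.pop(key, None)     # success resets the counter
        return 200, SUCCESS_BODY


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3)
    for pw in ("123456", "letmein", "qwerty", "password"):
        print(pw, guard.attempt("admin", "10.0.0.5", pw))
```

Keying the counter on the username and the client address together means a single wordlist run against one account locks that pair out after `max_failures` tries, while an unrelated client on the same account is unaffected. The 429 status is a deliberate choice that tells the client the pair is locked; what matters for the length sorting the lecture uses later is that every failure body is identical.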

So, if we do something like a test it won't log in because the password will be wrong. Okay, of course you can just test it by forwarding this request as well and, as you can see, it returns username and/or password incorrect. So, it's working pretty well. But of course, there might be some kind of Brute Force opportunity in here. It can be in any website. So, most of the time, websites or web applications try to come up with some sort of protection in here and hackers actually try to bypass it all the time. So, I'm going to show you how it's done. So, let me see if we can get the intercept again. For some reason, I believe it didn't work. So, let me try one more time. We have to catch and intercept the request. So, here we go, here it is. We know that the password is not test, but it really doesn't matter. Before we actually start Brute Forcing, we need a request. So, here is our request. You know how to get this. Now I will send this to Intruder. So, we have seen Repeater before but we haven't worked with Intruder. All you have to do is just right click and say send to Intruder and you can, of course, forward this later on.

But we will have the necessary parameters and the host information in Intruder; that's what we are going to work on. So, let me close this down. I believe I have sent this to Intruder a couple of times for some reason. So, let me just close everything down and here we go. Now we have the target. So, this is automatically brought in here and we have the positions, which is the request itself. So, as you can see, we see the request over here with username as admin and password as test. So, this is what we're going to work with. And as you can see they're highlighted. So, all these parameters here are highlighted: security low, PHPSESSID, username, password and login. So, what we see over here are the parameters that we're going to be brute forcing with. So, of course, we don't want to brute-force or try PHPSESSID or security or login. We only want to try something with the username or the password itself. So, I'm going to say clear over here to get rid of all these highlights and I'm just going to find the things that I'm going to be testing, for example, this test, this password.

So, if you highlight something over here first and add it, then it will be highlighted one more time. It means that you're going to be performing some tests on this password, and over here we have the attack type. So, as you can see there is sniper, there is battering ram, pitchfork, and cluster bomb. We're going to see every one of them. We're going to test and see what they do, but we generally go with sniper most of the time, which is very efficient if you're only brute forcing one parameter. So, in this case we're actually going after the password, we are trying to crack the password of the admin user. Then I'm going to just select sniper. Later on, I'm going to select the other positions or other attack types as well to see what they do. Right now I'm going to go with sniper and again, if you're working with a single parameter, then it's better to go with sniper. Now I'm going to come over here to payloads and options. In options, we generally don't change anything, but in payloads it's very essential to do some configuration.

As you can see in the payload set, I will see only one thing because I have only highlighted one thing. Then if I add something like this, okay, then I can see more than one over here, but since I have chosen sniper in the attack type, I cannot see the other payload sets. So, I only get one in here because, as I said before, sniper only works with one parameter. So, if I want to go for the username or if I want to go for the password, then it's definitely going to be sniper. But if I want to go for both of them then sniper won't work, as you can see it doesn't work in here. So, if I chose two sets then I would expect to see two sets. So, for example, let me go for pitchfork and then we're going to see two sets. But that's not what we are looking for, at first at least, okay, because we already know there is a user called admin. Then we will see what to do if we didn't know how to find the usernames or stuff. Then we're going to see how to use pitchfork or the other options over here. But right now, I want to go for sniper and only the password. So, payload type, there are a couple of payload types over here. We generally go with a simple list.

So, what does simple list mean? It means we're going to give it a list and it will try everything on that list against this password. So, as you can see you can give numbers, you can give something like a bit, maybe like a date, something like that. But most of the time you use Intruder for brute forcing passwords or usernames and you do it with a list. You can add the list over here manually, like this, okay: password, admin, test, and stuff. You can just write whatever you want and it will test everything. Also, you can load something from here as well, like the word list we have seen before. You can just click over here and it will open the word list folder for you. If it doesn't open, you can always go to /usr/share/wordlists like we have seen before. Not the root, sorry. Let me go back and just find usr and just go to share after this and then wordlists. So, let me try to find the word list. Okay, here you go. Now, let me double click on this and you can just choose any word list that you want. So, we have worked with dirbuster before. Now dirbuster is not very appropriate for this one.

For example, there's rockyou.txt, and fasttrack.txt is applicable in this case because it contains the most popular passwords around the world. So, if I want to try for a password then I definitely want to go for fasttrack or rockyou.txt. The bad thing is rockyou.txt contains like thousands or tens of thousands of passwords, so it's not a bad thing. But the free version of Burp Suite actually runs very slow on this one. So, as you can see, if we choose fasttrack, then it will load something like 200 or 300 passwords over here. You can remove them manually afterwards if you don't want them. And you can just add them manually, something like that. Okay, you can remove, add and use a pre-created list, whatever you want. Whatever you type here will actually be tried against the highlighted parameter in the positions tab. Over here we have payload encoding. We generally don't want to change that because we don't need any kind of special encoding; if you don't want to URL encode these characters, you can just specify that, but we really want that, so that we won't get an error regarding URL encoding.

So, as you can see, we cannot change the number of threads. We changed this to 200 in the dirbuster attack, as you might remember. DirBuster is a brute-forcing tool as well. We try against the wordlist and we try to find some hidden web pages, and over here we are trying against the wordlist too, but this time we're trying to find the password, but we cannot change this type. We can actually change the number of retries on network failure and the pause before retry. So, you can increase or decrease these numbers if you have a web application firewall going on. But this time I'm just going to start the attack and see what's going on. Here, it's saying that your attacks will be slow because you're using the free version, but as you can see we are getting some results in here. So, it's trying to brute-force and it's trying every password that we have given in that list against this highlighted parameter. That's what's going on. So, let me just start this one more time because I have lost the other one for some reason. And as you can see there are 182 possible passwords. It will try and find the matching password if there is one inside of that list. Of course, the password might not be on the list that we have chosen, and then we will not get any result. But as you can see it's trying against everything. Then the most important part is that we have to understand how this works, and as you can see password is in this type, actually in this list, and it should have found this. If you click one of those then you can see the request and response so that you can understand if that was successful or not.
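
A defender-side view of the run just described, as an added example that is not part of the course: a run like this one leaves a burst of GET requests to the login page, each with a different `password` parameter, in the web server's access log. The code below parses combined-format access log lines and flags any client address that hits the login page at least `threshold` times inside a sliding window. The log lines are constructed and their timestamps fictional; the login path `/dvwa/vulnerabilities/brute/`, the threshold and the window are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
LOGIN_PATH = "/dvwa/vulnerabilities/brute/"   # assumption: the login page being watched


def parse_line(line):
    """Return a record for a login-page hit, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    if url.path != LOGIN_PATH:
        return None
    qs = parse_qs(url.query)
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "user": qs.get("username", [""])[0],
        "password": qs.get("password", [""])[0],
        "status": int(m.group("status")),
    }


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {ip: summary} for clients with >= threshold login hits in any window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):           # sliding window over sorted hits
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "attempts": len(recs),
                    "distinct_passwords": len({r["password"] for r in recs}),
                    "users": sorted({r["user"] for r in recs}),
                    "first": recs[0]["ts"].isoformat(),
                    "last": recs[-1]["ts"].isoformat(),
                }
                break
    return alerts


def _line(ip, second, password, user="admin"):
    # Constructed sample log line; the date and client addresses are fictional.
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"GET {LOGIN_PATH}?username={user}&password={password}&Login=Login HTTP/1.1" '
            f'200 4521 "-" "Mozilla/5.0"')


# Twelve guesses from one client in 22 seconds, two ordinary logins from another.
SAMPLE_LOG = [_line("10.0.0.5", 10 + i * 2, f"pw{i}") for i in range(12)] + [
    _line("192.0.2.7", 15, "hunter2"),
    _line("192.0.2.7", 40, "hunter2"),
    '192.0.2.7 - - [10/Oct/2023:13:55:41 +0000] "GET /dvwa/index.php HTTP/1.1" 200 980 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The `distinct_passwords` count is what separates a wordlist run from a user retyping the same wrong password: many different values for one username in a short window is the signature, and the `pause before retry` setting the lecture mentions only stretches that window, so the threshold and window should be tuned together.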

But let me show you where to look. As you can see we have different kinds of status going on here. So, 200 means that it's okay, but okay doesn't mean that it's actually working, because you might get a response from the server but the response would be that you've got the wrong password. In this case, status is not a very differentiating factor for us. We have to see the responses for each request that we made, but if we scroll down in any password over here, we will see that it's not working. Let me come and find it over here: username and/or password incorrect. So, we don't have the time to look over every response that we have. So, I'm going to sort this by length, and as you can see every response has the same length except for one. So, for the password we got a different response. So, if I come down a little bit to here, as you can see, it says welcome to the password protected area admin. So, what you can do is sort this by status and see if there's anything different, and then just sort this by length and see if there is any different length, and try to see the response of the related payload or related password that you have chosen. So, in this case it was easy because our password is password; it's definitely going to be in fasttrack. It's a very common password actually. And as you can see, it still didn't finish. So, we are trying this list and we are at the 68th or 69th record and we still have time to go. So, it's pretty slow, unfortunately. It's much faster in the Pro version, but the Pro version costs something like $400 a year. So, we are doing this test in the free version. So, that's it. That's how you understand the response of the Brute-Force attack, the Intruder attack. We're going to stop here actually and we're going to deep dive into the other types of payloads or other attack types in the next lecture.
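
The triage the lecture describes, sorting by status and then by length and reading the body for the failure message, written out as an added example that is not from the course: `find_outliers` takes the dominant (status, length) pair as the failure signature and reports any row that deviates from it or whose body lacks the failure marker, which covers the case where a success happens to come back at the same length. The result rows are constructed to resemble an Intruder results table; the lengths, bodies and function names are assumptions of this example.

```python
from collections import Counter

FAILURE_MARKER = "Username and/or password incorrect."


def _row(payload, status, length, body):
    return {"payload": payload, "status": status, "length": length, "body": body}


# Constructed Intruder-style rows: every failure shares one status/length
# signature and the one success differs, as in the lecture's run.
_FAIL_BODY = "<html><body><pre>" + FAILURE_MARKER + "</pre></body></html>"
_OK_BODY = "<html><body><p>Welcome to the password protected area admin</p></body></html>"
SAMPLE_RESULTS = [
    _row("123456", 200, 4521, _FAIL_BODY),
    _row("admin", 200, 4521, _FAIL_BODY),
    _row("letmein", 200, 4521, _FAIL_BODY),
    _row("password", 200, 4598, _OK_BODY),
    _row("qwerty", 200, 4521, _FAIL_BODY),
    _row("test", 200, 4521, _FAIL_BODY),
]


def signature_table(results):
    """Count rows per (status, length): what sorting by status, then length, shows."""
    return Counter((r["status"], r["length"]) for r in results)


def find_outliers(results, marker=FAILURE_MARKER):
    """Return payloads whose response differs from the dominant failure signature
    or whose body lacks the failure marker. Returns [] when nothing stands out."""
    if not results:
        return []
    baseline, _ = signature_table(results).most_common(1)[0]
    hits = []
    for r in results:
        signature_differs = (r["status"], r["length"]) != baseline
        marker_missing = marker not in r["body"]
        if signature_differs or marker_missing:
            hits.append(r["payload"])
    return hits


if __name__ == "__main__":
    print(signature_table(SAMPLE_RESULTS))
    print(find_outliers(SAMPLE_RESULTS))   # ['password']
```

The defender-side reading of this table is that the response length is the oracle: a login page that answers every failed attempt with the same status and a same-length body, and rate-limits the attempts, leaves only the marker check, and that check needs a successful login to have happened at all.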


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.