Burp Suite Brute Force Attack


Here is a good overview of the different attack types of Burp Intruder. What you are looking for is the 'Cluster Bomb' type with each of the four payload sets set to numbers from 0 to 9.

  • There are other brute force tools such as Hydra and Ncrack. Although both are great tools, Burp Suite is more suitable for brute forcing a web application login page, whereas Hydra and Ncrack are more suitable for other protocols such as SSH and RDP. Setting Burp Suite as a web proxy: Burp is designed to be used alongside your browser.
  • A brute force attack using Burp, with the help of a powerful dictionary, is a very effective and underrated method of bypassing login pages that were not built to withstand malicious users. If the password is weak, reused, easy to guess or short, this is a very effective technique.
  1. With Burp running, log in as carlos and investigate the 2FA verification process. Notice that if you enter the wrong code twice, you will be logged out again. You need to use Burp's session handling features to log back in automatically before sending each request.
  2. In Burp, go to 'Project options' > 'Sessions'. In the 'Session Handling Rules' panel, click 'Add'. The 'Session handling rule editor' dialog opens.
  3. In the dialog, go to the 'Scope' tab. Under 'URL Scope', select the option 'Include all URLs'.
  4. Go back to the 'Details' tab and under 'Rule Actions', click 'Add' > 'Run a macro'.
  5. Under 'Select macro' click 'Add' to open the 'Macro Recorder'. Select the following 3 requests:
    GET /login
    POST /login
    GET /login2

    Then click 'OK'. The 'Macro Editor' dialog opens.
  6. Click 'Test macro' and check that the final response contains the page asking you to provide the 4-digit security code. This confirms that the macro is working correctly.
  7. Keep clicking 'OK' to close the various dialogs until you get back to the main Burp window. The macro will now automatically log you back in as Carlos before each request is sent by Burp Intruder.
  8. Send the POST /login2 request to Burp Intruder.
  9. In Burp Intruder, add a payload position to the mfa-code parameter.
  10. On the 'Payloads' tab, select the 'Numbers' payload type. Enter the range 0 - 9999 and set the step to 1. Set the min/max integer digits to 4 and max fraction digits to 0. This will create a payload for every possible 4-digit integer.
  11. On the 'Options' tab, under 'Request Engine', set the number of threads to 1.
  12. Start the attack. Eventually, one of the requests will return a 302 status code. Right-click on this request and select 'Show response in browser'. Copy the URL and load it in your browser.
  13. Click 'My account' to solve the lab.

Brute Force Account Testing Using Burp Intruder

Introduction

As organizations mature, stronger security controls such as strict firewall rules, WAFs and VPNs are implemented to keep them safe from attackers. Attackers therefore target web authentication methods, such as simple username / password combinations, which almost every application implements.

As part of web application security testing, one of the things security testers check is whether the application accepts weak or default passwords that can be easily guessed. The Open Web Application Security Project (OWASP), as part of its Web Security Testing Guide (WSTG), has dedicated a chapter to Testing for Weak Account Lockout Mechanism.

Configuration Changes / Tools Used

Security testers commonly use Burp Suite, an integrated platform containing tools such as Scanner, Intruder and Decoder, which gives a seamless testing experience from the initial mapping of the application's attack surface to finding and exploiting application vulnerabilities. With Burp, the tester keeps full control over manual techniques while automating the repetitive parts, which makes testing easy and convenient.

Using built-in tools such as Intruder, which sits alongside Burp Proxy, attackers can perform password spraying attacks, because Intruder can test many passwords in a short period of time.

Common Issues Encountered

Weak passwords are an industry-wide problem, and there are several news articles about data breaches that happened because of default passwords or employees using easily guessable passwords. Customers from all industry verticals, especially Banking, Financial Services and Insurance (BFSI) and allied industries, should pay close attention to this, as the financial impact is huge if there are no safeguards in place for their applications.

Password spraying of credentials against an application that implements no lockout is part of the OWASP Top 10 2017, under the A2: Broken Authentication category. Given its importance, there are several ways to test for account lockout mechanisms.

The screenshot below shows how to enable proxying in Mozilla Firefox. To get to the Connection Settings, follow these steps:

  1. Click on Firefox > Preferences (on Mac) / Tools > Options (on Windows) and scroll down to Network Settings.
  2. The Connection Settings window will pop up when you click the Settings button.

The proxy options will vary from browser to browser.

A proxy in this context is a piece of software sitting on the tester's machine which lets the tester intercept requests going to the server and manipulate them before they are forwarded.

The screenshot below shows the port used by Burp and the IP address of localhost (the computer where Burp is installed), which together are used to capture the traffic. The same IP address and port need to be entered in the browser's proxy configuration.

Figure 2: Burp Configuration

Set Up for Testing

For the purpose of this demo the following tools will be used:

  • Burp Suite – Installed on your testing computer along with the browser you will use to interface with the application.
  • Zen Cart – Free e-commerce shopping application.

Once the application is installed and traffic is being captured in Burp, the color of the Intercept tab changes to orange, as shown below. Ensure that the Intercept button is turned on to intercept the requests.

To begin brute forcing, first enter a user name and password in the login page and capture the request in Burp Proxy.

Figure 4: Zen Cart Login

Once the request is captured, the Intercept tab shows the login request, in either GET or POST format, together with the cookie values, the header information and the login credentials that the server requires.

Burp Suite contains Intruder, one of the suite of tools integrated along with Proxy, which allows for automation of many common attacks. Intruder is one of the tabs present in Burp.

Figure 6: Intruder Tab in Burp

To send the request to Intruder, right click anywhere in the request window and from the menu options, select Send to Intruder. The tester needs to be in the Proxy tab viewing the request that needs to be sent to Intruder.

Once the request is sent to Intruder, the Intruder window is automatically shown with the selected request.

Figure 8: Intruder Active

Intruder auto-selects the positions based on the parameters present in the request. When the request is sent to Intruder, the parameters present in the GET / POST request and the cookies are automatically marked with the § symbol, indicating that all of them will be targeted in the attack.

These can be left as they are (if required) or customized by clicking the Clear button, selecting the required parameter and clicking the "Add §" button on the right-hand side. This places the § symbol at the start and end of the required parameter, as shown in the screenshot below.

In this scenario, as we are performing a brute force attack against a username we already know, we want to target the password. Select Sniper as the Attack Type. This is the default attack type and can be changed from the drop-down based on the type of testing being conducted.

Intruder has different attack types such as Sniper, Cluster Bomb, Pitchfork and Battering Ram. These can be used based on different attack scenarios.

As we have decided to target the password, a predefined list of passwords can be used. The passwords can be generated using various tools or, if the tester already has a list of passwords, it can be pasted in.


Figure 10: Passwords for brute forcing

Go to the Payloads tab and load the password file if a list is already prepared, or add individual passwords manually by clicking Add.

Once all the passwords are added, click the Start Attack button. Intruder will iterate through the password list. In this example, upon finding the correct password, the response shows up in Intruder with a different status code and length.

The meanings of the status codes are given below:

200 OK – This indicates the request has succeeded. The information returned with the response is dependent on the method used in the request.

302 Found – This indicates that the requested resource resides at a different URI. In this example, once Intruder uses the correct password, the server authenticates the request and redirects it to a different URI.

The response varies for each attack scenario, and the tester needs to pay attention to the response behaviours to notice the difference when Intruder uses the correct password.

Figure 12: Length change after successful password attempt
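To show what the signals described above (a burst of login POSTs that all return the same status and length, followed by a 302) look like from the defender's side, here is an added detection example; it is not part of the original post. It parses constructed access-log lines in the combined format (the log lines, IP addresses, login path, window and threshold are all assumptions chosen for illustration), flags a client that sends at least a threshold of login attempts within a sliding window, and separately flags a redirect that arrives while such a burst is still in the window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined access-log format: client IP, identd, user, [timestamp], "request line", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["size"] = 0 if e["size"] == "-" else int(e["size"])
    return e


def login_attempts(lines, path="/login"):
    """Group POST requests to the login endpoint by client IP, sorted by time."""
    by_ip = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"] == path:
            by_ip[e["ip"]].append(e)
    for events in by_ip.values():
        events.sort(key=lambda e: e["ts"])
    return by_ip


def detect_bruteforce(lines, path="/login", window=timedelta(seconds=60), threshold=10):
    """
    Return {ip: verdict}. 'burst' means at least `threshold` non-redirect login
    responses inside one `window`; 'burst-then-redirect' means a 302 (the success
    signal the post describes) arrived while that burst was still in the window,
    which is what a guessing attack that found the password looks like in the log.
    """
    verdicts = {}
    for ip, events in login_attempts(lines, path).items():
        start = 0
        for i, e in enumerate(events):
            # Advance the window start so that events[start:i+1] spans at most `window`.
            while e["ts"] - events[start]["ts"] > window:
                start += 1
            failures = sum(1 for x in events[start:i + 1] if x["status"] != 302)
            if failures >= threshold:
                verdicts[ip] = "burst"
                if e["status"] == 302:
                    verdicts[ip] = "burst-then-redirect"
                    break
    return verdicts


def _line(ip, second, status, size):
    """Build a constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [12/Mar/2021:10:00:{second:02d} +0000] '
            f'"POST /login HTTP/1.1" {status} {size} "-" "Mozilla/5.0"')


# Constructed sample log: 10.0.0.5 fails twelve times in twelve seconds and then
# receives a 302 (a successful guess); 10.0.0.9 mistypes once and logs in later.
SAMPLE_LOG = [_line("10.0.0.5", s, 200, 1482) for s in range(1, 13)]
SAMPLE_LOG.append(_line("10.0.0.5", 13, 302, 0))
SAMPLE_LOG.append(_line("10.0.0.9", 20, 200, 1482))
SAMPLE_LOG.append(_line("10.0.0.9", 50, 302, 0))
SAMPLE_LOG.append('10.0.0.9 - - [12/Mar/2021:10:00:51 +0000] "GET /account HTTP/1.1" 200 3210 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    for ip, verdict in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

The same approach applies to the 2FA case earlier on the page: there the endpoint is POST /login2 and the burst is up to 10,000 requests, so the threshold would be set far lower than the 60-second window allows. Keying the counter on client IP alone misses distributed guessing, so a production detector usually also counts per target account.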

Conclusion

This blog post illustrates how the Intruder tool in Burp Suite can be used to automate testing for weak / easily guessable passwords.


The example shown will not work if the application has implemented a password lockout once a certain threshold of failed attempts is reached. Further configurations could integrate Single Sign-On into the application, which would allow authentication to follow the established corporate password policies. Additionally, a multi-factor authentication (MFA) mechanism should be in place, as MFA is one of the best methods of preventing unauthorized access to applications. Showing a CAPTCHA after a specific number of attempts has been exhausted is another way to prevent brute forcing.
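The lab steps near the top of the page work because the application only logs the user out after two wrong codes, so a macro that logs in again before every request starts each attempt with a clean slate; the conclusion above lists lockout and MFA as mitigations. The following added example, which is not the blog's, the lab's or Burp's own code, shows the server-side counterpart for both passages: a failed-attempt limiter keyed on the account rather than the session, shared by the password step and the MFA step, with a constant-time comparison and single-use codes. The account name, password, code and limits are constructed for illustration.

```python
import hmac
from collections import defaultdict
from datetime import datetime, timedelta, timezone


class AttemptLimiter:
    """
    Failed-attempt counter keyed on the account, not the session. Logging in again
    (as the Burp macro in the lab does before every request) therefore does not
    reset it. After `max_failures` failures inside `window` the key is locked for
    `lockout`; the numbers here are constructed for the demo, not a recommendation.
    """

    def __init__(self, max_failures=5, window=timedelta(minutes=15), lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(list)  # key -> timestamps of recent failures
        self._locked_until = {}             # key -> datetime when the lock expires

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        return until is not None and now < until

    def record_failure(self, key, now):
        recent = [t for t in self._failures[key] if now - t <= self.window]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            self._failures[key] = []

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


class AuthService:
    """Password step and MFA step sharing one per-account limiter (constructed demo)."""

    def __init__(self, passwords, pending_mfa, limiter):
        self.passwords = passwords        # username -> password (demo data only)
        self.pending_mfa = pending_mfa    # username -> current one-time code (demo data only)
        self.limiter = limiter

    def _matches(self, expected, supplied):
        # compare_digest runs in constant time; comparing against an empty value for an
        # unknown user keeps the code path the same whether or not the account exists.
        return bool(expected) and hmac.compare_digest(expected.encode(), supplied.encode())

    def login(self, username, password, now):
        """Returns 'locked', 'ok' or 'invalid'. A correct password does not clear the counter."""
        if self.limiter.is_locked(username, now):
            return "locked"
        if self._matches(self.passwords.get(username, ""), password):
            return "ok"
        self.limiter.record_failure(username, now)
        return "invalid"

    def verify_mfa(self, username, code, now):
        """Same counter as the password step, so wrong codes across re-logins add up."""
        if self.limiter.is_locked(username, now):
            return "locked"
        if self._matches(self.pending_mfa.get(username, ""), code):
            self.pending_mfa.pop(username, None)  # a code is single-use
            self.limiter.record_success(username)
            return "ok"
        self.limiter.record_failure(username, now)
        return "invalid"


def demo():
    """Constructed scenario: valid password, then a run of sequential 4-digit codes."""
    svc = AuthService({"carlos": "example-password"}, {"carlos": "1337"}, AttemptLimiter())
    t0 = datetime(2021, 3, 12, 10, 0, tzinfo=timezone.utc)
    out = [svc.login("carlos", "example-password", t0)]
    for i in range(6):  # 0000, 0001, ... one per second, the way a Numbers payload would arrive
        out.append(svc.verify_mfa("carlos", f"{i:04d}", t0 + timedelta(seconds=i)))
    out.append(svc.login("carlos", "example-password", t0 + timedelta(seconds=10)))  # re-login: still locked
    out.append(svc.login("carlos", "example-password", t0 + timedelta(minutes=20)))  # lock has expired
    out.append(svc.verify_mfa("carlos", "1337", t0 + timedelta(minutes=20)))
    return out


if __name__ == "__main__":
    print(demo())
```

Because the counter survives a fresh login, the 10,000-code search space of the lab is cut off after five guesses. A hard per-account lock can itself be turned against the legitimate user, so production systems usually pair it with per-source throttling, progressive delays or the CAPTCHA step mentioned above rather than relying on the lock alone.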

  • Copyright © 2021 Optiv Security Inc. All rights reserved.

  • No license, express or implied, to any intellectual property or other content is granted or intended hereby.

  • This blog is provided to you for information purposes only. While the information contained in this site has been obtained from sources believed to be reliable, Optiv disclaims all warranties as to the accuracy, completeness or adequacy of such information.

  • Links to third party sites are provided for your convenience and do not constitute an endorsement by Optiv. These sites may not have the same privacy, security or accessibility standards.

  • Complaints / questions should be directed to [email protected]

Most web applications provide a 'forgot my password' feature where a recovery or reset token is delivered to the associated account email address.
