Monday, April 2, 2018

HTTP Basic Authentication bruteforce attack with NSE (Nmap Scripting Engine)


- Layout for this exercise:

- This exercise is based on the previous post Setting up HTTP Basic Authentication.

- The Nmap http-brute script is part of the NSE (Nmap Scripting Engine) and performs brute force password auditing against HTTP Basic, Digest and NTLM authentication.

- Some of the possible arguments are:

     http-brute.hostname = sets the host header in case of virtual hosting
     http-brute.method = sets the HTTP method to use (GET by default)
     http-brute.path = points to the path protected by authentication

- For more information about this NSE script:

- In this example we are pointing at the resources identified by the URL

- Let's suppose simple credentials, for the ease of this exercise:

username = admin
password = ababa

- Creating users.txt and passwords.txt, both stored in the root (/) folder:

- Launching the http-brute script with the right options, the brute force is successful in just 0.08 seconds:

- Checking that the credentials are correct:

- Note: in this exercise a very simple username:password combination has been used, because the purpose was just to illustrate the usage of the attacking tools. However, in the real world complex lists of username:password combinations are available for performing dictionary and brute force attacks. The Kali command #locate wordlists shows many available wordlists, for instance in the folder /usr/share/wordlists
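
- Seen from the server, a run like the one above shows up in the access log as a burst of 401 responses from one client on one path, followed by a success. The Python script below is an added example, not part of the original exercise: it scans Apache combined-format log lines for that pattern. The log lines, the /protected/ path, the IP addresses and the threshold of 5 failures are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" format; the third field is the Basic-auth username (untrusted on a 401).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Default NSE User-Agent. It is client-controlled, so it is only a secondary signal.
NSE_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"

def detect_basic_auth_bruteforce(lines, min_failures=5):
    """Return one finding per (client IP, path) with at least min_failures 401 responses."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after": None, "nse_ua": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        s = stats[(m["ip"], m["path"])]
        if m["status"] == "401":
            s["failures"] += 1
            if m["user"] != "-":
                s["users"].add(m["user"])
        elif m["status"].startswith("2") and s["failures"] >= min_failures and m["user"] != "-":
            # Authenticated success right after a run of failures: credentials were likely guessed.
            s["success_after"] = s["success_after"] or m["user"]
        if "Nmap Scripting Engine" in m["ua"]:
            s["nse_ua"] = True
    return [
        {"ip": ip, "path": path, "failures": s["failures"], "users_tried": sorted(s["users"]),
         "compromised_user": s["success_after"], "nse_user_agent": s["nse_ua"]}
        for (ip, path), s in stats.items() if s["failures"] >= min_failures
    ]

def _line(ip, user, status, ua, path="/protected/"):
    return f'{ip} - {user} [02/Apr/2018:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 381 "-" "{ua}"'

# Constructed sample log: one noisy client, one ordinary browser login.
SAMPLE_LOG = (
    [_line("198.51.100.7", "-", 401, NSE_UA)]
    + [_line("198.51.100.7", "admin", 401, NSE_UA) for _ in range(6)]
    + [_line("198.51.100.7", "admin", 200, NSE_UA)]
    + [_line("192.0.2.20", "-", 401, "Mozilla/5.0"), _line("192.0.2.20", "admin", 200, "Mozilla/5.0")]
)

if __name__ == "__main__":
    for finding in detect_basic_auth_bruteforce(SAMPLE_LOG):
        print(finding)
```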