Monday, April 2, 2018

Bypassing HTTP Basic Authentication with Metasploit


- Layout for this exercise:

- This exercise is based in the previous post Setting up HTTP Basic Authentication.

- Creating the files users.txt and passwords.txt:

- Launching Metasploit in quiet (-q) mode:

- Using the auxiliary module http_login:

- Setting some options:

- Running the exploit, there is a successful login corresponding to the correct credentials:

- Authenticating with the correct credentials, the web resource is available:

- Note: in this exercise a very simple combination of username:password has been used,  because the purpose was just to illustrate the usage of the attacking tools. However, in real world there are available complex lists of combinations of username:password that can be used for performing dictionary and brute force attacks. The Kali command #locate wordlists provides many available wordlists, for instance into the folder /usr/share/wordlists