BYPASSING HTTP BASIC AUTHENTICATION WITH METASPLOIT
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid2gfnc6FALrrTI12a9588RTPt4EoEW3ZAkPtJVokFZgoOdPhzZCa87kiy9f8liCXLbuJh_Y3bWTKFj02pyQzxCWuFKzYRRMg7fIgnsBKG5Xd8DUTvKHyF6LegRAwzI_J8nSduADYXENNZ/s1600/screenshot.24.jpg)
- This exercise is based in the previous post Setting up HTTP Basic Authentication.
- Creating the files users.txt and passwords.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgruny7DEOpEvnLIhZJsPKPkvlKzlu_kJ1z559PiVY4QVAXPwPauqIBfOwMYgcJi3Zx_22quBRBzwUcPm3o-RLHKHFX9LhXuLG8W3T1ePsE3E1EXGOR3rFtTVjdm6ndx8C2wS8yJBWS2zEm/s400/screenshot.59.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZTugHzZQfZ7K8xCWdRKlglVFv8PH9mBENzonjoktEpmfxZSdKmdoiquKErGNXjw75VFqEIXbtJg1FmowJr3VDRWeWew6fMy9qoVnV3MgxptmQGqrdsfO99c-AbwO-Ryx9_tqOteUS1Y8_/s1600/screenshot.53.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO3Jjxoe4DM4p79xyxnMK7Sku_Y0cNnfFJ_SDSwD6RvM6RCPwj3Cg2MCGdnusTRtKdZPiuwThCMs8baNZmx0WwBzG7k6rW3XzSHFIze7mWlVk0wkrN5bqeM-NYULbwWiut5MolT6RjIlRk/s1600/screenshot.54.jpg)
- Launching Metasploit in quiet (-q) mode:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMDF2-g4nb9jZPtnTl79tYvodxp9RRIKb0Z4C2WuIpsofq3YC79JF9lkBbXDgK99X5xJTFv30MH5gtmqcKlKK3324EdIO-ZOxu3tJE245LRm3uQaLGsEPkYUxADn38M9-GgY3j8OSqwnLh/s400/screenshot.55.jpg)
- Using the auxiliary module http_login:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv5-yyVkHKbC_mE2aFXf0y-Yr36PVKGODSHystv6o7wi1ZXuEhoZmCvnRtyeKanP6WJ0OO0INVnekqyt1GKDgkoWBpeubJso-g3SI8MGp0aBYl1dhz7k_7sDllpZMzHL9gxSY_vytbMn71/s1600/screenshot.56.jpg)
- Setting some options:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCuT3f1kPeoQFVyhqGF9GZtGFW-gRiR7bPrlLIIX1Wjn5URIiIkSE7ZGEsf57JtSy8DQFBQlZMGEnuft3sqS7cOEPW06o1QdLX4L2XPZ8WCRmGF2YWorDZMGcMN8OgLJDUVtH4l9vqbtTP/s1600/screenshot.58.jpg)
- Running the exploit, there is a successful login corresponding to the correct credentials:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFgxH8nvjFtjvz7dGGa-Jvq2yzFhcdeWMXMxsWND7YMk5TFWf6WMMYYycN3d1apWp6hnTnAZIvQt_PxFjDEiDqR9MB7V-C9KbSGA6RYvtLSTn-AB-aZ8LLiaLLi26HPYuVZCruv82DWmzi/s1600/screenshot.57.jpg)
- Authenticating with the correct credentials, the web resource is available:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPVgAT6ZnEuf6tvF4cInhEWP2gOlyC1b3-nK6zvasCztsrhOzRbTCZ5R5Zk1WVNjEjoJeuBauXLucp4B1BiiSYf98c3tNkumH3XlDk_yPhZkd93vXOPyICH9E7pHC6gpFrqX8Sd3m-znGw/s1600/screenshot.60.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghTK3jnWxX7o2U5GZzYhgjud5hnYeL2nwMqiYNhZNGA_fBycUOFwsdVh6wjo4iuJ8ML5SdRXwZkaFa_J3jObrAH7lQUXjll6T1he1xAFlBI22lXGFLMO6kfpV1vIz45Ya79Y4i6U5eaZnO/s1600/screenshot.61.jpg)
- Note: in this exercise a very simple combination of username:password has been used, because the purpose was just to illustrate the usage of the attacking tools. However, in real world there are available complex lists of combinations of username:password that can be used for performing dictionary and brute force attacks. The Kali command #locate wordlists provides many available wordlists, for instance into the folder /usr/share/wordlists