HTTP BASIC AUTHENTICATION BRUTEFORCE ATTACK WITH BURP PROXY
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinY2gIcIj5pSw7EOEE16-WEsyQYBov0dZWVxeZnat1vGZveuqN-rJdIjnhfvsT-85hTHTo3U4fSlAl44ydAKyGCwf2OL0Q2jGVqDO5MvCQyWtu8_y8nrTs1t9xXXBQcDH1Tb2Khx48Xc4r/s640/screenshot.24.jpg)
- This exercise is based on the previous post, Setting up HTTP Basic Authentication.
- In this case the goal is to brute-force HTTP Basic Authentication using the Burp Suite Proxy.
- First of all, let's manually configure a proxy connection in the Firefox browser on Kali Linux.
- Firefox -> Preferences -> Advanced -> Network -> Connection Settings:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDNO-hffe3POqZZmowO7TR4_CmI3VlvB4lLsVJX2KWLsHy86ESyQ03bzyPkgOBo1owi820pjEGdzMoVWGtZqMMWTd8Uc7PG2Z9wp__jfpUaYM9Zc6yMWbUZ6Iuue9BTkKAPyI-UyaQ1Cgq/s640/screenshot.1.jpg)
- Manual proxy configuration: listening on localhost port 8080:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2dXxzSdEzNhzQZllKvC86PeTKKxs0FGNkwHHsgMdUaYYC7RJke2uz9PiQ9H0BikWi23A0lOacQAMxsjBnUFh2WXP-sG7SnLgMJ_PhjzWKbpaYZM8homzopcsYhW_Va87O_CCqpToL4V9J/s640/screenshot.2.jpg)
- Launching Burp:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAo9mfpzFDS7XR8mbB6DDRHlx0cnXjF_8GOjEWzyqd7S6Am7eH-4uG7XIvqQrMs1YDnjt59Ec89o9g0lokkqyBW8V89dLTKWi0ZFy3aFDlMMOpC8aca0qCFUt5v_8zcPmbR0LUeQbBtT9y/s400/screenshot.5.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq7zOMXLtqRF18D1FM0SUZUFW8SkE5M8uHunuGsfxqkAgID_iMchYjX9cCTbvRGCdg_UywDBjUI28gfcG8zMTLqAKVbQaSbWW3eXgKnpRK3y3vGyy6HRUIKMTjg9-nhYUyJ-jd-HOtln0c/s1600/screenshot.4.jpg)
- Options tab: checking that the proxy is listening on the localhost interface at port 8080:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8I7Sl-6iRuyCkE_fBobn7BTC5CrMl-l3urcvwwOm0E_K8_RZym7ZfDWHuEzBy8dqjs6GkuXWQsUa2vcy8aHlBS3vdX5j9wdFOeGY5_ZZ7oYnfv-bPitj-4QvKa38of-24POGxjRTjc6mC/s1600/screenshot.6.jpg)
- Connecting the browser to the web page protected with Basic Authentication:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOxxw0qyFOt4oB5V9HW-0QxSzml684X-iQXVllEaSzxR0t0TyPEjcpOtVy4yvnNj_3_VoF9NIZHAvFkd7njmaUOi8lbgpTqBRvzEREdzJUeSvxpCfr_YJwIrJFNCnUXV2vbrRTbS7qNCOX/s1600/screenshot.7.jpg)
- Burp intercepts the request to the web page:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibthEs6kjWZ6Xka9UQsJBa7DUbHyKNM7AvEzmjm58olc-Sa62wFqCfvDUQH-jrL7EHB9xEZvm-a-oiksnAFQrd9PjoP0KlhrhBZS5SbNUdHC_tGmQeVBTy2TS9WfRN7wAoceurQibEHpRU/s1600/screenshot.8.jpg)
- Forwarding the request:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5-bQXlaYCIuEbv3ISAo33D7iEZ6Suorg9ZA43VnEdcc4i22_UiJKZ5MkS1-nEvxNR8kPVFG1F5tjAdOfpKrWNDjnKdXUGoN-Qm2mhvNi0_nueWFEOhx3T3duKSfv58D8DX97H_op0iAHe/s400/screenshot.9.jpg)
- The Apache web server responds with the "Authentication Required" prompt. Let's enter some arbitrary credentials, for instance "asdfg:asdfg":
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAqteaVmhxdTDf3w7Ut2b0Jdu53uydFQEjsm4BlDO_pQ3IX4HRvIiTIWbSpBUWMJlLFCgPoXfjOVVaN4LwZdoYmw-i3KZYZMTADpEFYhojhhXRpbbXErD9XodUgssURh9Dkp-wtOjl0SPf/s1600/screenshot.10.jpg)
- Burp intercepts the request that carries the credentials:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjynZs3VRipA2FLxnLtRZocySAsLy5BhIkP9p3Cmo_swc7PPTyjZWBpn3ugrRy-oyYn4F6mObkn256Ufhjp9waDMXQJQjbhFHtfQAplJYWFvwenrnXhkYWvMx0oTAXnVTNbE3dwyrAU3D4t/s1600/screenshot.12.jpg)
- Now Burp will be used to craft the credentials being sent. For that purpose, the request is sent to Intruder:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL1yIn7qLQTcaq4wLfzjJUnsKMhrNQ3hcqLhQpstI9Y_RNWYbi5kTf2aUE3LxwqUi_GIbCFdA_CVy5YQ_48S6-msW7kWoufc-KIVSnQHYvhcscM98wlLRfm6HIEmCKcgBmuJmqbLzIInQn/s1600/screenshot.13.jpg)
- The target of the attack is www.whitelist.com:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFk5_uiX4tg2Kd22ALp_0a8AskpIYuN9gJmh240LpWExN2mmzs-YW99NPxKNwuUmuWxKnWevDhrLLynFt8MYRIe9ugBfQyjq_aPHNwJAt08oiq_v-sS2gqLST3XLmOkpZV7UQoPqju8wiC/s1600/screenshot.14.jpg)
- The Positions tab is where the insertion point for the attack payload is specified. Base64-decoding the Authorization header value reveals the fake credentials "asdfg:asdfg":
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG8JYQB8IfSiiNwXNWlh2yfXyZrLseBBo85HDVmJMCvF3rln-2-Rklkzcaa_VgOePY6bfu5qaqC9Ajq5wiHSSsHe312oHzqy_WUYr8kuQrnyRvv0cLI8bng3zIfzkn5q6DTLu8JfpkAS3r/s1600/screenshot.15.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxH5Hv-izI1Nu0kw6j2axDveBvq0iYOzuHJNpM2DVs2SpWiNiqjxcLCFM1fOtvRoURpRfm3DE37QmEpe7LS_aKVqLM2_cqv-PEsxCHSSTPolSSCJepQal_XYd-fo9DLcmU4LGH-T8zygXn/s1600/screenshot.16.jpg)
- Marking the Base64-encoded username:password value as the payload position, between section signs (§):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEKNovgsXYLQIEEgwRCDy7DxZmtmLSs1cqn2lSqOGNvqVrPD5jVWzRA90WOSBDTUX05ENqKwikpbPZCAD6dymB4CSFLvrxpm2oDCjTDU_AbPfrs5w3VMb2YnK0OLwGw4GhVdFC6WOSnGrE/s400/screenshot.17.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMMxRoufZkuXTxz4NZOGAShvYghMh7EI1AYYeXVHpupkSJGixdJy-NUgELmnPfVAz5-pPVfRkfSZs0WW0FfySkp0NzpeN2MHMjc6KQXhmLUQq_p1OHJ5-ym_OyYSIsORxUfek9tST-a9Kt/s400/screenshot.18.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuTw5b9l_9bbJzpG_zg5TqHQMukxcdoErbtQdRW30b44DpA2wMMCaq4A23pibO1gT_7LDPu0iFgNhOAusrY9fZ3xMs4MgSRj_aJJFC3qopdLa_TeVeav1-D3xIoSiacjVcEK_ZRZbJbZft/s400/screenshot.19.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVZTos2fL3p7GcU5XEwfwylfn4GRSHpyUx0D1Biv9znTSkRvF_77LoZqFgrX7i49gVliQXx2ZmRANOYLh8Y3QIyBAZMuTR36-KNn2qFRkUqSUm9utQ-oXVRCOjne8rxp85dBJZBydUQYOd/s1600/screenshot.27.jpg)
- In the next tab, Payloads, the payload type is set to Brute forcer.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4y_RgqM9jFqmpcV31tD6-m-Kzgz9aEPIsrffYumCr79iUGWsnjOk-Tq4FtAChjF3Qmg4EOZ4x8meNkfL0-94qDdu4XNFfYlA61OG_Lu9I41XVGocvby8PlsxTZZUsBkPw2sH-3MMbAXqC/s1600/screenshot.20.jpg)
- In this example the character set is simple, just 2 letters (ab), and both the minimum and the maximum length are 5 characters.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDXw6IG8fe_MSH-sdTAQ8OcGJ1hdrMcZGYCyndCtGFXsUM0ZwXmMgqjZ-CNvSrk750XevLZPjG3lyBwm8J8d-Rp16LJ9mWm-KupxL86CzDqjiO6sK9HC-qRS3wknLxS7K8CdF90Uxm3YgB/s1600/screenshot.21.jpg)
- Adding a payload processing rule that adds the prefix "admin:", that is, the username followed by the colon separator:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD7Gupve4kvKlZ32OsWNHJtZ076irxGzm2ZI5mo1d-8QANTKGE2cvo6rOIMKgP1frqW1c1KEIygBuSJoLjrCYtlkVCFWr71jzFX4lhD23m6zicVdyttKjrYtcDpOW_vSuM-EMHu4O-gPrE/s1600/screenshot.22.jpg)
- Adding a processing rule that Base64-encodes the payload, as Basic Authentication requires:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhanC3KUakb2qrg3UKbugIPjPpYKW9oSRzquVOG-NKLjA2anc9zIlC8ldEom6y1stU7BkhIHSQmYmMcmpTpkiXkS9BgzhY5_XHo_7CPSKVZjbVL5lMq8Retqmp__pLvuq0tGuDaZxIeapcr/s1600/screenshot.23.jpg)
- The two rules for processing the payload:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMsppDqUfhprr8VerkZbCdNYpYCgxFwRhxSwMdbLQVXRNo1M0RQFWTACtX7ytI8UtzVwSvhWX3CxcsK1XaaazqC75dm13QWOP_Yro3AR15wwfacRoNm1fF9eOkYEt4J_OsxjSmzli3Rmdu/s1600/screenshot.24.jpg)
- It is also very important to remove the character = from the set of characters that Intruder URL-encodes in the payload, because = is used by Base64 for padding and an encoded padding character would corrupt the Authorization header:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKQ_D2andiUD8tjrqrLsaD03xVOotCz8CpmNSszB8M6hJxrrrJyk7FlVeMNHihnXZMxvCZDQ2820ooU_osVl9Hmh6oYBmFenwvEcgtWVQB7kGN4dEENDlX6HqFotdDUCmO-lbO4y23stZH/s1600/screenshot.25.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIW4RyyzX5ZlNel1bNc4XXPzFvahK1g1-Ru2cMmMAv3NIovWd3AAXM6OxcHcIVU7dg5LFVs6JQTvJ1PUY8e3qChd2d8CcjMpBGTQ1LS9zrC0dU5zkYW_uEf6UctmOu9ZmyrEd7Edd4boV1/s1600/screenshot.26.jpg)
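As an added example (not code from the original post), the two processing rules above and the padding problem, reproduced in Python: `build_basic_value` mimics the prefix and Base64 rules, and `parse_basic_authorization` decodes the header value the way a server does, rejecting a value whose `=` padding was URL-encoded. Both function names are assumptions for this illustration.

```python
import base64
import binascii
from typing import Optional, Tuple

def build_basic_value(password: str, username: str = "admin") -> str:
    """Mimic the two Intruder rules: prepend 'username:' then Base64-encode."""
    raw = f"{username}:{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def parse_basic_authorization(header: str) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <b64>' value as a server would.
    Returns (user, password), or None when the value is not valid Basic auth."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet, such as
        # the '%' of a URL-encoded '%3D'; a missing '=' fails on padding.
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password

if __name__ == "__main__":
    # 'admin:ababa' is 11 bytes, not a multiple of 3, so Base64 needs one '='.
    value = build_basic_value("ababa")
    print(value, parse_basic_authorization("Basic " + value))
    # If Intruder had URL-encoded '=', the server could not decode the header.
    print(parse_basic_authorization("Basic " + value.replace("=", "%3D")))
```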
- The attack is ready to be started:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv2q8wtYLhqA4h-aVCOwVCnmz_yFjbdHwtoniw92DYvq9cenEDI3oTR2FWzCwIYIPH9We0IZpZIZdSD93jkscwylxHq8VVJ_bUTIzMqmequpheaHeCcdbhMX-FBUJAMyEXRrl2RXtl3clm/s1600/screenshot.27.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAIyoSUnsNquwEuhicJcMTT-t3i7Su8h5lKOCHDj62jxqEuzqXMTl1vqlQZ4ELeFN8ENxoIb3RnslHb9awq92SAx5jloxDd5Q59pQrEWeZwcKGtP901GUw-9ZVg3fysgHvCmxLUq5bC3Ri/s400/screenshot.28.jpg)
- Because the character set has 2 characters and the length is 5, the total number of tries will be 2^5 = 32.
- The attack starts, and the response status is 401 until a 200 response is received. Obviously, the 200 response corresponds to the successful try:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiywyFnnGdrATHsr_rwOVGTwPPtC_T04en2gsVYVs7gMC8GlZlh-8zL4b65BJBQLjf_V77gi9tpglvv4IIZymjxsJux-qR7IaFFEYb2KVMC9QspfeoH0vgxpOnhZxrtcMugX-bPejLHUzNW/s1600/screenshot.29.jpg)
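Seen from the Apache side, the run above leaves a burst of 401 responses followed by a single 200 from the same client. As an added example (not part of the original post), a small detector over Apache combined-format access log lines that flags that pattern; the log lines, the TEST-NET client addresses and the `/private/` path are constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined format; field 3 (%u) is the client-supplied username, logged even on 401.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_basic_auth_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Alert when one client collects `threshold` 401s on one path inside
    `window`, and again if a 200 for that client/path follows the burst."""
    failures = defaultdict(list)          # (ip, path) -> 401 timestamps
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["path"])
        if rec["status"] == 401:
            # sliding window: drop failures older than `window`
            failures[key] = [t for t in failures[key] if rec["ts"] - t <= window]
            failures[key].append(rec["ts"])
            if len(failures[key]) == threshold:
                alerts.append({"event": "burst", "ip": key[0], "path": key[1], "user": rec["user"]})
        elif rec["status"] == 200 and len(failures[key]) >= threshold:
            alerts.append({"event": "success_after_burst", "ip": key[0], "path": key[1], "user": rec["user"]})
            failures[key].clear()
    return alerts

def sample_log():
    """Constructed sample: a client on a TEST-NET address sends 12 wrong
    passwords for 'admin' to the protected /private/ path, then gets a 200."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    tmpl = '192.0.2.10 - admin [{ts}] "GET /private/ HTTP/1.1" {st} 381 "-" "Mozilla/5.0"'
    lines = []
    for i, st in enumerate([401] * 12 + [200]):
        ts = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(tmpl.format(ts=ts, st=st))
    # one mistyped password from another client is not an alert
    lines.append('198.51.100.7 - bob [10/Oct/2023:13:56:00 +0000] "GET /private/ HTTP/1.1" 401 381 "-" "curl/8.0"')
    return lines
```

Running `detect_basic_auth_bruteforce(sample_log())` yields one "burst" alert at the tenth 401 and one "success_after_burst" alert for the 200 that follows it.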
- Base64-decoding the successful payload:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBT0n6Qi7LDJqp0sXQPwgaca-IcAu1NchIeUjyouZXlLSf-edUEauECck2nBqit2VTUmrJ7Gjb8YqVD3y-o_ec8tZWRjI-PY-0p9i9owyhaxx7XsZV2L8VJX1EskQWlcOv7itgBhkmvXVm/s1600/screenshot.30.jpg)
- The result is the correct credentials "admin:ababa":
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGoDJqxy_6sfKXAGUbc5yVI7I4zUKmzzULQuRNXyzlf3wvqWJxagZYYad2sANprjLTvHk91o4D9E1EO0ActKGZEIkS7uW2BPMKeoNZfvqSOj7kBYvq0R3N3Mwjshjj0kKlI1i1aAT3_3uk/s1600/screenshot.31.jpg)
- The web server responds, as expected, with the HTML code of the web page:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXSofhFvBGMGPUkGy9NQxKTduRJLYE911mQ_PZaqRFksALm3vJKVfrJINjCTmOCBDIcLwIaQBZZcoUzgdbwxnLxv7UJOIM6fR6nUdw_7UVvbwKqCmpS2yXycnbpNnaDJrC0SpHvhUXMzLQ/s1600/screenshot.35.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeiLhHUYGHrLPLi_yoebbP5tVzFKyqQVr40H3rvJQCH00hhYCp1SWNvnkyp1UhDSfRTN8nSAmO4oVtQrhUxtgdmEEmSMV3FW383YoTCumwrPE8JNJFp3SVlPxKQ6Or1hE3jhyphenhyphenT4kLeoKZV/s1600/screenshot.36.jpg)
- Removing the proxy configuration from Firefox:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN6cTjNqs00HWSfHFdNGxwMBWf3vrd1sq_KPvitveglw9MCNPrcSAActqtGnC-Om83c3lBc-F7XvhSkyKOE5c52Yjo_5B0x5XTOtF9eOh_9bcovmyiWwGmojGjxNxYSmWHvVQKoBXFKDaL/s1600/screenshot.33.jpg)
- Finally, after authenticating with the correct credentials, the web page is available:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwqdobh_uPzY9yqpY8RjSRpPS1vxdE7wsuoT410dxc5eTyLQORKnAb8VAiuRnaKHQ4oJbaqvvlexQtAm2IToh6vpAnPRWZ2uJzYD22pnViVKPkOdhyphenhyphentjuiJLKjainTjUsEu_oSq8XSJcmY/s1600/screenshot.32.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAdoc6fkrAQI7NrICcs05hUbv6M0hZz9-wzf1ri_9_SoL1axSNkpPN36ihrh7e8atSozpFEjPG62uFcRnqv3IhUoFUwOMEs-JHXxrHWv4bAlJl2hg6pjkL371DuaoS0zri3XXzE6TopcaB/s1600/screenshot.34.jpg)