Monday, April 2, 2018

HTTP Basic Authentication bruteforce attack with Burp proxy


- Layout for this exercise:

- This exercise is based on the previous post Setting up HTTP Basic Authentication.

- In this case the goal is to brute-force HTTP Basic Authentication using the Burp Suite Proxy.

- First of all, let's manually enable a proxy connection in the Firefox browser on Kali Linux.

- Firefox -> Preferences -> Advanced -> Network -> Connection Settings:

- Manual proxy configuration: listening on localhost port 8080:

- Launching Burp:

- Options tab: checking that the proxy is listening on the localhost interface at port 8080:

- Connecting the browser to the web page protected with Basic Authentication:

- Burp intercepts the request to the web page:

- Forwarding the request:

- The Apache web server responds with the "Authentication Required" message. Let's enter some arbitrary credentials, for instance "asdfg:asdfg":

- Burp intercepts the request that carries the credentials:

- Now Burp will help us craft those credentials. For that purpose, the request is sent to Intruder:

- The target of the attack is

- The Positions tab specifies where the payload is inserted for the attack. Decoding the Base64 value reveals the fake credentials "asdfg:asdfg":

- Marking the username:password position between section signs (§):

- On the next tab, Payloads, the payload type is set to Brute forcer:

- In this example the character set is simple, just the 2 letters "ab", and both the minimum and maximum length are 5.

- Adding a payload processing rule that prepends the prefix "admin:", corresponding to the username:

- Adding a processing rule for Base64 encoding, which Basic Authentication uses:

- The two rules for processing the payload:

- It is also very important to remove the = character from the payload-encoding character list, because Base64 uses = for padding and it must reach the server untouched:

- The attack is ready to be started:

- Because the character set has 2 symbols and the length is fixed at 5, the total number of tries will be 2^5 = 32.

- The attack starts; the response status stays 401 until a 200 response is received, which corresponds to the successful try:

- Decoding with Base64:

- The result is the correct credentials "admin:ababa":
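The post's three technical points (the Base64-decoded credentials shown in the Positions tab and after the attack, the 2^5 = 32 keyspace count, and the run of 401 responses ending in a single 200) can be shown in working code from the server side. The script below is an added example, not part of the original post or of Burp: it decodes and encodes Basic Authentication headers, generalises the keyspace count to a length range, and flags the same 401-then-200 pattern in constructed Apache combined-format access log lines (the IP addresses, usernames, timestamps and path are made up for the example; the threshold and window are assumed tuning values).

```python
import base64
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def keyspace_size(charset_len, min_len, max_len):
    """Number of candidates a brute forcer generates for lengths min_len..max_len.

    With 2 symbols and min = max = 5 this is 2^5 = 32, the figure in the post;
    a length range sums n^k over every length k in the range.
    """
    return sum(charset_len ** k for k in range(min_len, max_len + 1))


def encode_basic_auth(user, password):
    """Build the Authorization header value Basic Authentication sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def decode_basic_auth(header_value):
    """Recover (user, password) from a Basic Authorization header value.

    Basic Authentication only Base64-encodes the credentials; anyone who can
    read the header (a proxy such as Burp, or a log) can read them back.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic scheme Authorization header")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password


# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "user": m["user"], "ts": ts,
            "request": m["request"], "status": int(m["status"])}


def find_basic_auth_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag client IPs with at least `threshold` 401 responses inside a sliding window.

    Returns {ip: {"failures": peak 401s seen in the window,
                  "success_after_failures": True if a 200 followed the burst}}.
    A 200 right after a burst of 401s is the server-side view of the
    successful try the post observes in Intruder.
    """
    recent = defaultdict(deque)  # ip -> timestamps of 401s still inside the window
    flagged = {}
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        ip, ts, status = rec["ip"], rec["ts"], rec["status"]
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()
        if status == 401:
            q.append(ts)
            if len(q) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "success_after_failures": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif status == 200 and len(q) >= threshold:
            flagged[ip]["success_after_failures"] = True
    return flagged


def sample_log():
    """Constructed log lines: 31 failed tries then the successful one, plus one normal client."""
    base = datetime(2018, 4, 2, 10, 15, 0, tzinfo=timezone(timedelta(hours=2)))
    lines = []
    for i in range(32):
        ts = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        status = 200 if i == 31 else 401
        lines.append(f'192.0.2.10 - admin [{ts}] "GET /protected/ HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')
    ts = (base + timedelta(seconds=5)).strftime("%d/%b/%Y:%H:%M:%S %z")
    lines.append(f'198.51.100.7 - alice [{ts}] "GET /protected/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    print(keyspace_size(2, 5, 5))
    print(decode_basic_auth("Basic YXNkZmc6YXNkZmc="))
    print(find_basic_auth_bruteforce(sample_log()))
```

Running the script prints 32, the decoded pair ('asdfg', 'asdfg'), and a single flagged client, 192.0.2.10, with 31 failures and a success after the burst; the normal client is not reported. The sliding window keeps the check cheap enough to run over a live access log, and the threshold is the knob to tune against the legitimate mistyped-password rate of the site.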

- The web server responds, as expected, with the HTML of the web page:

- Removing the proxy configuration:

- Finally, authenticating with the correct credentials, the web page is available: