October 28, 2017

Burping a Login Page

Scenario

I’ve got Burp Suite Pro v1.7.27 configured as the proxy server for the Firefox browser.  The Web Application takes me to a login.php page.  I don’t know the login credentials, but I want to.  Here I’ll walk you through my method of Burping a login page.

DVWA login page

Interception

I set up Burp to intercept my request to the login.php page.

Burp Proxy Intercept on

I put random crap into the login.php username and password fields, just to make the form submit.

dvma-login-crapuser-crappassword

Intruder

Now that I have intercepted the login request, I can use it with a dictionary of usernames and passwords to brute force the login.  To do that, I need to send this request to the Intruder tab, by clicking the Action button, then selecting Send to Intruder.

Select Action then click Send to Intruder

I click on the Intruder tab to setup the attack.  By default the second level tab will be a number (e.g. 5), but you can rename it by double clicking it and giving it a name.  This is handy when you have multiple attacks that you are performing.  I’m attacking the login.php page, so I renamed 5 to login.php.

burp-intruder-target

Positions

I click on the Positions tab next to display the request again.

burp-intruder-base-request

Now, I can see that there a few values that have been highlighted and surrounded by a weird looking character (§).  Those values in between the §…§ symbols mark the values in which we will attack and are called positions.  I don’t care about the fields other than the username and password fields, so I remove the surrounding §’s from the other values.

Help with Attack Types

Now that I have my positions identified, I need to select the appropriate Attack type from the drop down list.  I’m not sure which one to choose (Sniper, Battering ram, Pitchfork, or Cluster bomb).  I go to the Burp Suite Documentation from the Help menu option.

Burp Help menu

Burp Cluster Bomb

I’m choosing a Cluster bomb attack, because I’m attacking 2 different unrelated fields.

Selecting cluster bomb

Next, I will set up the payloads for each position.  The positions will be identified by numbers on the Payload tab, which is just the order of them highlighted.  For my attack, as I traverse down from the top the username value is 1st, so I will refer to it as 1.  The password value is 2nd, so I will refer to it as 2.

Now that I know which each position is, I click the Payloads tab to define what I’m going to attack them with.

Burp Intruder payloads

Usernames

First I will build a simple dictionary for the username values.  I’m guessing that there is an admin, administrator, or root user so I add them to the list.  First, I make sure that Payload set 1 is selected for the username values.  Then, I go down to the Payload Options [Simple list] section and I type each username guess into the textbox next to the Add button to add each one.  You can see each one get added to the list.

Passwords

Now that the username guesses are in place, it’s time to load up the dictionary for the passwords.  I’m going to use one of Burp’s built-in dictionaries first, in hopes of getting lucky.  Rather than typing in the names manually like I did for the usernames, I click Add from list dropdown list (just below the Enter a new item textbox) and select Passwords.

burp-intruder-payloads-passwords

I could load up multiple list into this payload here, but I’m going to try this one (Passwords) individually to see how successful it is.  Once I see that I have password guesses loaded into my payload.  I click Start attack.

Burp ready for the attack

Attack

After clicking the Start attack button, a second Burp window will pop-up.  A progress bar at the bottom will tell me when it’s finished.

Analyze Burp results

Analysis

Now the analysis phase comes into play.  How do I figure out which (if any) guesses were successful?  I must check the responses from the web server for a clue.  My strategy:

  • Check for a different status code returned from the server = NOGO, they are all 302 redirects.
  • Check for a difference in the length = NOGO, they are all 435 bytes.
  • Since all are redirects, are all response going to the same location? BINGO, they are not!!  All responses except one goto to Location: login.php.  I found one that goes to Location: index.php.

burp intruder attack analyze

And look what I found!  Looks like I could’ve just guess that manually in less time rather than setting up Burp to do it.  Oh well, lesson learned!

Not surprisingly, I successfully logged in using admin/password

Burp Im In

Conclusion

Always try the default credentials first.  There are a lot of uneducated users out there who just plug things into the Internet.  Research what the default passwords are for the system you are trying to login to, try them.  Then make sure your own passwords are not the default ones.