
Seattle v0.3 – Burpsuite bruteforce

In the previous post I managed to log in to the Seattle v0.3 vulnerable Web Application using a simple SQL Injection command after finding out the username of the Admin account for the site.

In this post I wanted to use one of my favourite tools in Kali Linux, Burpsuite. There are a ton of videos and blogs on how to set up Burp from a beginner's standpoint. Essentially Burp acts as a proxy. When you browse the web you do so through Burpsuite, and it captures the requests and responses passing between client and server. It’s a great tool.

Seattle VM Login

Once again let’s go to the login page of the Seattle Sounds website. This time I’m not going to use SQL Injection to log in. I wanted to use the known credentials to test a fully working bruteforce using Burpsuite.


No different from last time. We need to enter an email address to log in. We know from the last post that the username is ‘admin@seattlesounds.net’. I just want to test this application so that Burp can grab the request.

A little on Burp

You set up Burp as a proxy server. Give Burp the IP of localhost (127.0.0.1) and usually port 8080. You then have to point your browser's proxy settings to this IP and port. This passes every request through the Burp proxy, which also handles any responses that come back.

Back to the Action!!


So, if we just enter the login details of anything really and hit login, you will see nothing happens. It just spins. This is because the request is being held in Burp. Over to Burpsuite we go to see what is going on.

There is a lot going on in Burpsuite, however, a neat thing is any active tab glows orange when it receives data. In the ‘Proxy > Intercept’ tabs you will see some information.


When you hit ‘Login’ on the site's page it sent the Request off to what it thought was the webserver. In actual fact it went to Burpsuite and was held frozen for you to do something with it. You can ‘Forward’ this request on to the web server, however, we need this information.

At this point right-click the ‘Request’ text and choose ‘Send to Intruder’. It sounds very bad, but don’t worry. The Intruder tab will glow orange as it’s received the data you sent it. Navigate to the ‘Intruder’ tab.


It’s important to do a few things when you hit this window. You will be in the ‘Positions’ tab.

  • Hit the ‘Clear $’ button on the right
  • Highlight the username entered text and hit the ‘Add $’ button
  • Highlight the password field text then also hit the ‘Add $’ button
  • Select the drop down menu in ‘Attack type:’ and select ‘Cluster Bomb’

This part is important because you are selecting the payload positions and the type of attack you want to perform. You can look up the attack types if it interests you; some are useful for certain situations. For this we need Cluster Bomb, which takes one payload set per marked position and tries every combination of them, as we are testing a username with various passwords.

Navigate to the ‘Payloads’ tab.

Payload set: 1 – This is where you set the username shown in the image below

payload1

Payload set: 2 – This is where you either ‘Load’ a precompiled dictionary list of passwords or just add them manually.


There are a few options we can enter in the ‘Options’ tab to check against Response parameters, however, it’s not needed here.

Hit the ‘Start Attack’ button. You’ll receive a message about Burp being free and any test will be throttled, however, just hit ‘OK’.

A new window will appear and before long (a few seconds) it will be finished.


Success!!

Wait, what just happened? I’m confused!

You still need to kind of do some looking around this screen to see if your brute force attempt was successful. I’ve used Burp for a number of months now so I know what to look for. In the interests of quickness you should pay attention to the following.

  • Raw Response tab can be very useful
  • The character length of the response changes in this example from 261 to 320.

This means that the password ‘P@ssw0rd’ was correct for this username. You’d still need to navigate to the site and enter these details. Burp only sends and receives RAW responses and sends Requests without the GUI of the site. The site will still be spinning away in the background in your browser.
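From the defender's side, the same run stands out in the web server's access log: a burst of login POSTs from one client, with one response size that differs from the rest. The following is an added example, not part of the original post; the Apache combined log format, the `/login.php` path, the window and threshold, and the sample lines (which reuse the post's two lengths for illustration) are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/login.php"        # assumed path; the post does not name it
WINDOW = timedelta(seconds=60)   # assumed detection window
THRESHOLD = 5                    # assumed max login POSTs per client per window

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse(line):
    """Return (ip, timestamp, method, path, size) or None for unparseable lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m["size"] == "-" else int(m["size"])
    return m["ip"], ts, m["method"], m["path"].split("?")[0], size

def detect_bruteforce(lines):
    """Flag clients whose login POSTs exceed THRESHOLD inside any WINDOW."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH:
            attempts[rec[0]].append((rec[1], rec[4]))
    findings = {}
    for ip, hits in attempts.items():
        hits.sort()
        start, burst = 0, 0
        for end in range(len(hits)):          # sliding window over timestamps
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            burst = max(burst, end - start + 1)
        if burst > THRESHOLD:
            # The most common size is the "login failed" page; anything else
            # marks the moment a guess may have succeeded.
            usual = Counter(size for _, size in hits).most_common(1)[0][0]
            odd = [(ts.isoformat(), size) for ts, size in hits if size != usual]
            findings[ip] = {"burst": burst, "usual_size": usual, "outliers": odd}
    return findings

# Constructed sample log lines (not captured from the Seattle VM).
SAMPLE = [
    f'10.0.0.5 - - [12/Mar/2017:10:00:{s:02d} +0000] "POST /login.php HTTP/1.1" 200 {n}'
    for s, n in [(1, 261), (2, 261), (3, 261), (4, 261), (5, 261), (6, 320), (7, 261)]
] + ['10.0.0.9 - - [12/Mar/2017:10:03:00 +0000] "POST /login.php HTTP/1.1" 200 320']
```

An outlier timestamp is the point at which to check which account logged in and to reset its password.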

Burp is amazing

I do like Burpsuite. I’ve used it a lot, and there’s so much more it can do. It’s detailed quite well in the book “The Hacker Playbook”, only it’s the Pro version they use. The free version has limitations.

In the next post I want to use SQLMAP to enumerate the backend databases.

Thanks!

Once again, thanks to HollyGraceful for creating the VM for everyone to exploit. Also to Vulnhub for hosting it.

 
