Broken brute-force protection, IP block
To access the lab visit the following link:
This lab is vulnerable due to a logic flaw in its password brute-force protection. To solve the lab, brute-force the victim’s password, then log in and access their account page.
- Your credentials: wiener:peter
- Victim’s username: carlos
- Candidate passwords
Click on the given button to access the lab
On the lab’s homepage we can see a “My account” option. Let’s click on that to attempt a login.
Let’s log in using the victim’s username and capture the login request with Burp. In this case I used “test” as the password.
As soon as we submit the login, the server responds with “Incorrect password.” This message is itself a weakness: it confirms that the username exists and that only the password is wrong. A response that distinguishes a bad username from a bad password lets an attacker enumerate valid accounts and concentrate on guessing the password for a known valid username.
Let’s find the POST request in Burp’s HTTP history. Right-click it and send the request to Repeater.
In the Repeater tab we send the same request again and again and watch the server’s response; after the third attempt it says “please try again after 1 minute.”
This means when we send the same login request multiple times, the server tracks the number of attempts made within a certain period. To prevent further attempts, the server temporarily blocks any additional login attempts from the same source (IP address, user account, etc.) for a specific duration, which is 1 minute in this case. This is designed to protect against brute force attacks, where an attacker tries to guess the password by rapidly sending many login requests.
In this case we have used the correct username and incorrect password.
Now, let’s try to log in with a known correct username and password. In this lab we have the correct username wiener with the password peter.
When we login with these credentials we can see the response code received is 302.
We can see a “Follow redirection” button in the repeater tab. Let’s click on that button and render the response in response tab.
On rendering response after redirection we can see that we are redirected to login page again.
Now, let’s log in again with the correct username and an incorrect password to see the server’s response. The response shows “Incorrect password”, which means the account is not locked now and the counter has been reset.
In this application, two incorrect password attempts followed by a login with valid credentials do not trigger the block. This indicates that the server’s counter of failed login attempts starts with the first failure and is reset by any successful login, regardless of which account the successful login was for.
- First attempt: incorrect password. Server records one failed attempt.
- Second attempt: incorrect password. Server records the second failed attempt.
- Third attempt: correct password. Server resets the counter.
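To make the flaw described above concrete from the server’s side, here is an added simulation (not part of the original walkthrough or the lab’s code) of the two counter designs. `FlawedIpLimiter` models what the lab does: a single per-IP failure counter that any successful login resets. `HardenedLimiter` keeps timestamps of recent failures per IP and per (IP, account) and never clears them on success; they only age out of the window. The attempt stream, the `203.0.113.7` address, and the assumption that the third failure in a 60-second window triggers the block are all constructed for this example.

```python
from collections import defaultdict

WINDOW_SECONDS = 60          # the lab's block lasts 1 minute
MAX_FAILURES = 3             # assumption: the third failure in a window triggers the block
ATTACKER_IP = "203.0.113.7"  # constructed sample address (TEST-NET-3 range)


class FlawedIpLimiter:
    """Models the lab's logic flaw: one failure counter per source IP that is
    zeroed by ANY successful login from that IP, no matter which account."""

    def __init__(self):
        self.failures = defaultdict(int)  # ip -> consecutive failures
        self.blocked_until = {}           # ip -> time at which the block expires

    def attempt(self, ip, username, password_ok, now):
        if self.blocked_until.get(ip, 0) > now:
            return "blocked"
        if password_ok:
            self.failures[ip] = 0         # the flaw: wiener's success wipes carlos's failures
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_FAILURES:
            self.blocked_until[ip] = now + WINDOW_SECONDS
            self.failures[ip] = 0
        return "incorrect"


class HardenedLimiter:
    """Keeps the timestamps of recent failures keyed by source IP and by
    (ip, account). A success never erases them; they only age out of the
    window, so interleaving valid logins for another account resets nothing."""

    def __init__(self):
        self.failures = defaultdict(list)  # key -> [failure timestamps]

    def _recent(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        return len(self.failures[key])

    def attempt(self, ip, username, password_ok, now):
        if (self._recent(ip, now) >= MAX_FAILURES
                or self._recent((ip, username), now) >= MAX_FAILURES):
            return "blocked"
        if password_ok:
            return "ok"
        self.failures[ip].append(now)
        self.failures[(ip, username)].append(now)
        return "incorrect"


def interleaved_pattern(rounds):
    """Constructed attempt stream with the walkthrough's shape: two wrong guesses
    for carlos, then one valid login as wiener, repeated. Tuples are (ip, user, password_ok)."""
    one_round = [(ATTACKER_IP, "carlos", False),
                 (ATTACKER_IP, "carlos", False),
                 (ATTACKER_IP, "wiener", True)]
    return one_round * rounds


def run(limiter, attempts):
    """Feed the attempts one second apart and return the server's verdicts in order."""
    return [limiter.attempt(ip, user, ok, now) for now, (ip, user, ok) in enumerate(attempts)]


if __name__ == "__main__":
    stream = interleaved_pattern(4)
    print("flawed  :", run(FlawedIpLimiter(), stream))
    print("hardened:", run(HardenedLimiter(), stream))
```

Running it shows the flawed limiter never blocking the interleaved stream, while the hardened one blocks from the fifth attempt onward because the three carlos failures are still inside the window. The hardened design is still an IP block, so the legitimate wiener login from the same address is blocked too; that is the expected cost of source-based throttling, and a production system would pair it with per-account controls and a window that fits its traffic.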
So to brute-force the password we need to log in with the correct credentials after every two incorrect attempts. We are provided with the password list on the lab page.
We have a list of 100 passwords, and after every 2 passwords we need to add wiener’s correct password so that we can carry out the brute-force attack without hitting the block. I have copied the password list and created a “password.txt” file in VS Code.
To add the correct password after every two passwords in the provided list I have written the following Python code. The code generates two lists, one of usernames and one of passwords, which we will use together to carry out the brute force.
You can copy the same code below:
```python
# Generates the two Intruder payload lists used below: a username list and a
# password list, aligned so that every third pair is wiener:peter.
print("------usernames------")
# Every third entry is wiener; the other two are carlos (150 = 100 candidates + 50 inserted).
usernames = ["wiener" if (i + 1) % 3 == 0 else "carlos" for i in range(150)]
for username in usernames:
    print(username)

print("------passwords------")
# password.txt holds the 100 candidate passwords from the lab page, one per line
with open("password.txt", "r") as f:
    lines = [line.strip() for line in f if line.strip()]
for i, pwd in enumerate(lines):
    print(pwd)
    if (i + 1) % 2 == 0:
        print("peter")  # insert the known-good password after every two candidates
```
When we execute the code it prints the username list first: after every two entries of carlos it adds wiener, matching the position where wiener’s password will be inserted in the password list.
After the usernames it prints the password list, adding wiener’s correct password after every two candidate passwords. We will use these two lists to run the brute-force attack.
To start the brute-force attack, right-click on the captured request and send it to Intruder.
In the Intruder Positions tab, set the attack type to Pitchfork.
Click on “Clear §” to remove all the automatic payload positions. Highlight the value of the username parameter.
Click on “Add §” to mark this value as a payload position. It will be surrounded by § symbols.
Highlight the value of the password parameter.
Click on “Add §” to mark this value as a payload position. It will be surrounded by § symbols.
Navigate to the “Payloads” tab in Intruder. You can see the Payloads tab in the Intruder section as shown below.
In the “Payload sets” section, make sure “Payload set 1” is selected; it corresponds to the first position you marked (the username).
Set the payload type to “Simple list”.
Copy the usernames generated by the code and click “Paste” in Intruder’s Payload settings section to add the list.
Now, in the “Payload sets” section, select “Payload set 2”; it corresponds to the second position you marked (the password).
Set the payload type to “Simple list”.
Copy the passwords generated by the code and click “Paste” in Intruder’s Payload settings section to add the list of passwords.
Now, go to the “Resource pool” tab in Intruder, select “Create new resource pool”, tick “Maximum concurrent requests” and enter 1 in the box next to it.
By default a resource pool sends 10 concurrent requests, but in this case we want the requests to go one by one, in list order, so that the interleaved valid login always arrives after the two failures and the server does not block us.
Now that we have set all the payloads, click on the “Start attack” button.
Burp Suite will send each username in our list with its corresponding password and display the results in the Intruder window.
When the attack finishes we find that only one request for carlos returns a 302 status code. The password that produced it is shown in the Payload 2 column.
Let’s go back to the login page and log in with the correct username and the password we identified.
We are successfully logged in, and the lab is marked as solved.
Congratulations! The walkthrough of the sixth authentication lab finishes here.
You can see the walkthrough of the seventh lab by clicking the following link: