Web App Penetration Testing - #3 - Brute Force With Burp Suite

Video Statistics and Information


They are on the channel

👍︎︎ 1 👤︎︎ u/AlexiBesto 📅︎︎ Mar 21 2018 🗫︎ replies
Captions
[Music] hey guys HackerSploit here back again with another video welcome back to the web application penetration testing series in this video going to get started with brute forcing with Burp all right so our uh vulnerable web application of choice is going to be the damn vulnerable web application as we discussed in the previous video all right and i'm going to be using metasploitable 2 as our as my server by default you can install meta you can install the damn vulnerable web application on your kali linux and you can host it on your local on your local server and you can you can then perform your attacks uh but i like running it from an another virtual machine and as you can see i'm running it on the metasploitable 2 virtual machine and by default it's connected to my local network and it's bridged so you can see that my local ip address is 192.168.1.102 all right so i already have the damn vulnerable web application open as you can see it is running on the that ip address of the metasploitable two virtual machine under the damn vulnerable web application so for those of you asking why i'm using metasploitable 2 instead of metasploitable 3 it's because metasploitable 2 has a a much larger choice in terms of vulnerable web applications and it's really good for practicing all right so make sure you're logged into your damn vulnerable web application you need the default username it now password is password all right it's really very simple and now what we're going to be going through in this series uh the web application penetration testing series is we're going to start off with brute forcing command execution csrf file inclusion sql injection and your cross site scripting all right so we're gonna sort it out that way i thought it would be much better if we do it that way all right by default in this video we're gonna set our security level to low if you don't know how to do that you can go into your damn vulnerable web application security and you can set that 
to low and you can just hit submit the reason we're setting it to low is because most uh logins are you know if you look at the real world if you're talking about big sites this attack may very well work on sites that are older or sites that have not been updated or sites that don't have good security you'll be shocked to find some really big companies that actually don't have any login protection or brute force protection for that matter now that being said what i was talking about is if we go to brute force you can see that we have a login prompt here now i've forgotten the username and password and we're going to be brute forcing it live all right but before we do that we need to actually start our Burp all right so start up Burp Suite and you can see i'm using the community edition and it is the latest version all right so make sure that yours is the latest version obviously for obvious reasons and we're just going to start a temporary project because i don't use the pro version and we're going to hit use the Burp defaults we're going to start Burp all right give that a few seconds to start the to start Burp and now you want to make sure you you're using the proxy so we're gonna go into preferences and advanced and uh oops uh burp is opened up let me just go into my proxies network settings and we make sure that it's using the manual proxy configuration which is the local host 127.0.0.1 and the port is 8080. 
we're going to hit okay excellent now we need to move into burp back again and we want to make sure that we're going to proxy and the intercept is set to off all right the reason we're setting the intercept off is because i just want to show you something first now by default intercept essentially just means that you're not intercepting the request uh the requests and the responses being sent from the web application to your browser okay so we have already set the proxy for the browser but we're not intercepting so uh if we just test a random username like test and we say password like one two three four five you can see if i hit login it's gonna tell me that that is incorrect now if i set the intercept to on to see the request let me just turn it to on and we can now reload this so we can say test and the password one two three four five we can see that uh now it's for some reason let me just forward that i'll have to actually just turn that off and we now say log in and for some reason that is not allowing us because we have to reload all right so now if i hit intercept on and oops let me just open up my browser and i hit the password one three four five log in for some reason it's gonna you know it's gonna it's little reloading here uh i probably there we are all right so i've reloaded the page and as you can see now the intercept is on and we go back to burp uh you can see that we got the get request being sent by the web application now let's inspect it for a while now we'll be looking at what all of this really means but by by default the most important thing right now is the get request all right so you can see that the get request has two values here it has the username and the and the password now the the values again are not important we're going to be brute forcing the values but it's very important to get the fields that we're using here now what am i talking about here if you look at the cookie you can see the security is low and if you are to edit the 
value and for the packets you can set it to high that is basic stuff that's kids stuff right but now we want to brute force this login all right and how do we do that you can see uh the first thing we need to do is we're going to be using the intruder all right so if you're a bit confused about what the intruder is don't be worried the intruder is essentially allow allows us to edit the parameters it allows us to edit the requests and then obviously edit them and manipulate them so you can get the desired results now the great thing about the in the intruder is it allows us to perform attacks like the brute force etc etc all right but now what we need to do is we need to send this request into the intruder so that we can send our own response all right so we're going to right click and send to intruder so we just send it to intruder and once it's sent to the intruder you can just hit forward all right we don't need window we don't need that get request anymore so now you want to go into the intruder and you want to go into your positions and as you can see in your positions you have got you have got uh the get re request that we were we had just intercepted and now you can see something really interesting it's highlighted for you all the different payloads okay or the different fields that we can brute force for by default we have the username value the password value the login value we have the f the sfid value we have the uh the cookie value no no no we don't need all of these the only values that we need are the username and the password value so the most important thing you need to do right now is you need to clear just hit clear all right oops sorry not that clear i beg uh i know i beg your apology there uh i sorry i didn't mean that what i'm trying to say is i'm sorry just clear just hit clear and as you can see now no values are being selected to be brute force against so now we need to select them manually but before that we're going to be using the uh 
the cluster bomb attack type all right the reason we're using the cluster bomb attack type is because we are going to be using two values we are brute forcing against two values remember that okay and these need to be set in in combinations so that means it's much better to use a cluster bomb because essentially you're clustering two values that need to be uh that need to be tested against the login the login application or the login form together all right so in a combination so we need to select cluster bomb and now we need to select the values because those are the those are that is what we want to brute force again so just highlight the value uh it doesn't matter what the password or the username is just highlight it and you want to hit add all right so just hit add and as you can see we have selected that you know i'm going to the password and you want to highlight that as well and you just want to add that as you can see now once we have added that those are the two values we're going to be brute forcing against make sure that none of the others are selected none of the other values once that is done you you're almost there now now you want to go into your payloads all right now in your payloads you want to make sure that your payload set is set to 2 which is your username and your password so let's start off with your payload set as payload one all right as your payload uh type make sure that that is a simple list because you can see we're only targeting usernames and passwords so we don't need uh you know runtime file or we're not changing anything uh you know dependent on unicode etc you get the idea okay so simple list and now you go into your payload options which is where you select your user list or your password list or your word list now we are not using a word list but if you want to you can if you're performing this on a real site which i don't recommend unless you have written permission now since we're using this in our penetration testing lab we 
are going to just add the default usernames as i said the security of the site is low and it's not really a complex brute force to crack okay so what we want to do is we we want to make sure we have set payload set to one which is going to be for our usernames so now we can go into load where you can load your default usernames and your passwords or your word lists but by default we're going to add our own all right so we're going to say uh oops some we're just going to say uh we're going to type in and now like the commonly used usernames all right so something like admin uh administrator oops for some reason actually let me just remove these uh blank values there admin now administrator administrator let me just type that back in administrator uh like so administrator for those of you telling me that my typing is bad that's because my microphone is right in front of me and i can't really see what i'm typing administrator uh let's see what else what are the default ones like we have root um we have password uh actually we're not setting the passwords right now so we can just type in the default ones like this all right so we can say test you know the default ones user one whatever you think could be the most commonly used ones okay or if you know what the username is that is even better so we're gonna add all the usernames all right so we've added the usernames that we want to use now by default again i'm saying you can use a word list if you want to just going to load and select the word list now we want to select our passwords all right so we can go into the payload set too and as you can see now we can add our own values now we can use the default word lists that come with kali linux so if i go into my root and i'm going to usr share and we select word lists let me just find where word lists are if i can find them there we are word lists and the the ones that work great for me are in the metasploit folder and you can look for the default passwords as you can 
see you have your database default passwords you have your default uh user password for services that's also great it has a great list of of default usernames and passwords that you can use but for me i'm not going to use this because we are sticking to the basics now now you want to add your own password so we can select again some randomly you know commonly used passwords so pass you can say password let's see what else admin you know admin again oops let me just remove that one admin uh root you can use root uh let's see let me think one two three four five that's also one that i've seen many network administrators using one two three four five and you you get the idea all right so i've set our two payloads payload one is set for usernames payload payload2 is set for passwords excellent all right now uh we've selected our payload types we've selected we've added our payload options we don't need to look at payload processing that is advanced once that's done what you want to do is go into intruder and start the attack all right and now it's going to tell you that the community edition of burp contains a demo version but it's essentially telling you that the process is going to be slow all right so we're going to hit ok and it's going to start the attack as you can see it's going through all the combinations and as you can see the combinations that we have here are 25 and it's going to go through all of them now one great thing that you need to do here or one important thing that you need to do is you need to understand the uh these the status codes that the server or the web application is sending back now that's a good way of end of understanding um what password is correct and what uh what username is correct and what password is not correct okay so if we look now at the uh at the results as you can see that it's finished it's going through the brute force attack we checked the status the status is still the same we have a status of 200 if we look at the 
length all right the length is going to be still the same but you you have to look for things that are not uh that are not matching so for example you can see that the length here that was returned was 4948 and it's not it's not following the format of the others so that means that this could be the username and password don't worry about the status the status will still remain the same uh regardless of that but when we'll be looking at advanced server penetration testing that's something important so you can see that the get that we've got here is very important now if we look at the if we look at the response that will be sent uh right there you can see the the response and if we render it you can see that if it was successful it will tell us that we have logged in successfully so let me just browse down all the way as you can see welcome to the password protected area admin and there you go that is the username and the password it is admin and password now again this was really simple again you can you can increase the security if you're practicing on your own but you can see that this really works and this is how to utilize burp for advanced stuff like brute forcing now again most of the advanced websites nowadays have great content management systems that have the security plugins that essentially prevent you from brute forcing or lock you out but most of the older sites you'll be you'll be actually quite shocked to find out that uh their brute forces uh their login forms sorry are not protected now we have already logged in and you can see that the default username is admin and the password is password okay so you can look at the raw uh the raw http here you can look at the request and the response um you can look at them and you can inspect them if that's what you do and you can look at the headers what's being sent all that good stuff but that was going to be it for this video and now if we just go back into Burp uh let me just go into my proxy and i'm 
going to disable intercept and we can try and log in here so we know that the admin the username is admin and the password is password so let me log in and welcome to the password protected admin area fantastic we have performed our first brute force i hope uh you know you found value in this and we'll be moving along into more advanced and we'll be moving on that way all right so we're going to be following this format right here all right so that's going to be it for this video guys thank you so much for all the support more videos are coming out i'm really motivated to make even more videos and even better videos so thank you so much for the support if you found value in this video please leave a like down below if you have any questions or suggestions you can hit me up in the comment section on my social networks or on my website alright so thank you so much for watching this video and i'll be seeing you in the next video peace [Music] bye
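Seen from the server side, the run described in the captions above is 25 GET requests to the login form within seconds, all answered with status 200, one of them with a different response length. The following is an added example, not part of the video or the channel's material, that detects this pattern in an access log; the log path, the client addresses and the 4885-byte size are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

LOGIN_PATH = "/dvwa/vulnerabilities/brute/"  # assumed path of the lab login form
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" (\d{3}) (\d+)')

def sample_log():
    """Constructed access log: 25 guesses from one client, one login from another."""
    users = ["admin", "administrator", "root", "test", "user1"]
    words = ["pass", "password", "admin", "root", "12345"]
    start = datetime(2018, 3, 19, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path}?username={u}&password={p}&Login=Login HTTP/1.1" 200 {size}'
    rows = [("192.168.1.50", u, p) for u in users for p in words]
    rows.append(("192.168.1.77", "alice", "x"))
    lines = []
    for i, (ip, u, p) in enumerate(rows):
        size = 4948 if (u, p) == ("admin", "password") else 4885  # 4885 is made up
        ts = (start + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip=ip, ts=ts, path=LOGIN_PATH, u=u, p=p, size=size))
    return "\n".join(lines)

def detect_bruteforce(log_text, window=timedelta(seconds=60), min_pairs=5):
    """Flag clients that try many distinct credential pairs inside one window."""
    attempts = defaultdict(list)  # client ip -> [(time, (user, password), size)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, target, _status, size = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query)
        if url.path != LOGIN_PATH or not query.keys() >= {"username", "password"}:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        pair = (query["username"][0], query["password"][0])
        attempts[ip].append((when, pair, int(size)))
    findings = {}
    for ip, rows in attempts.items():
        rows.sort(key=lambda r: r[0])
        start, peak = 0, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            peak = max(peak, len({r[1] for r in rows[start:end + 1]}))
        if peak < min_pairs:
            continue
        # Every reply is 200, so a guess that worked only shows as an odd body size.
        usual = Counter(r[2] for r in rows).most_common(1)[0][0]
        findings[ip] = {"distinct_pairs": peak,
                        "odd_length_users": sorted({r[1][0] for r in rows if r[2] != usual})}
    return findings

if __name__ == "__main__":
    print(detect_bruteforce(sample_log()))
```

Because this form submits credentials in the query string, the access log itself contains every guessed password and should be access-controlled accordingly.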
Info
Channel: HackerSploit
Views: 121,479
Keywords: hackersploit, burp suite tutorials, kali linux, bug bounty, bug bounty hunting, bug bounty for beginners, burp suite, web penetration testing tools, web penetration testing with kali linux, web penetration testing course, web penetration testing tutorial, web penetration testing using kali linux, web penetration testing with kali linux tutorial, web penetration testing lab, web app penetration testing, burp suite hacking, burp suite basics, hacking
Id: cL9NsXpUqYI
Length: 15min 9sec (909 seconds)
Published: Mon Mar 19 2018