In the last installment we planned the vertical password guessing attack and optimized our wordlist. Now let's get our hands dirty! Attackers utilize a variety of tools to automate password guessing attacks, including Hydra, Nmap in conjunction with the http-form-brute script, and homegrown scripts. However, for the purposes of this exercise we'll use Burp Suite Pro, the Swiss Army Knife of web application penetration testing. We'll leverage Burp Intruder functionality to launch the password guessing attack. Note that Burp Intruder functionality is only available within the commercial Burp Suite Pro, not the free Burp Suite. However, at only $299 per user per year, Burp Suite Pro is an outstanding value.
Let's get this party started! For the purposes of this exercise we'll examine the Symantec Connect login page at https://symaccount.symantec.com/SymAccount/index.jsp. Once your browser is configured to use Burp as a proxy (you can disable intercept functionality), submit the login form and identify the login request within Burp by navigating to the "Proxy" tab and then selecting the "History" subtab:
Right click on the applicable login request and select "Send to Intruder" (or just hit Ctrl-I). Now navigate to the "Intruder" tab and select the "Positions" subtab:
Click the "Clear §" button in order to clear the automatically selected payload positions. I know what you're thinking. Seeing that § symbol makes you want to blast some righteous TheArtistFormerlyKnownAsPrinceThatIsNowOnceAgainKnownAsPrince tunes on your stereo. Well let's don our Raspberry Berets and Party Like It's 1999! Wait a second, then we might be browsing with Netscape Navigator or Lynx. In any case, change the username parameter to your target username, then highlight the value of the password parameter and click the "Add §" button in order to set the payload position:
Now select the "Payloads" subtab and click the "Load..." button within the "Payload Options (Simple List)" section. Select your optimized wordlist and click the "Open" button. Your wordlist will be displayed:
In this case I added the "correctPassword" entry to the wordlist. And no, my Symantec Connect password is not really "correctPassword". Finally navigate to the "Intruder" menu and select "Start Attack". Burp will launch another window to display the results of the password guessing attack:
You can identify successfully guessed passwords several ways:
- Response Code – Depending on the application, the HTTP response code can often be utilized to differentiate successful versus unsuccessful login attempts. Click on the "Status" column header within Burp Intruder in order to sort by the response code. In this case the Symantec Connect authentication page returns a 302 Moved Temporarily response for successful login attempts but a 200 OK response for unsuccessful login attempts. As an aside, web applications should always return a 302 Moved Temporarily redirect upon successful login. If the web application returns a 200 OK response, the web browser will store the authentication credentials, enabling attackers with subsequent browser access to masquerade as the victim by clicking the Back button until the browser resubmits the authentication credentials to the server.
- Response Length – Depending on the application, the response length can usually be utilized to differentiate successful versus unsuccessful login attempts. Click on the "Length" column header within Burp Intruder in order to sort by the response length. In this case the Symantec Connect login page returns a 1,046 byte response for successful login attempts but a 10,691 byte response for unsuccessful login attempts. Incidentally, the Symantec Connect login page returns a 6,228 byte response for the fourth and all subsequent login attempts. Can you guess why? If you said "that would be account lockout, Alex" you are correct. Unfortunately you did not phrase your answer in the form of a question. In any case, be sure to check for account lockout as discussed in the last installment.
- Response Body – Depending on the application, the response body can almost always be utilized to differentiate successful versus unsuccessful login attempts. In this case the Symantec Connect login page returns "302 Moved Temporarily" within the response body, indicating the redirect and successful login. Applications that do not implement a redirect typically include a telltale welcome message, application menu, or homepage content. Click the "Filter" box and enter that distinguishing string in order to search response bodies within Burp Intruder.
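The same three signals that expose a successful guess in Intruder also expose the attack in the server's own logs. As an added example (not code from the original post), the script below runs over constructed Combined Log Format lines for the login endpoint, classifies each POST by status and response length the way the list above does, and flags a client that racks up failures, gets served the lockout page, or receives a 302 only after earlier failures. The sample lines, the threshold, and the assumption that the access log records response size are mine; the POSTed username never reaches the access log, so grouping is by client IP and login path.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Combined Log Format); not a real capture.
# Status/size mirror the page: 200/10691 = failed login, 302/1046 = success
# redirect, 200/6228 = account-lockout page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2013:13:55:36 -0700] "POST /SymAccount/index.jsp HTTP/1.1" 200 10691
203.0.113.5 - - [10/Oct/2013:13:55:37 -0700] "POST /SymAccount/index.jsp HTTP/1.1" 200 10691
203.0.113.5 - - [10/Oct/2013:13:55:38 -0700] "POST /SymAccount/index.jsp HTTP/1.1" 302 1046
198.51.100.7 - - [10/Oct/2013:13:56:00 -0700] "POST /SymAccount/index.jsp HTTP/1.1" 302 1046
203.0.113.9 - - [10/Oct/2013:13:57:00 -0700] "POST /SymAccount/index.jsp HTTP/1.1" 200 10691
203.0.113.9 - - [10/Oct/2013:13:57:01 -0700] "POST /SymAccount/index.jsp HTTP/1.1" 200 6228
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) '
                    r'[^"]*" (?P<status>\d{3}) (?P<size>\d+)$')
LOGIN_PATH = "/SymAccount/index.jsp"   # login endpoint from the page
LOCKOUT_SIZE = 6228                    # lockout response length from the page

def classify(status, size):
    """Map one login response to success / lockout / failure, as Intruder sorts them."""
    if status == 302:
        return "success"
    if status == 200 and size == LOCKOUT_SIZE:
        return "lockout"
    return "failure"

def analyze(log_text):
    """Per client IP: failed login POSTs, lockout served, and 302 after failures."""
    stats = defaultdict(lambda: {"failures": 0, "lockout": False, "success_after_failures": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != LOGIN_PATH:
            continue
        s, outcome = stats[m["ip"]], classify(int(m["status"]), int(m["size"]))
        if outcome == "failure":
            s["failures"] += 1
        elif outcome == "lockout":
            s["lockout"] = True
        elif s["failures"] > 0:          # success preceded by failures from same IP
            s["success_after_failures"] = True
    return dict(stats)

def flag_guessing(log_text, fail_threshold=2):
    """IPs worth alerting on: repeated failures, a lockout, or a success after failures."""
    return {ip: s for ip, s in analyze(log_text).items()
            if s["failures"] >= fail_threshold or s["lockout"] or s["success_after_failures"]}
```

A single 302 with no preceding failures (198.51.100.7 above) is a normal login and is left alone; the response lengths are site-specific and need re-baselining whenever the login page changes.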
Abracadabra! Together with Mary Poppins we have successfully launched a vertical password guessing attack! That saucy umbrella toting vixen was right, a spoon full of sugar helps the passwords go down, the passwords go down, the passwords go down!