Welcome back, my aspiring cyber warriors!
In this series, we are exploring the myriad of ways to hack web applications. As you know, web applications are those apps that run the websites of everything from your next door neighbor’s website, to the all-powerful financial institutions that run the world. Each of these applications is vulnerable to attack, but not all in the same way.
Burp Suite, by Port Swigger, is a versatile and powerful tool for web app pentesting. Besides web form authentication testing, it can also be used to test for session ID randomization, injection attacks, fuzzing and numerous other attacks. We will attempt to examine each of these BurpSuite functions in this series.
Here we will be using the Damn Vulnerable Web Application (DVWA) on our Metasploitable OS or the OWASP Broken Web App VM.
Please note that password attacks will not work against all web forms. Often, the web application will lock you out after a number of failed attempts. Also, this attack is dependent upon having a good password list, as the application goes through every possible password looking for a match (with the exception of brute force password cracking which is very time- and resource-consuming). With that caveat having been said, password cracking web forms is a good place to start in hacking web authentication. Of course, we will look at other forms of breaking authentication in subsequent tutorials.
We will be using the free version of Burp Suite that is built into Kali. If you are not using Kali, you can download it here. This free version has some limited capabilities that work well for learning or in a lab, but for real world hacking, you will probably want to buy the Pro version ($399). In addition, make certain that your system is equipped with the JDK 11 or later. BurpSuite is a Java application and requires this version of the JDK to work properly.
Step 1: Fire Up Kali and DVWA
Let’ start by firing up Kali and starting DVWA on another system or VM. Next, start Burp Suite. You will first be greeted by a screen like below. You can only create a “Temporary Project” in the Community Edition. Click Next.
Next, select “Use Burp Defaults” and Click “Start Burp“.
We then need to click on the Proxy tab…
…and enable the Intercept. This is the way that BurpSuite is capable of intercepting traffic to and from a server.
Step 2: Open a Web Browser
Now open your browser and set it up to use your proxy. In Mozilla’s Firefox, go to Preferences ->Network Connections. There you will find the window like that below. Set it up to proxy your browser requests on 127.0.0.1 on port 8080.
Make certain to click OK in order for the browser to save your new settings.
Step #3: Use you browser to navigate to the DVWA.
Once your target system is up and running, let’s open your browser and navigate to the IP address of the Metasploitable system or the OWASP Broken Web Apps VM. On either system, navigate to the Damn Vulnerable Web App (DVWA).
When you get there, select DVWA, which will open a login screen like that below.
Here I have entered my username, OTW, and my password, HackersArise. You do not need to enter the correct credentials.
Step 4: Intercept the Login Request
Before sending the login credentials, make certain that the Burp Suite Proxy intercept is turned on and the proxy setting are set in your browser. Then, when you send the request, the proxy will catch the request like in the screenshot below.
Notice that my username and password are in the last line of the login request.
Step 5: Send the Request to Burp Suite Intruder
Next, we need to send this request to the Burp Suite Intruder. Right click on this screen and select “Send to Intruder” as seen below.
This will open the BurpSuite Intruder. In the very first screen Intruder will display the the IP address of the target. It has gathered this information from the intercepted request. If it is wrong, change it here. Also note that it assumes you are using port 80. Once again, if you’re attempting authentication on another port or service, change it here, but BurpSuite usually gets it right.
Next, click on the “Positions” tab. It will highlight the fields that it believes it needs to use in cracking this authentication form.
Since we want to set the positions manually, click the “Clear” button to the far right.
In this attempt, we will be trying to crack OTW’s password. This assumes we know the user’s username and only need the password (to acquire usernames from WordPress sites, wpscan is excellent for extracting usernames).
Here we will highlight the one field you want to attempt to crack, namely the password and click on the Add button to the right
Step 6: Set Attack Type
Now, we need to set the attack type. There are four types of attacks in BurpSuite Intruder:
1. Sniper
Single set of payloads. It targets each payload and places each payload into each position.
2. Cluster Bomb
Multiple payload sets. There are different payload sets for each position.
3. Pitch Fork
Multiple payload sets. There are different payload sets for each position. It iterates through each payload set simultaneously.
4. Battering Ram
Single set of payloads. It uses a single payload set and runs it through each position.
For a more detailed explanation of the differences in these payloads, see the Burp Suite documentation.
The BurpSuite Intruder defaults to “Sniper“, so let’s leave it as Sniper for this attack.
Step 6: Set the Payloads
Now, we need to set the payload we designated. These are the fields that Intruder will be attacking. Select Payload Set #1 and enter some common passwords that nearly every system has such as “admin,” “guest,” “systemadmin,” “sys,” “root”, “password”, etc.
In addition, let’s select the top10000_passwords.txt from Hackers-Arise (www.hackers-arise/password-lists). These are the 10,000 most common passwords from dark web dumps over the last couple years. It’s always a good idea to use common passwords on your first attempt to crack passwords in these forms.
Next, we need to click on the “Start Attack” button in the upper right corner.
This will start BurpSuite to attempt to login into your DVWA iterating through each password on your list. Note in the screenshot above that both the status (302) and the length (558) are identical for each attempt. What we are looking for is an attempt where the status and length are different than the others that would indicate a successful login.
Step #7: Cluster Bomb Technique
In this technique, we will assume that both the username or the password are unknown to us. We will need to use two payloads; one the username, and one the password. We will Add both the username field and the password field as payloads. We will also set the attack type to “Cluster Bomb“.
With this type of attack, BurpSuite will try a variety of combinations of your list in both the username and password field. This is a more complex and time-consuming attack, but necessary, if you don’t know the username.
Next, let’s click on the Payloads tab. Select Payload set 2 and from the Payload type pulldown window, select Character Substitution.
With Character Substitution selected, BurpSuite will “munge” your password list, replacing typical letter/number substitutions (users are taught to change letters into numbers to prevent dictionary attacks). As you can see below, the default character substitution is; a=4 b=8, e=3 and so on. This is the typical substitution that users employ and should work in most cases, but you can customize or add other letter substitutions here.
Now, add your password list just like the previous attack by clicking on the Load button to the left of the Items window. Note that instead of just 10,000 requests as in the previous attempt, now our attempts have grown to over 2 billion! This is because each word will be attempted as a username and then each word will be attempted as a password. In addition, this method will create additional passwords and usernames by using the character substitution we enabled above.
In the final step, click “Start Attack“. Since we will be attempting 2 billion username and password combinations, this will be a tedious and time-consuming task. Here is where the unthrottled BurpSuite Pro proves its value!
As you can see above, BurpSuite attempts each word in our list as a username and then tries every word in our list as a password.
Like in the attack above, we are looking for anomalies in the status and length fields. These will often indicate a Successful Login.
Step 8: Reading the Results
Here it’s important to note a few things. First, the status column. Note that all the requests in the screenshot are “302” or “found”. Also, note that the length of the responses are all uniform (558).
That uniform length message would be the uniform bad request response. When a response is of a different length and a different code (200), it will warrant further investigation, as it is likely to have the correct username and password. You can find these anomalies by clicking on Status header or the Length header and sort the results by these two fields, rather than manually searching through all 2 billion responses.
Summary
The BurpSuite is an excellent and versatile tool that every web app pentester/hacker should be conversant in. Here, we used it to crack web app logins using the simple and quick sniper attack against a known username and unknown password and then the more time-consuming cluster bomb attack with character substitution against a unknown username and password combination.
In future tutorials, we will use BurpSuite for additional web app pentesting/hacking, so keep coming back my aspiring cyber warriors!