Username enumeration via different responses

This lab is vulnerable to username enumeration and password brute-force attacks.

The target site has an account with a predictable username and password, which can be found in the following wordlists:

To solve the lab, enumerate a valid username, brute-force this user's password, then access their account page.

Enumeration

Home Page

Login Page

Upon inspection of the login page, we can see that the site returns a detailed error message about the entered information.

Exploitation

Username Enumeration

Set up Burp to intercept requests.

Make a login request with random credentials and intercept it with Burp.

In the response to that request, we can see that the site returns "Invalid Username".

Right-click on the POST request and send it to the Intruder tab.

Head over to the Intruder tab and clear all payload position markers.

Mark only the username field.

Head over to the Payloads tab under Intruder, make sure the following options are set, and paste the username list as the payload for enumeration.

Payload set: 1
Payload type: Simple List

Once done, hit Start attack (ignore the warning, if any).

Once the attack is complete, sort the requests by Length. One of the requests should have a longer response than the rest, as shown below.

Upon further inspection of that request, we can see a different error message, shown below. This confirms that the username is indeed application.

Incorrect password

Password Enumeration

Now repeat the process, but this time mark the password field as the payload position, use the password list, and keep the username constant.

Right-click on the POST request and send it to the Intruder tab.

Set up the payload positions as shown below.

Paste the password list in place of the username list.

Start the attack.

Once the attack is complete, sort the requests by Length. One of the requests should have a longer response than the rest, as shown below. Its 302 status code indicates a redirect, and the Location header in the response confirms that we have indeed found the right password (soccer).

Logging in with the found credentials completes the lab.

application:soccer
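The whole attack works because the login handler answers "Invalid username" and "Incorrect password" with different bodies, so an attacker sorting Intruder results by Length can tell a valid username from an invalid one before knowing any password. The following Python example is added here for illustration and is not code from the write-up or from the lab itself: it models a vulnerable handler that behaves like the lab beside a hardened one that returns a single generic failure message, always performs the password-hash computation (so a missing user costs the same time as a wrong password), and compares hashes in constant time. The user store, salt, status codes for failures, and the `/my-account` redirect target are constructed assumptions; only the credentials, the two error strings, and the 302 redirect come from the page.

```python
"""Toy login handlers: the 'different responses' defect next to its fix (added example)."""
import hashlib
import hmac
from typing import Callable, Dict, Tuple

# Response modelled as (status, headers, body), which is what Intruder shows per request.
Response = Tuple[int, Dict[str, str], str]
Handler = Callable[[str, str], Response]

_ITERATIONS = 50_000               # lowered from a production value to keep the example quick
_SALT = b"constructed-fixed-salt"  # fixed salt so the example is deterministic (constructed)


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the same cost is paid whether or not the user exists."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store: username -> (salt, stored hash). Credentials are the lab's.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "application": (_SALT, _hash_password("soccer", _SALT)),
}

# Dummy record used when the username is unknown, so the hardened path still runs PBKDF2
# and the timing does not reveal whether the account exists (assumed mitigation).
_DUMMY_RECORD = (_SALT, _hash_password("dummy-never-matches", _SALT))


def login_vulnerable(username: str, password: str) -> Response:
    """Mirrors the lab: one message for an unknown user, a different one for a bad password."""
    record = USERS.get(username)
    if record is None:
        return 200, {}, "<p class=is-warning>Invalid username</p>"
    salt, stored = record
    if _hash_password(password, salt) != stored:  # early return, plain (non-constant-time) compare
        return 200, {}, "<p class=is-warning>Incorrect password</p>"
    return 302, {"Location": "/my-account"}, ""


def login_hardened(username: str, password: str) -> Response:
    """Generic message for every failure; hash computed on every path; constant-time compare."""
    exists = username in USERS
    salt, stored = USERS[username] if exists else _DUMMY_RECORD
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    if exists and matched:
        return 302, {"Location": "/my-account"}, ""
    # Same status, same body, same length regardless of which field was wrong.
    return 200, {}, "<p class=is-warning>Invalid username or password</p>"


def response_fingerprint(resp: Response) -> Tuple[int, int]:
    """What an attacker sorting Intruder results by Status or Length actually observes."""
    status, _headers, body = resp
    return status, len(body)


def distinguishable(handler: Handler, unknown_user: str, known_user: str, wrong_pw: str) -> bool:
    """True if the handler's failure responses reveal which username is valid."""
    return (response_fingerprint(handler(unknown_user, wrong_pw))
            != response_fingerprint(handler(known_user, wrong_pw)))


if __name__ == "__main__":
    # 'nosuchuser' is a constructed invalid username; 'application' is the lab's valid one.
    for name, handler in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        leak = distinguishable(handler, "nosuchuser", "application", "wrongpassword")
        print(f"{name}: username enumerable via response differences = {leak}")
    print("hardened login with correct credentials ->", login_hardened("application", "soccer")[0])
```

The defensive point is that both failure branches must be indistinguishable in status, body length, headers and timing; a generic message alone is not enough if the unknown-user branch skips the hash computation. Brute-force of the password still needs separate controls (per-account and per-source rate limiting), which this example does not include.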
