Username enumeration via response timing

This lab is vulnerable to username enumeration using its response times.

Exploitation

Username Enumeration

Intercepting a login request with invalid credentials, we are able to see that the server takes some time to get back to us. After a certain number of requests, the server returns You have made too many incorrect login attempts. Please try again in 30 minute(s). (as shown below) This indicates that the server has some soft of Web Application Firewall inplace to mitigate against brute force attacks.

There are usually 4 possible HTTP headers that can aid in bypassing an IP filter.

X-Forwarded-For
X-Originating-IP
X-Remote-IP
X-Remote-Addr

Adding X-Forwarded-For and giving it a random value bypasses the WAF as shown below. We are able to get a response. However, we would have to keep iterating the value of this field to keep bypassing and conduct a brute force attack.

Additionally, I noticed that the server takes longer to respond to a request containing the right username and a long wrong password. However, the server instantly responds to a request containing the wrong username and a long wrong password.

This implies that the server checks the username then the password. We can abuse this and perform username enumeration by sending requests with long passwords accompanied by our username list. If the username is wrong, we would get a quick response. Else, we would get a slow response confirming our username. Pretty cool ngl!

Now that we have an understanding of what goes on in the background, we can now move on to enumerating the usernames. Send the request to Intruder, mark the X-Forwarded-For & username field, modify the password to be any long value and switch the attack type to Pitch Fork as shown below.

Under the payloads tab, select payload set 1 and set the type to number. We will be using this payload type to randomize/iterate our X-Forwarded-For field. Under payload options, set the following.

Type = Sequential
From = 10
To = 100
Base = Decimal
Max Fraction Digits = 0

Next select the 2nd payload set and paste the username list for brute force. Once done, hit start attack and wait for the attack to complete.

Meanwhile, enable the Response received and the Response completed column on the attack window for further analysis later on.

Once sorted by Response Received, as suspected there is a request which yielded a slow response time from the server. The username appears to be applications as shown below.

username = applications

Password Enumeration

Now that we have the username, we can remove the "long password" technique and rerun the brute force attack with just the X-Forwarded-For increment to bypass the WAF.

Decrease the password length and mark its field instead of the username field.

Replace the list under payload set 2 with the password list and hit start attack.

Once the attack is completed, we are able to see one request with a status code 302 which signifies a redirect after a successful login 😉

We are able to infer the password from this response. password = monitor

Username = applications
Password = monitor

Logging in with these credentials solves the lab!

✅

PreviousUsername enumeration via subtly different responses NextAdvent of Cyber 3 (2021)

Last updated 2 years ago