Username enumeration via subtly different responses

This lab is subtly vulnerable to username enumeration and password brute-force attacks.


Last updated 3 years ago


Exploitation

Username Enumeration

Submit an incorrect set of credentials to the login page and capture the POST request with Burp. Then send the request to Intruder.

The only response we get after an incorrect attempt is "Invalid username or password." Let's look for that string while brute-forcing usernames first. Under the Positions tab, mark the username field.

Under Payloads, paste the given username list.

Under Options, head to the Grep - Extract tab and hit Add.

Highlight the phrase "Invalid username or password." This tells Intruder to extract that string from every response, so any deviation stands out in the results and may reveal a valid username.

Once the attack completes, sorting the results by the Grep - Extract column reveals one request whose response differs slightly from the rest, as shown below.

The response to request number 56 is missing the trailing full stop that every other response has. We can assume this difference was placed deliberately by the challenge developer, so we take that request's payload as the username.

Username = alpha

Password Enumeration

With the username found, we can now replace the username in the request with the correct one and mark the password field for brute force under the positions tab.

Then head to the payloads tab, paste the given password list and start the attack!

Once the attack is completed, sorting the requests by status code reveals one request that returned 302 instead of 200. A redirect in place of the re-rendered login page is the usual sign of a successful login.

From this we can infer that the password is dragon.

username = alpha
password = dragon

Logging in with those credentials completed the lab!
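The lab works because the application's failure message differs by a single character depending on whether the username exists. The following is an added example, not part of this write-up or of the PortSwigger lab code: a minimal login handler written first with that flaw and then hardened to a single failure path, together with the uniformity check a developer or tester can run over a username list to confirm that every failed login produces a byte-identical response (the same deviation Burp's Grep - Extract surfaced above, but checked automatically before release). All usernames, passwords, messages and the user store are constructed sample data.

```python
"""Subtle-difference username enumeration: vulnerable vs hardened login.

Added example, not the lab's own code. Everything below (user store,
salt, passwords, messages) is constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample user store: username -> PBKDF2 hash of the password.
_SALT = b"constructed-static-salt"          # a real app uses a per-user random salt


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS = {"alice": _hash("correct horse"), "bob": _hash("hunter2")}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def login_vulnerable(username: str, password: str) -> Response:
    """Mirrors the lab: the failure message loses its full stop when the
    username exists, which is enough to enumerate accounts."""
    if username not in USERS:
        return Response(200, "Invalid username or password.")
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return Response(200, "Invalid username or password")   # no trailing '.'
    return Response(302, "")


# One fixed failure response, shared by both failure causes.
FAIL = Response(200, "Invalid username or password.")


def login_hardened(username: str, password: str) -> Response:
    """Single failure path: an unknown user and a wrong password return the
    identical status and body. The password hash is computed on every
    request so the two failure causes also do similar work."""
    stored = USERS.get(username)
    candidate = _hash(password)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return FAIL
    return Response(302, "")


def failure_variants(handler, usernames, wrong_password="definitely-wrong"):
    """Group usernames by the exact failure response they produce.

    A correct handler yields exactly one group. More than one group means
    the response leaks whether a username exists, and the smaller group
    is the set of usernames an attacker would learn are valid."""
    groups: dict[tuple[int, str], list[str]] = {}
    for name in usernames:
        resp = handler(name, wrong_password)
        groups.setdefault((resp.status, resp.body), []).append(name)
    return groups


def leaks_username(handler, usernames) -> bool:
    """True if failed logins are not uniform across the given usernames."""
    return len(failure_variants(handler, usernames)) > 1


if __name__ == "__main__":
    sample = ["alice", "carol", "bob", "dave"]   # constructed: two exist, two do not
    for label, handler in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(label, "leaks usernames:", leaks_username(handler, sample))
        for key, names in failure_variants(handler, sample).items():
            print("   ", key, "->", names)
```

The check deliberately compares the whole `(status, body)` pair rather than searching for a substring, because the lab's difference is one trailing character that a "does the message appear?" check would miss. A 302 is only ever returned for a correct password, matching the status-code sort used to spot the successful login above.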

✅