
Module 08: Web Application Penetration Testing Methodology 6

Written By AKADEMY on Thursday, July 4, 2019 | 10:11 PM

Exercise 6: Performing Dictionary Attack on a WordPress Web Application using Burp Suite

Scenario

Using weak username/password combinations to log in to web applications might allow attackers to brute-force them and gain access to them. This leads to unrestricted access to user accounts and manipulation of data in those accounts.
As a penetration tester, you should be able to identify weak username-password combinations in web applications.
In this lab, you are going to learn how to perform a dictionary attack on a WordPress web application using Burp Suite.
Lab Duration: 30 Minutes
  1. Click Kali Linux (External Network).
    If the Kali Linux lock screen appears, click on the screen and press Enter. If it does not appear, skip to the next task.
    Screenshot
  2. Type root in the Username field and click Next.
    Screenshot
  3. Type toor in the Password field and click Sign In.
    Screenshot
  4. Kali Linux Desktop appears. In this lab, we will target a web application with the URL http://172.19.19.8/wordpress.
    So, launch a web browser, type the URL http://172.19.19.8/wordpress and press Enter.
    WordPress index page appears as shown in the screenshot.
    Screenshot
  5. In this lab, we will be launching a dictionary attack on the website to see if there are any weak username/password combinations.
    Here, we will enter random user credentials on the login page, capture the login request and use it in Burp Suite to perform a dictionary attack on the website.
    Type the URL http://172.19.19.8/wordpress/wp-login.php in the address bar and press Enter. This displays the WordPress login page.
    Screenshot
  6. Open Firefox menu and select Preferences.
    Screenshot
  7. Preferences window appears, click Advanced in the left pane.
    Screenshot
  8. In the Advanced window, click Network tab and then, click Settings.
    Screenshot
  9. Connection Settings window appears, click Manual proxy configuration radio button.
    Enter the IP address 127.0.0.1 in the HTTP Proxy field, specify the port number 8080 in the Port field, check the Use this proxy server for all protocols option and click OK.
    Screenshot
  10. Advanced Settings window appears after configuring the proxy settings.
    Now, minimize the web browser.
    Screenshot
  11. Kali Linux Desktop appears, click Burp Suite icon in the Dash Dock to launch the application.
    Screenshot
  12. Burp Suite Free Edition window appears, displaying the License Agreement. Click I Accept button to accept the license agreement.
    Screenshot
  13. Burp Suite projects window appears with Temporary project radio button selected by default. Click Next to proceed with the Temporary Project.
    Screenshot
  14. Burp Suite project configuration window appears, click Use Burp defaults radio button, since we will be using the default project configuration to run the application.
    Click Start Burp to start the application.
    Screenshot
  15. Burp Suite main window appears, click Proxy tab.
    Screenshot
  16. The Burp Suite Proxy window appears, displaying the Intercept section. Ensure that the Intercept is on button is activated.
    Screenshot
  17. Now, maximize the web browser and switch to the WordPress login page.
    We do not know a valid password, so type arbitrary credentials and click Log In.
    The username and password used in this lab are test and guess.
    Screenshot
  18. Switch to Burp Suite. You will observe that the application has intercepted the login request.
    We will substitute a set of usernames and passwords into the username and password fields of this request.
    To do so, right-click on the request and click the Send to Intruder option from the context menu.
    Screenshot
  19. Click on Intruder tab.
    Burp Suite Intruder window appears, click Positions tab.
    Screenshot
  20. Burp Suite sets target positions by default. Click the Clear § button on the right side of the Payload Positions section to clear the payload positions.
    Screenshot
  21. Once you clear the payload positions, select Cluster bomb from the Attack type drop-down list.
    Screenshot
  22. Now, we will be setting the username and password as the payload positions.
    To set the username you entered in step 17, highlight test and click Add §.
    Screenshot
  23. To set the password you entered in step 17, highlight guess and click Add §.
    Screenshot
  24. You will now observe that the username and password positions are set.
    To set the payloads, click the Payloads tab.
    Screenshot
  25. The Payloads section appears with Payload set 1 selected. Click the Load … button in the Payload Options [Simple list] section.
    Screenshot
  26. A pop-up appears displaying the file structure. Navigate to /root/Wordlists in the Look In field, select Usernames.txt and click Open.
    Screenshot
  27. You will observe that the usernames inside the text file are loaded in the Payload Options [Simple list] section as shown in the screenshot:
    Screenshot
  28. Now, under the Payload Sets section, select 2 from the Payload set drop-down list.
    Click Load … button in the Payload Options [Simple list] section.
    Screenshot
  29. A pop-up appears displaying the file structure. Navigate to /root/Wordlists in the Look In field, select Passwords.txt and click Open.
    Screenshot
  30. You will observe that the passwords inside the text file are loaded in the Payload Options [Simple list] section as shown in the screenshot.
    Now, click Start attack button.
    Screenshot
  31. Burp Intruder pop-up appears, click OK.
    Screenshot
  32. Intruder attack 1 window appears, displaying the various username-password combinations along with the Length of the response and Status.
    Wait for 2-3 minutes for Burp Suite to try various username-password combinations.
    Screenshot
  33. Burp Suite tries all the username-password combinations and records the response to each request sent to the WordPress website.
    The response length stays almost the same for every request with a wrong username-password combination, since the site answers each failure with the same login page. When Burp Suite tries the correct combination, the response length differs markedly from the others and the status code changes as well.
    Click Length in the Filter section to sort the responses by length in ascending order.
    Screenshot
  34. Upon clicking Length in the Filter section, Burp Suite sorts the responses by length in ascending order. The length and status of the response for the username-password combination mike - prince differ from those of the other responses, which indicates that it is a valid combination.
    Screenshot
  35. Close the Intruder Attack window.
    If a Warning pop-up appears, click OK.
    Screenshot
  36. Go to Burp menu and click Exit to close the application.
    Confirm pop-up appears, click Yes.
    Screenshot
  37. Now, open the Firefox web browser and switch to the Preferences window.
    Go to Proxy Connection Settings, select the Use system proxy settings radio button and click OK.
    Screenshot
  38. Switch to the WordPress login page, type mike/prince in the username and password fields and click Log In.
    Screenshot
  39. You have successfully logged into the WordPress website, meaning that the dictionary attack using Burp Suite was successful.
    Screenshot
  40. In the next lab exercise, we shall upload a shell into the web application to gain unrestricted access to the machine hosting the website.
In this lab, you have learned how to perform a dictionary attack on a WordPress web application using Burp Suite.
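The response-length and status difference the lab relies on in steps 33 and 34 is the same signal a defender sees in the web server's access log. As an added example that is not part of the original lab, the Python below flags a password-guessing burst against wp-login.php from constructed Apache-style log lines; it assumes WordPress's default behaviour of answering a failed login with a re-rendered form (HTTP 200) and a successful one with a redirect (HTTP 302), and the IP addresses and sizes in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log line; the timestamp layout is fixed for this parser.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    return d

def detect_login_bursts(lines, login_path="/wordpress/wp-login.php", threshold=5, window_s=60):
    """Return {ip: verdict}. A failed WordPress login re-renders the form (200, near-constant
    size); a successful one redirects (302). threshold+ failures from one IP inside window_s
    seconds is a guessing burst; a 302 from that IP after the burst began suggests a hit."""
    events = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"].startswith(login_path):
            events[e["ip"]].append((e["ts"], e["status"]))
    verdicts = {}
    for ip, evs in events.items():
        evs.sort()
        failures = [t for t, s in evs if s == 200]
        burst, j = 0, 0
        for i, t in enumerate(failures):  # largest number of failures inside any window
            while (t - failures[j]).total_seconds() > window_s:
                j += 1
            burst = max(burst, i - j + 1)
        if burst < threshold:
            continue
        hit = any(s == 302 and t >= failures[0] for t, s in evs)
        verdicts[ip] = "likely_compromised" if hit else "brute_force"
    return verdicts

SAMPLE_LOG = [  # constructed sample lines, not taken from the original lab
    f'10.0.0.5 - - [04/Jul/2019:22:11:{i:02d} +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3610 "-" "x"'
    for i in range(0, 18, 3)  # six failed guesses, three seconds apart
] + [
    '10.0.0.5 - - [04/Jul/2019:22:11:20 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "x"',
    '10.0.0.9 - - [04/Jul/2019:22:12:00 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3612 "-" "x"',
]
```

A single mistyped password from 10.0.0.9 stays below the threshold, while the burst from 10.0.0.5 followed by a 302 is reported as likely_compromised, which is the cue to reset that account and rate-limit or lock out repeated failures on wp-login.php.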