Powered by Blogger.
Home » » Module 08: Web Application Penetration Testing Methodology 6

Module 08: Web Application Penetration Testing Methodology 6

Written By AKADEMY on Thursday, July 4, 2019 | 10:11 PM

Exercise 6: Performing Dictionary Attack on a WordPress Web Application using Burp Suite

Scenario

Using weak username/password combinations to log in to web applications might allow attackers to brute-force them and gain access to them. This leads to unrestricted access to user accounts and manipulation of data in those accounts.
As a penetration tester, you should be able to identify weak username-password combinations in web applications.
In this lab, you are going to learn how to perform a dictionary attack on WordPress web application using Burp Suite.
Lab Duration30 Minutes
  1. Click Kali Linux (External Network).
    If Kali Linux lock screen appears, click on the screen and press Enter. If it does not appear, skip to the next task.
    Screenshot
  2. Type root in the Username field and click Next.
    Screenshot
  3. Type toor in the Password field and click Sign In.
    Screenshot
  4. Kali Linux Desktop appears. In this lab, we will target a web application with the URL http://172.19.19.8/wordpress.
    So, launch a web browser, type the URL http://172.19.19.8/wordpress and press Enter.
    WordPress index page appears as shown in the screenshot.
    Screenshot
  5. In this lab, we will be launching a dictionary attack on the website to see if there are any weak username/password combinations.
    Here, we will enter random user credentials on the login page, capture the login request and use it in Burp Suite to perform a dictionary attack on the website.
    Type the URL http://172.19.19.8/wordpress/wp-login.php in the address bar and press Enter. This displays the WordPress login page.
    Screenshot
  6. Open Firefox menu and select Preferences.
    Screenshot
  7. Preferences window appears, click Advanced in the left pane.
    Screenshot
  8. In the Advanced window, click Network tab and then, click Settings.
    Screenshot
  9. Connection Settings window appears, click Manual proxy configuration radio button.
    Enter the IP address 127.0.0.1 in the HTTP Proxyfield, specify the port number 8080 in the Port field, check Use this proxy server for all protocols option and click OK.
    Screenshot
  10. Advanced Settings window appears after configuring the proxy settings.
    Now, minimize the web browser.
    Screenshot
  11. Kali Linux Desktop appears, click Burp Suite icon in the Dash Dock to launch the application.
    Screenshot
  12. Burp Suite Free Edition window appears, displaying the License Agreement. Click I Accept button to accept the license agreement.
    Screenshot
  13. Burp Suite projects window appears with Temporary project radio button selected by default. Click Next to proceed with the Temporary Project.
    Screenshot
  14. Burp Suite project configuration window appears, click Use Burp defaults radio button, since we will be using the default project configuration to run the application.
    Click Start Burp to start the application.
    Screenshot
  15. Burp Suite main window appears, click Proxy tab.
    Screenshot
  16. Burp Suite Proxy window appears displaying the Intercept section. Ensure that the Intercept is onbutton is activated.
    Screenshot
  17. Now, maximize the web browser and switch to the WordPress login page.
    We do not know a password to log in. So, type random credentials and click Log In.
    The username and password issued in this lab are test and guess.
    Screenshot
  18. Switch to Burp Suite. You will observe that the application has intercepted the login request.
    We will try a set of usernames and passwords on the username and password fields of this request.
    To try, right-click on the request and click Send to Intruder option from the context menu.
    Screenshot
  19. Click on Intruder tab.
    Burp Suite Intruder window appears, click Positions tab.
    Screenshot
  20. Burp Suite sets target positions by default. Click the Clear § button on the right side of the Payload Positions section to clear the payload positions.
    Screenshot
  21. Once you clear the payload positions, select Cluster bomb from the Attack type drop-down list.
    Screenshot
  22. Now, we will be setting the username and password as the payload positions.
    To set the username you entered in the Task no. 17, highlight test and click Add §.
    Screenshot
  23. To set the password you entered in the Task no. 17, highlight guess and click Add §.
    Screenshot
  24. You will now observe that the username and password positions are set.
    To set the payloads, click the Payloads tab.
    Screenshot
  25. Payloads section appears with Payload set 1selected. Click Load … button in the Payload Options [Simple list] section.
    Screenshot
  26. A pop-up appears displaying the file structure. Navigate to /root/Wordlists in the Look In field, select Usernames.txt and click Open.
    Screenshot
  27. You will observe that the usernames inside the text file are loaded in the Payload Options [Simple list] section as shown in the screenshot:
    Screenshot
  28. Now, under the Payload Sets section, select 2from Payload set drop-down list.
    Click Load … button in the Payload Options [Simple list] section.
    Screenshot
  29. A pop-up appears displaying the file structure. Navigate to /root/Wordlists in the Look In field, select Passwords.txt and click Open.
    Screenshot
  30. You will observe that the passwords inside the text file are loaded in the Payload Options [Simple list] section as shown in the screenshot.
    Now, click Start attack button.
    Screenshot
  31. Burp Intruder pop-up appears, click OK.
    Screenshot
  32. Intruder attack 1 window appears, displaying the various username-password combinations along with the Length of the response and Status.
    Wait for 2-3 minutes for Burp Suite to try various username-password combinations.
    Screenshot
  33. Burp Suite tries all the username-password combinations and records the response for each request sent to the WordPress website.
    The length of the response remains almost the same for all the requests containing wrong username-password combination. When burp suite tries the correct username-password combination on the website, the length of the response differs a lot from the other responses and the status also varies accordingly.
    Click Length in the Filter section to sort the lengths of the responses in ascending order.
    Screenshot
  34. Upon clicking Length in the Filter section, Burp Suite arranges the lengths of the responses in ascending order. The length and status of the response for the username-password combination mike - prince is different compared to the other responses, which shows that it is a valid combination.
    Screenshot
  35. Close the Intruder Attack window.
    If a Warning pop-up appears, click OK.
    Screenshot
  36. Go to Burp menu and click Exit to close the application.
    Confirm pop-up appears, click Yes.
    Screenshot
  37. Now, open the Firefox web browser and switch to the Preferences window.
    Go to Proxy Connection Settings, select the Use system proxy settings radio button and click OK.
    Screenshot
  38. Switch to the WordPress login page, type mike/prince in the username and password fields and click Log In.
    Screenshot
  39. You have successfully logged into the WordPress website, meaning that the dictionary attack using Burp Suite was successful.
    Screenshot
  40. Now, we shall upload a shell into the web application to gain unrestricted access to the machine hosting the website in the next lab exercise.
In this lab, you have learned how to perform a dictionary attack on WordPress web application using Burp Suite
Share this article :

0 comments:

Post a Comment

 
Trung Tâm Đào Tạo An Toàn Thông Tin Học Hacker Mũ Xám Online | Học An Ninh Mạng Trực Tuyến | CEH VIỆT NAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved
Web Master @ Võ Sĩ Máy Tính
Contact @ Đông Dương ICT