- A-Z Education website offers courses related to React Development, Amazon Web Services and Cyber Security algorithms.
- The website has a login page through which users create an account to purchase and view videos related to the course.
- A-Z Education does not use any multi-factor authentication method such as One Time Passwords, security questions, or email verification, which leaves it vulnerable to a variety of attacks.
In this case, I, the attacker, try to access the administrator panel of the website using a list of common usernames and passwords. To carry out the attack, Burp Intruder is used first to find the admin username and then, once the username is known, to find the matching admin password and view the website's dashboard.
- Python
- Burp Suite
- Clone this repository and start the Flask app.
git clone https://github.com/akshatmiglani/Brute-force-for-login-bypass-on-a-local-website.git
cd Brute-force-for-login-bypass-on-a-local-website
pip install flask
python app.py
- Launch Burp Suite and access the login panel in Burp Browser.
- Make sure intercept is on in Burp Suite and submit the login form with any credentials to post a request.
- Send this request to Burp Repeater, set the attack type to Sniper and add a payload position on the username parameter.
- Using the common usernames.txt from this repository, add it to the payload as a simple list and start the attack.
- After finding out that “admin” is the admin username, we move the payload position to the password parameter and brute-force it with the password list to find the password.
- Now we know the admin username and password (the differing response status codes reveal them) and log in to the admin panel using these credentials.
- Accessed the admin panel.
- Use Strong Passwords.
- Limit Login Attempts.
- Monitor IP addresses.
- Use Two-Factor Authentication (2FA).
- Use CAPTCHAs.
- Use Unique Login URLs.
- Disable Root SSH Logins.
- Use Web Application Firewalls (WAFs).
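To show how "Limit Login Attempts" closes the hole exploited above, here is an added example (not code from this repository's app.py) of a login handler with a per-account and per-IP lockout, and a single generic failure response so the status code no longer tells Intruder which usernames exist. The user store, thresholds and `login()` signature are assumptions for the demo; a real app would store salted password hashes.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed demo user store (plaintext only for brevity; hash passwords in practice).
USERS = {"admin": "s3cret-demo-password"}
DUMMY_PASSWORD = "x" * 32      # compared against when the user does not exist

MAX_ATTEMPTS = 5               # failures allowed inside the window before lockout
WINDOW_SECONDS = 300           # sliding window in which failures are counted
LOCKOUT_SECONDS = 900          # how long a locked account or IP stays blocked


@dataclass
class Limiter:
    """Tracks recent failures and lockouts per key ('user:<name>' or 'ip:<addr>')."""
    failures: Dict[str, List[float]] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, key: str, now: float) -> bool:
        return self.locked_until.get(key, 0.0) > now

    def record_failure(self, key: str, now: float) -> None:
        recent = [t for t in self.failures.get(key, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.locked_until[key] = now + LOCKOUT_SECONDS

    def reset(self, key: str) -> None:
        self.failures.pop(key, None)


def login(limiter: Limiter, username: str, password: str, client_ip: str, now=None):
    """Return (status_code, message). Unknown user and wrong password produce the
    identical 401 body, so responses cannot be sorted by username validity."""
    now = time.time() if now is None else now
    keys = (f"user:{username}", f"ip:{client_ip}")
    if any(limiter.is_locked(k, now) for k in keys):
        return 429, "Too many attempts, try again later"
    # Always run the constant-time comparison so timing does not leak user existence.
    stored = USERS.get(username, DUMMY_PASSWORD)
    ok = hmac.compare_digest(stored.encode(), password.encode()) and username in USERS
    if not ok:
        for k in keys:
            limiter.record_failure(k, now)
        return 401, "Invalid username or password"
    for k in keys:
        limiter.reset(k)
    return 200, "Welcome"
```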