Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Description

In this lesson, participants receive a demonstration of username enumeration via a SOAP web service. Using Mutillidae, participants learn how to enumerate usernames with a WSDL-parsing Burp extension in Burp Suite, then use Repeater, Comparer and Intruder to tell existing accounts from non-existing ones by the differences in the service's responses. Participants get step-by-step instructions for obtaining all valid usernames, and a closing secure-coding note on why responses should not reveal whether an account exists.
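The following is an added example, not code from the course or from Mutillidae. It reproduces, offline, the two halves of the lesson: the Intruder-style sniper run that lower-cases each payload and greps every response for the "Results for" marker (plus the response comparison the Comparer step relies on), and the secure-coding fix of returning one consistent message whether or not the account exists. The element names in the SOAP envelope, the response wording, the account list and the wordlist are all assumptions constructed for the example; the real Mutillidae WSDL and messages may differ.

```python
"""Username enumeration through a web-service response that says too much.

Added example (not from the course video or Mutillidae). Two constructed
handlers stand in for the getUser SOAP operation: a leaky one whose reply
differs for existing and non-existing accounts, and a hardened one that
replies identically either way. enumerate_users() mirrors the Burp
Intruder sniper run from the demo: one payload position, a wordlist,
a lower-casing payload rule, and a grep for the "Results for" marker.
It also diffs each response against a not-found baseline, which is what
the Comparer step on the page does by eye.
"""
import re
from xml.sax.saxutils import escape

# Constructed sample data: accounts assumed to exist in the demo application.
KNOWN_ACCOUNTS = {"admin", "john", "jeremy", "bryce", "jim", "sonny"}

# Constructed wordlist, mixed case on purpose: the demo's payload-processing
# rule lower-cases every payload before it is sent.
WORDLIST = ["Admin", "John", "Jeremy", "Bryce", "Jim", "SooHappy", "Gilmore", "Sonny"]

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

def soap_get_user_request(username: str) -> str:
    """Envelope for a getUser call. Element names are an assumption about the
    WSDL, not taken from Mutillidae."""
    return (
        '<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body>'
        '<getUser><username>%s</username></getUser>'
        '</soapenv:Body></soapenv:Envelope>' % (SOAP_NS, escape(username))
    )

_USER_RE = re.compile(r"<username>(.*?)</username>")

def _requested_name(envelope: str) -> str:
    m = _USER_RE.search(envelope)
    return m.group(1) if m else ""

def leaky_get_user(envelope: str) -> str:
    """Vulnerable service: the response text reveals whether the account exists."""
    name = _requested_name(envelope)
    if name in KNOWN_ACCOUNTS:
        body = 'Results for "%s": signature on file' % name
    else:
        body = 'User "%s" does not exist' % name
    return "<getUserResponse><return>%s</return></getUserResponse>" % body

def hardened_get_user(envelope: str) -> str:
    """Fixed service: the same message comes back whether or not the account
    exists, and nothing account-specific is handed to an unauthenticated caller
    (the lookup itself may still happen server-side)."""
    _requested_name(envelope)
    return "<getUserResponse><return>Request received</return></getUserResponse>"

def _normalise(response: str, payload: str) -> str:
    """Mask the echoed payload so two responses compare equal unless the service
    really treated the two names differently (length alone is not a tell when
    the name is echoed back)."""
    return response.replace(escape(payload), "{USER}") if payload else response

def enumerate_users(handler, wordlist, marker='Results for "',
                    baseline_name="nosuchuser_zz"):
    """Sniper run over one payload position. A name is reported as valid when
    the response contains the grep marker or differs from the not-found
    baseline after normalisation. Returns names in wordlist order."""
    baseline = _normalise(handler(soap_get_user_request(baseline_name)), baseline_name)
    valid = []
    for raw in wordlist:
        name = raw.strip().lower()          # payload-processing rule: lower case
        resp = handler(soap_get_user_request(name))
        if marker in resp or _normalise(resp, name) != baseline:
            valid.append(name)
    return valid

if __name__ == "__main__":
    print("leaky   :", enumerate_users(leaky_get_user, WORDLIST))
    print("hardened:", enumerate_users(hardened_get_user, WORDLIST))
```

Against the leaky handler the run flags exactly the constructed accounts and skips the two names that do not exist; against the hardened handler it flags nothing, because neither the grep nor the diff has anything to key on. In a real engagement the handler would be the HTTP call, and the baseline should be a name that is certain not to exist.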

Video Transcription

00:04
Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear, and this is OWASP Top 10 for 2013,
00:13
A2, Broken Authentication and Session Management, demo.
00:19
Username enumeration via a web service.
00:26
This is the demo for username enumeration via a SOAP web service.
00:34
We're gonna use Mutillidae, and under the Broken Authentication and Session Management section
00:40
we have Username Enumeration.
00:43
We're going to attempt this
00:46
through the SOAP web service call.
00:52
So just one thing to note before we get started is I am using an add-on
00:58
to Burp Suite called Wsdler.
01:02
This is an extension that you can get from the Burp App Store, and so you can download that
01:11
and just add it in as a Burp extension.
01:14
It's gonna provide some parsing functionality to us, which makes it much nicer to work with WSDLs.
01:22
So going back to the Proxy tab, we have our intercept on.
01:26
We are going to click the WSDL in order to capture that in our request.
01:34
And so what we can do is we know it's a WSDL because after the GET we actually see a WSDL there. Now we're gonna go ahead and parse this WSDL using our Burp extender.
01:53
And so we can go to the Wsdler
01:57
tab
01:59
and we can see all the operations that are in this WSDL.
02:04
Now, since we're doing username enumeration, we're interested in the getUser operation.
02:12
Now for this particular request, we don't actually have a name for the username, but this is the operation that we're interested in, and we're interested in enumerating
02:25
as many usernames that are valid in the application as we can get.
02:31
The purpose, of course, is to then try to brute force the valid accounts.
02:38
Now, in order to do this, we probably should go ahead and send this to the Repeater
02:49
so that we can capture the response and compare the response of an account that doesn't exist with the response of an account that does exist.
03:01
So what I can do is I can click Go,
03:05
and that gives me the response. Now, in this particular response,
03:09
we can see that the getUser response is
03:16
that this particular user does not exist. Okay,
03:23
I'm going to send this on to the Comparer,
03:29
and we're going to take a look at that
03:31
after we send another request.
03:38
So let's go ahead and
03:40
intercept our request again.
03:52
So I'm gonna turn on the interceptor.
03:59
Uh, this is my WSDL. So I'm going to once again
04:03
parse this,
04:11
but this time I want to send it to the Repeater, and I actually want to change
04:17
the username
04:21
to a valid one. So I'm gonna type in Sonny
04:28
and click the Go button.
04:32
So this is my response. I'm gonna send this response to the Comparer.
04:39
Now, I have two different responses to compare.
04:44
I've got the one that was invalid, or the account didn't exist, and then I have a valid one. I can compare these responses by words by clicking this Compare Words,
05:01
and you can synchronize the views. In this case, it's very short, but you can synchronize the views so that if you had a scrollbar here, they would scroll together.
05:13
Things that are different: obviously, the timestamps are gonna be different. The content length is different.
05:19
But this is really
05:21
what is of interest to us. It says that this user does not exist, but in this one, I have Results for Sonny.
05:31
Okay, I think I can use that to my advantage. So
05:39
let's close this.
05:42
Go back to the Repeater.
05:44
So here you have your two requests and responses, right? So
05:49
this one tab shows me where the user did not exist, and tab two shows me where the user did exist. So what I would like to do is I would actually like to send this response to the Intruder,
06:06
because I want to
06:10
enumerate all of the valid users that are in this application.
06:16
So
06:17
when you first come into the Intruder, it's going to set up these replacement variables at various
06:25
pre-positioned
06:27
locations where it thinks you may want to substitute values. I don't really want these preset ones here, so I'm gonna clear.
06:36
But I am going to replace the name of my user,
06:43
so I'm going to put the variables around this one,
06:47
okay? And so this becomes my baseline.
06:51
I'm gonna leave the attack type as Sniper because it's just this one variable that I'm replacing with one value.
07:01
Now, if I go to my Payloads, I actually have a
07:06
file that I've created ahead of time that has some usernames in it.
07:14
So I'm just gonna load that payload here.
07:16
You can see I've got some usernames there.
07:23
We are going to add a payload processing rule,
07:28
and that will be
07:30
in regards to the case. We're gonna modify the case to just be lowercase, just to make things consistent.
07:42
Okay, I want to enable that.
07:46
And then finally, I want to go to the Options. If you remember, we had that
07:53
string that we could grep on: Results for.
07:58
Ah, so let's go ahead and
08:01
add that so that we can grep for those
08:05
exact words.
08:09
Okay, so: Results for
08:13
and it ends with
08:16
this quote.
08:18
Okay, so the ending is fine. Um, I actually want
08:28
I actually want this
08:31
for my ending, but for the start, I want "Results for". I'll go ahead and put a space there as well.
08:43
Okay, so it's going to grep
08:46
every single time it sends a possible username.
08:52
It's going to grep to see if the web service
08:56
actually returns that message that says Results for.
09:03
Okay. And so I think we're ready to begin our attack, so we're going to start the attack.
09:16
All right? And so what you see here is a column called Results for. That's what we said we wanted to grep for.
09:24
And Sonny is the baseline, so that one really doesn't count.
09:30
But look at the ones that did match. We've got admin, John, Jeremy, Bryce and Jim.
09:37
So that means that all of these are valid usernames inside of the application. And so this becomes my
09:48
username enumeration result.
09:52
Now, it did not match on Soo Happy or Gilmore.
09:58
If I were to take a look at the response for any of these,
10:03
ah, I go to the Response tab
10:09
and I can actually see additional information, right? So I can see the signature
10:15
for this particular user
10:16
and so on.
10:18
And so this is the first step that would be done in order to
10:24
determine all the valid accounts for a particular application. The next step would be the brute-force attack, where you then take all of these valid accounts and then try to guess, in a brute-force manner, what the passwords are.
10:46
Now, one last note to this from a secure coding perspective.
10:50
As application developers, we don't necessarily think about the fact that we might be putting too much information in a response. And so this is a case where we had
11:05
in the response a particular clue that let us know that one account was valid, whereas another one was not. And so what we would want to do is make some sort of consistent message whether
11:20
the account is valid or not, so that an attacker couldn't key off of,
11:26
ah, particular words and grep for those. And so this helped to illustrate how easy it is for this type of attack to be done.

Up Next

Secure Coding

In the Secure Coding training course, Sunny Wear will show you how secure coding is important when it comes to lowering risk and vulnerabilities. Learn about XSS, Direct Object Reference, Data Exposure, Buffer Overflows, & Resource Management.

Instructed By

Sunny Wear
Instructor