Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Description

In this lesson, participants receive a demonstration of a brute force attack. Using the Mutillidae application, participants receive step-by-step instructions on how to brute-force an administrative account. After the attack runs, the instructor presents the results to participants and explains which accounts she was able to access via the attack.

Video Transcription

00:04
Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear, and this is the OWASP Top 10 for 2013, A2 Broken Authentication and Session Management demo.
00:20
This demo is a brute force attack.
00:24
This is the demo for brute force attacks and weak password policies.
00:32
So, using Mutillidae, our vulnerable web application, we're going to actually try to brute force an administrator account to get into this application.
00:45
So what we want to do is try to log in. We're going to
00:50
try with just
00:53
a test user. We're going to turn on our interceptor in Burp Suite
01:00
and go ahead and capture that request.
01:03
Now, we're gonna use Burp Suite to actually perform this brute force attack.
01:08
And what we can do is the moment we've captured the request we can right click
01:15
and
01:18
send to Intruder, and then you'll notice the Intruder tab turns orange.
01:26
So what I'm gonna do is I'm actually going to
01:30
set up positions in this request to replace
01:34
the user name and password
01:38
with some
01:40
preloaded payloads that I've created.
01:44
Now the first thing I need to do is get rid of these pre-configured areas where you can replace values. So I'm just gonna click this clear,
01:55
and that gets rid of the question marks.
01:57
But I am interested in actually testing different values for usernames. So I'm gonna
02:05
add my variables around that
02:08
as well as around password.
02:13
I'm going to change the attack type to a cluster bomb,
02:19
and I'm going to set up my payloads.
02:23
Now, the first payload is gonna be for position one, which is the username, and payload two will be the password.
02:30
So let's go ahead and set that up. Now, I've created
02:37
a very small number of usernames in my own file, and so I'm just loading that up.
02:46
And then I've done the same for the passwords. So I'm gonna load that,
02:53
okay. And then the options.
02:58
I'm not really going to add any additional options. I could add some sort of
03:04
exact match of maybe a success string if I knew what that was.
03:12
But, um,
03:14
for now, we'll just leave that as it is.
03:16
So I've got everything set up,
03:20
and, uh, let's go ahead and start the attack. So you start the attack with this Intruder menu at the top and select Start attack.
03:30
This is letting me know that the free version of Burp just contains some limited functionality in this area, which is fine.
03:39
I'm gonna pause the video while this runs through, and we'll come back and look at the results.
03:46
Okay? And so it's completed. Burp has finished. Now what I can do is look at the status here, and if it's anything other than 200, I'll know that something different happened.
04:00
So I'm gonna go ahead and click this. Now, what it tells me is that a 302 is actually a "Found". And so I was successful in finding two accounts, one of which is an admin account. So
04:17
this basically has allowed me to
04:20
brute force the admin account. So what I can do is I can go ahead and take these values.
04:30
And if I just glanced at the response,
04:33
um, you can see that even in the response, the cookie has been set as admin, and I'm logged in as the user admin, so that's very good.
04:46
Um, so what I'm going to do then is go ahead and close this.
04:50
Go back to proxy.
04:55
Change this to admin.
04:58
Change the password to adminpass,
05:02
forward.
05:05
And if we take a look, we can see that we are now logged in
05:11
as the administrator.
05:14
So just a couple of notes in regards to this lesson.
05:17
There was no account lockout.
05:20
The password policy, which, if there is any at all,
05:26
did not require a certain length of the passwords; it allowed for dictionary words.
05:33
And also the passwords were not hashed,
05:38
so there was no hashing function used. There was obviously no salt as well that was added for that. So, a lot of problems. A lot of issues with the password handling for authentication within this application.

Up Next

Secure Coding

In the Secure Coding training course, Sunny Wear will show you how secure coding is important when it comes to lowering risk and vulnerabilities. Learn about XSS, Direct Object Reference, Data Exposure, Buffer Overflows, & Resource Management.

Instructed By

Sunny Wear
Instructor