Hello friends! Are you a beginner in cyber security? Are you passionate about cyber security? If you are interested in learning how to brute force a website login page using tools like Burp Suite and OWASP ZAP, then you are on the right page and this article is exactly for you. Let's learn together.
What is a Brute Force Attack?
Brute force is the simplest method by which an attacker gains access to a victim's login page or server: guessing the correct username and password by trying every combination of usernames and passwords. For example, say you have a padlock with a 3-digit combination PIN. When you forget the PIN, you try combinations of numbers until the padlock opens.
As password complexity increases, the attacker automates the brute force of websites with the aid of sophisticated tools, word lists, dictionaries and so on. This may take days or weeks, but in the end the attacker may find a way into the victim's account. This is perhaps the main reason that many security researchers, big companies and regulatory bodies today stress the importance of strong passwords and two-factor authentication (2FA), such as a code received via email, an OTP, or even a fingerprint.
What is a Word List or Dictionary?
A word list or dictionary is a collection of potential passwords, commonly used for brute force attacks. A brute force attack using a dictionary or word list is sometimes referred to as a dictionary attack. Attackers commonly publish their dictionary file on the internet after an attack so that it can be reused by other attackers in future.
One of the popular word lists bundled with Kali Linux is called "rockyou", located in the /usr/share/wordlists directory. Besides that, you can build your own word list with word list generating tools. For more info refer to the link shown below. https://github.com/topics/wordlist-generator
What is Burp Suite?
Burp Suite is a collection of web application security testing tools developed by PortSwigger Web Security. It is a great tool which allows you to intercept the traffic between the client and the server. It comes in Community (free), Professional and Enterprise editions. Although the Community edition is free, the Professional edition is recommended because of a few additional features such as Burp Scanner.
For demo purposes, we use the Community edition.
How to Set Up Burp Suite?
- Download the Burp Suite installer for your platform (Windows, macOS, or Linux) from the PortSwigger.net website.
- Follow the setup instructions by clicking the Next button.
- When the installation is done, click the Finish button.
- When you start Burp Suite, the only option available is a temporary project. Click Next, keep the Burp Suite defaults as shown in the startup wizard, then click the start button.
Configure the Burp Suite Proxy Setting
At the top, click on the "Proxy" tab, then select "Options" and make sure the port number is 8080.
Configure the Web Browser – Firefox
In Firefox, go to the menu and click on "Options".
In the search box, type "Proxy Settings" and select the settings.
Select "Manual proxy configuration"; by default "HTTP Proxy" is set to IP address 127.0.0.1 and "Port" to 8080.
Delete anything that appears in the "No proxy for" field.
Installing Burp’s CA certificate in Firefox
By default, when you browse an HTTPS website via Burp, the Proxy generates a TLS certificate for each host, signed by its own Certificate Authority (CA) certificate. This CA certificate is generated the first time Burp is run, and stored locally. To use Burp Proxy most effectively with HTTPS websites, you will need to install Burp’s CA certificate as a trusted root in your browser.
As a first step, export the CA certificate from Burp Suite.
Select "Certificate in DER format" and click Next.
Save the certificate in ".cer" format anywhere locally on the machine. Remember the path, as we need to import "burp.cer" into the browser.
Now go to Firefox and select Options.
In the search box, search for "certificate".
Click "View Certificates".
In the Certificate Manager, select "Authorities" and click "Import".
Select the certificate from the location where you saved it earlier.
When you import the certificate, check the box "Trust this CA to identify websites" and click "OK".
You have now imported the certificate. Close all dialog boxes and restart Firefox. You should now be able to visit any HTTPS URL through the proxy without certificate errors.
What is OWASP Zed Attack Proxy?
OWASP ZAP is an open source web application security tool widely used by beginners, developers and pen testers. ZAP is considered one of the OWASP flagship projects and is actively maintained by a group of security researchers across the world. It proxies HTTP traffic and allows you to inspect, modify and resend requests to test for security vulnerabilities. ZAP has many other features, such as a passive scanner, a fuzzer, spidering of web applications and automated scans, plus many more.
How to Set Up ZAP?
- First download ZAP from here: https://www.zaproxy.org/download/. Choose the appropriate version for your OS.
- Execute the installer. Note that ZAP requires Java 8+ in order to run; you must install Java 8+ separately for the Windows, Linux, and Cross-Platform versions.
- Once the installation is complete, launch ZAP and read the license terms. Click Agree if you accept the terms; ZAP will finish installing and then start automatically.
Configure the ZAP Proxy Setting
When you first start ZAP, you will be asked whether you want to persist the ZAP session. By default, ZAP sessions are always recorded to disk in an HSQLDB database with a default name and location. If you do not persist the session, those files are deleted when you exit ZAP. For now, select "No, I do not want to persist this session at this moment in time", then click Start. The ZAP session will not be persisted for now.
Go to "Tools" and select "Options".
Select "Local Proxies" and verify that the address is set to localhost or 127.0.0.1 and the port number to 8082. When you configure the browser, you need to use the same port number.
Configure the Proxy Setting in the Web Browser – Firefox
Go to "Options" in Firefox.
In the search box, type "proxy".
Select "Manual proxy configuration"; by default "HTTP Proxy" is set to IP address 127.0.0.1 and "Port" to 8080. The port number must match the port number in the ZAP proxy setting; here the ZAP proxy port number is 8082, so set it to 8082.
Delete anything that appears in the "No proxy for" field.
Installing ZAP's CA certificate in Firefox
As a first step, export the CA certificate from ZAP.
Select "Dynamic SSL Certificates". Click "Generate" to create a new certificate, then save the certificate in ".cer" format anywhere locally on the machine. Remember the path, as we need to import "owasp_zap_root_ca.cer" into the browser.
Go to Options in Firefox.
In the search box, search for "certificate".
Click "View Certificates".
In the Certificate Manager, select "Authorities" and click "Import".
Import the certificate from the location where you saved it.
Open the certificate, enable "Trust this CA to identify websites", then click OK.
You have now imported the certificate. Close all dialog boxes and restart Firefox. You should now be able to visit any HTTPS URL through the proxy without certificate errors.
Brute Force Attack Using Burp Suite
Now it's time to brute force a web application using Burp Suite and OWASP ZAP. Brute force only web applications you are authorized to test. First of all, never run these tools against any live application or machine without permission. For testing purposes you can use applications like DVWA, bWAPP, etc.
Today our target machine is DVWA. Damn Vulnerable Web Application (DVWA) is a deliberately vulnerable application meant for security professionals to test their skills and tools in a legal environment.
How to install DVWA – read from here: https://github.com/ethicalhack3r/DVWA.
Now open DVWA and log in using its default username and password. Once you are logged in, click on "Brute Force". Also make sure that the security level is set to low or medium.
When you click on Brute Force, it will ask you for a username and password to log in. Now suppose you don't know the password for the account.
Before logging in, make sure that in Burp Suite's "Intercept" tab "Intercept is on". To start the brute force attack, enter a random password and click Login.
In Burp Suite the request has been intercepted.
Now send the intercepted request to Intruder by right-clicking it or by clicking the Action button.
Now go to the payload positions tab and clear the pre-set payload positions using the "Clear" button on the right of the request editor. Add the "password" parameter value as a position by highlighting it and clicking the "Add" button.
In the "Attack type" drop-down menu, select "Sniper". If there is a single payload position, the attack type should be "Sniper"; if there is more than one payload position, the attack type must be "Cluster Bomb".
Now go to the Payloads tab, select '1' from the payload set and set the payload type to "Simple list". In the payload options, enter some possible passwords. You can do this manually or use a custom or pre-set payload list. Click the "Start attack" button.
In the "Intruder attack" window, you can sort the results by column header, here Length and Status. You can also inspect each response. The response that differs from the rest (in length or status) belongs to the correct password; now you have the password and can try it in the DVWA application.
To confirm that the brute force attack has been successful, use the gathered "password" on the DVWA login page.
Username & Password Brute Force Using Burp Suite Cluster Bomb Attack
In the above scenario, we saw how Burp Suite guesses the password for a known username using a Sniper attack. If you know neither the username nor the password, Burp Suite has another option, called the Cluster Bomb attack. Using this option, you can brute force the username and password together. Let's see how.
Enter a random username and password in the DVWA login page.
Intercept the request with Burp Suite and send it to "Intruder" by clicking the Action button.
Now go to Intruder's payload positions tab and clear the pre-set payload positions using the "Clear" button on the right of the request editor. Add the "username" and "password" parameter values as positions by highlighting them and clicking the "Add" button.
In the "Attack type" drop-down menu, select "Cluster bomb".
Now go to the Payloads tab, select '1' from the payload set and set the payload type to "Simple list". In the payload options, enter some possible usernames. Similarly, select '2' from the payload set, set the payload type to "Simple list" and, in the payload options, enter some possible passwords. You can do this manually or use a custom or pre-set payload list. Click the "Start attack" button.
In the "Intruder attack" window, you can sort the results by column header, here Length and Status. You can also inspect each response. Now you have the username and password and can verify them in the DVWA application.
To confirm that the brute force attack has been successful, use the gathered "username" and "password" on the DVWA login page.
Brute Force Attack Using OWASP ZAP
Before starting the brute force attack, make sure the proxy settings are correct. Unlike Burp Suite, ZAP captures all the traffic by default. When you successfully connect to the application from the browser, you can see more lines appear under Sites and in the History.
To start the brute force attack, enter a random password and click Login.
See the intercepted request in ZAP.
Select the URL in "Sites" and click "New Fuzzer" to add payloads.
Add the "username" parameter value as a position by highlighting it and clicking the "Add" button.
After positioning the parameter, you can add payloads by clicking the Add button.
Here, enter the possible usernames and select the type "Strings". If you are using a word list, select the respective type in the drop-down menu. Click Add to go to the next step.
Similarly, select the position of the password parameter and set the second set of payloads: enter possible passwords and select the type "Strings" from the drop-down menu. Click Add to proceed to the next step.
Now you have configured the payloads for username and password. It's time to click "Start Fuzzer".
In the "Fuzzer" window, you can sort the results by column header, here Size Resp. Body, RTT and Reason. You can also compare the responses. Now you have the username and password and can verify them in the DVWA application.
To confirm that the brute force attack has been successful, use the gathered "username" and "password" on the DVWA login page.
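Both the Intruder and Fuzzer runs above leave a very recognisable trace on the server side: one client hitting the login endpoint many times within seconds, varying only the username or password parameter. The script below is an added example (not from the original post) of how a defender would spot that in a web server access log; the log lines are constructed to mimic DVWA's brute force page with GET parameters, the IPs and timestamps are made up, and the thresholds are assumptions you would tune.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample of an Apache-style access log (not real data). The first
# four lines look like an Intruder/Fuzzer run: same source, same endpoint, a
# different password each time, and one response whose size differs (the hit).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /vulnerabilities/brute/?username=admin&password=123456&Login=Login HTTP/1.1" 200 4311
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /vulnerabilities/brute/?username=admin&password=letmein&Login=Login HTTP/1.1" 200 4311
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vulnerabilities/brute/?username=admin&password=qwerty&Login=Login HTTP/1.1" 200 4311
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vulnerabilities/brute/?username=admin&password=password&Login=Login HTTP/1.1" 200 4396
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /vulnerabilities/brute/?username=gordonb&password=abc123&Login=Login HTTP/1.1" 200 4396
10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 1502
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) (?P<size>\d+)')

def find_bruteforce(log_text, login_path="/vulnerabilities/brute/", window_s=60, threshold=4):
    """Return {ip: (attempts, distinct_passwords)} for every source that sent at
    least `threshold` login requests inside some `window_s`-second window.
    login_path, window_s and threshold are assumed values; tune them per site."""
    events = defaultdict(list)  # ip -> [(timestamp, password guess), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("path").startswith(login_path):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        qs = parse_qs(urlparse(m.group("path")).query)
        events[m.group("ip")].append((ts, qs.get("password", [""])[0]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start, best = 0, (0, 0)
        for end in range(len(evs)):  # sliding window over this source's requests
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            n = end - start + 1
            if n >= threshold and n > best[0]:
                best = (n, len({pw for _, pw in evs[start:end + 1]}))
        if best[0]:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))  # {'10.0.0.5': (4, 4)}
```

The same sliding-window logic is what a WAF rate limit or an account lockout implements on the request path; a high count of distinct password values from one source is the signal that separates a brute force from a user simply mistyping.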
Congratulations! You've made a step forward towards brute forcing web applications using OWASP ZAP and Burp Suite. For a security career or bug bounty programs, one should be well versed in both Burp Suite and OWASP ZAP. I prefer ZAP over Burp Suite because, when I do brute force with a word list, the Fuzzer in ZAP is ultra fast compared to Cluster Bomb in Burp Suite.
Happy Learning!