Using Burp Suite to Brute Force HTTP Basic Auth

The obvious first question is: what is HTTP authentication?

HTTP Basic authentication (BA) is the simplest technique for enforcing access control on web resources because it doesn’t require cookies, session identifiers or login pages. Instead, it uses static, standard HTTP headers, which means that no handshake has to be completed in advance.

Here is what it looks like:

http authentication

What is our aim?

  • Intercepting an HTTP authentication request
  • Setting up Burp to brute force the HTTP Auth request
  • Initiating the attack
  • Getting the successful login

 

To intercept an HTTP authentication request.

First of all we will set the browser to go through our Burp Proxy by simply changing the proxy configuration to the following:

browser proxy setup

Once that is done, we access a router page (192.168.0.1 in my case) to see the HTTP authentication pop-up, enter the credentials and check the response.

encoded request

The Authorization header is the encoded value that contains the username and password we entered.

How to set up Burp to brute force the HTTP Basic Auth request

Now we will set up the brute force against the HTTP Basic Auth value. First we send the request to the Intruder tab and then choose the Sniper attack type.

selecting the sniper parameter

We select the value of the “Authorization: Basic” header, which in this case is YWRtaW46YWRtaW4=, so we highlight it and click Add to mark it as the payload position.

The value is Base64 encoded, and the decoded value here is admin:admin.

decoding the auth Param

This shows us that we need to put a “:” between the two values we pass.

So let’s set up our encoded payload delivery.

The next tab, Payloads, controls the delivery of our attack; this is where we configure the lists.

payload tab

Select payload set = 1 and payload type = custom iterator.

List 1 holds the possible usernames and List 2 holds the possible passwords.

custom iterator list 1

custom iterator list 2

Then we set the separator, the “:”, between the two word lists. Make sure you enter the “:” in Position 1 and not Position 2.

separator

One more thing to remember is that the whole string has to be Base64 encoded for the Authorization header, so we do the following.

Click Add under Payload processing, select Encode from the drop-down list, and then choose Base64 from the second drop-down.

payload processing

Disable the encoding checkbox in the same Payloads tab, otherwise you will end up encoding the “:” character again.

Initiating the Attack

You can start the attack by clicking Intruder (dropdown) → Start attack, then wait for the output.

start attack

response received

Here we see that we have a successful attempt, so let’s check and decode the value.

Getting the Successful Login

Now we can either use the decoded username and password, or simply forward the Basic Auth encoded value, to gain a successful login.

successful login to tplink
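Seen from the server side, the Intruder run above is one client sending many different Authorization: Basic values that each come back 401. The following Python is an added example, not part of the original post, that decodes those headers and flags such a client; the record layout, the client addresses 192.168.0.50 and 192.168.0.77, the guessed credentials and the window/threshold values are constructed assumptions.

```python
import base64
from collections import defaultdict

def decode_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers invalid Base64 and invalid UTF-8
        return None
    user, sep, password = raw.partition(":")  # only the first ":" separates
    return (user, password) if sep else None

def find_guessing_clients(requests, window=60, threshold=5):
    """Map client IP -> most distinct failed credential pairs seen in any
    `window`-second span, for clients that reach `threshold`."""
    failures = defaultdict(list)
    for ts, ip, header, status in sorted(requests):
        creds = decode_basic(header)
        if status == 401 and creds is not None:
            failures[ip].append((ts, creds))
    flagged = {}
    for ip, events in failures.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            distinct = len({c for _, c in events[start:end + 1]})
            if distinct >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

def sample_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample (epoch_s, client_ip, Authorization, status); not real logs.
GUESSES = [("admin", "1234"), ("admin", "password"), ("root", "admin"),
           ("root", "1234"), ("user", "user"), ("admin", "letmein")]
SAMPLE = [(1000 + i, "192.168.0.50", sample_header(u, p), 401)
          for i, (u, p) in enumerate(GUESSES)]
SAMPLE.append((1006, "192.168.0.50", "Basic YWRtaW46YWRtaW4=", 200))
# The same wrong pair retried three times stays below the threshold.
SAMPLE += [(1000 + 10 * i, "192.168.0.77", sample_header("alice", "typo"), 401)
           for i in range(3)]

if __name__ == "__main__":
    print(decode_basic("Basic YWRtaW46YWRtaW4="), find_guessing_clients(SAMPLE))
```

Counting distinct credential pairs rather than raw 401s keeps a user who retypes one wrong password from being flagged, while the rapid sequence of different pairs that ends in a 200 stands out.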

More videos on Burp Yet to come 🙂