
Brute forcing basic authentication with Hydra

There's more...

Kali Linux includes a very useful collection of password dictionaries and wordlists in /usr/share/wordlists. Some files you will find there are as follows:

rockyou.tar.gz: The RockYou website was hacked in December 2010, more than 14 million passwords were leaked, and this list includes them. These passwords are archived in this file, so you will need to decompress it before using it:

tar -xzf rockyou.tar.gz

dnsmap.txt: Contains common subdomain names, such as intranet, ftp, or www; it is useful when brute forcing a DNS server.

/dirbuster/*: The dirbuster directory contains names of files commonly found in web servers; these files can be used when using DirBuster or OWASP ZAP's Forced Browse.

/wfuzz/*: Inside this directory, we can find a large collection of fuzzing strings for web attacks and brute forcing files.

/metasploit/*: This directory contains all default dictionaries used by Metasploit Framework plugins. It contains dictionaries with default passwords for multiple services, hostnames, usernames, filenames, and many others.


Almost every time we see a seemingly random alphanumeric string ending in one or two equal to (=) symbols, that string is base64 encoded.

We can easily decode it using Burp Suite's Decoder or the base64 command in Kali Linux. The = symbol may be encoded to be URL-friendly, that is, replaced by %3D in some requests and responses.
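The decoding described above, as an added example that is not part of the original book: it parses the value of an Authorization header for HTTP basic authentication (RFC 7617), tolerates padding that arrived URL-encoded as %3D, and splits on the first colon only, because the password itself may contain colons. The sample header values are constructed for this example. Seeing the credentials fall out of a single base64 call is the whole point: base64 is an encoding, not encryption, so anything that can read the request (a proxy, a log, a capture) can read the password.

```python
"""Decode and build HTTP Basic Authentication header values (RFC 7617).

Added example: shows that the base64 string in an Authorization header is an
encoding, not encryption, so the credentials it carries are readable by
anything that sees the request.
"""
import base64
from urllib.parse import unquote


def decode_basic_header(header_value: str) -> tuple[str, str]:
    """Return (username, password) from an 'Authorization' header value.

    Accepts the scheme name case-insensitively and tolerates '=' padding that
    has been URL-encoded as '%3D', as seen in some requests and responses.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError(f"not a Basic credential: {scheme!r}")
    token = unquote(token.strip())                      # turn %3D back into =
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    # RFC 7617: the user-id cannot contain ':', so split on the first one only;
    # the password may legitimately contain further colons.
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("decoded credential has no ':' separator")
    return user, password


def encode_basic_header(username: str, password: str) -> str:
    """Build the header value a client sends for HTTP Basic authentication."""
    if ":" in username:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    # Constructed sample header values (not captured from any real system).
    for sample in ("Basic d2ViZ29hdDp3ZWJnb2F0",      # webgoat:webgoat
                   "Basic YWRtaW46cGFzczp3b3Jk",      # password containing ':'
                   "Basic Ym9iOmJvYg%3D%3D"):         # URL-encoded padding
        print(sample, "->", decode_basic_header(sample))
```

The validate=True flag makes base64 reject characters outside the alphabet instead of silently discarding them, so a mangled header raises rather than decoding to garbage.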

In the previous recipe, we used Burp Suite's Intruder to attack a login form; in this recipe, we will use THC Hydra to attack a different login mechanism, HTTP basic authentication.

Getting ready

As well as the password list we used in the previous recipe, in order to execute this dictionary attack, we will need to have a username list. We will assume we already did our reconnaissance and obtained several valid usernames. Create a text file (ours will be user_list.txt) containing the following:

user
john
admin
alice
bob
administrator
user
webgoat
adam
sample

How to do it...

In the directory where both users and password dictionaries are stored in our Kali Linux VM, we do the following:

1. Open a terminal and run hydra, or use the Applications menu in Kali Linux: Applications | 05 - Password Attacks | Online Attacks | Hydra.

2. Issuing the command without arguments displays the basic help:

Here, we can see some useful information for what we want to do. By using the -L option, we can use a file containing possible usernames. -P allows us to use a password dictionary. We need to end the command with the service we want to attack, followed by :// and the server, and, optionally, the port number and service options.

3. In the terminal, issue the following command to execute the attack:

hydra -L user_list.txt -P top25_passwords.txt -u -e ns http-get://192.168.56.11/WebGoat

Hydra found two different username/password combinations that successfully logged in to the server.

How it works...

Unlike other authentication methods, such as the form-based one, basic authentication is standard in what it sends to the server, how it sends it, and the response it expects from it.

This allows attackers and penetration testers to save precious analysis time on which parameters contain the username and password, how they are processed and sent, and how to distinguish a successful response from an unsuccessful one. This is one of the many reasons why basic authentication is not considered a secure mechanism.

When calling Hydra, we used some parameters:

-L user_list.txt tells Hydra to take the usernames from the user_list.txt file.

-P top25_passwords.txt tells Hydra to take the prospective passwords from the top25_passwords.txt file.

-u: Hydra will iterate usernames first, instead of passwords. This means that Hydra will try all usernames with a single password first and then move on to

http-get indicates that Hydra will be executed against HTTP basic authentication using GET requests.

The service is followed by :// and the target server (192.168.56.11). After the next /, we put the server's options, in this case the URL where the authentication is requested. The port is not specified and Hydra will try the default one, TCP 80.

There's more...

It is not recommended to perform brute force attacks or dictionary attacks with large numbers of passwords on production servers, because we risk interrupting the service, blocking valid users, or being blocked by our client's protection mechanisms.

As a penetration tester, it is recommended to perform this kind of attack using a maximum of four login attempts per user to avoid a blockage; for example, we could try -e ns, as we did here, and add -p 123456 to cover three possibilities: no password, the password is the same as the username, and the password is 123456, which is one of the most common passwords in the world.
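The protection mechanisms mentioned above need something to key on, and for basic authentication the web server's access log already holds it: every rejected attempt is a 401 with the attempted username in the remote-user field. The following is an added example, not from the book, of the detection side: it reads combined-format access-log lines (the lines below are constructed for this example and do not come from any real server), counts 401 responses per client address inside a sliding time window, and reports addresses that exceed a threshold, together with how many distinct usernames they tried (many names with few passwords is the username-first pattern that -u produces) and whether a 200 from the same address followed the failures. The window of 60 seconds and the threshold of four failures are assumptions chosen to match the four-attempts-per-user guidance above.

```python
"""Flag online password guessing against HTTP Basic authentication from access logs.

Added example: parses Apache/Nginx "combined"-style log lines and reports client
addresses whose 401 count inside a sliding window exceeds a threshold.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from a real server). One address cycles
# through several usernames in a few seconds and then gets a 200; another has
# one typo followed by a normal login.
SAMPLE_LOG = """\
192.168.56.1 - user [10/Oct/2023:10:00:01 +0000] "GET /WebGoat HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.56.1 - john [10/Oct/2023:10:00:01 +0000] "GET /WebGoat HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.56.1 - admin [10/Oct/2023:10:00:01 +0000] "GET /WebGoat HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.56.1 - alice [10/Oct/2023:10:00:02 +0000] "GET /WebGoat HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.56.1 - bob [10/Oct/2023:10:00:02 +0000] "GET /WebGoat HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.56.1 - user [10/Oct/2023:10:00:02 +0000] "GET /WebGoat HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.56.1 - john [10/Oct/2023:10:00:03 +0000] "GET /WebGoat HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.56.1 - webgoat [10/Oct/2023:10:00:03 +0000] "GET /WebGoat HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.168.56.20 - alcie [10/Oct/2023:10:00:05 +0000] "GET /WebGoat HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.56.20 - alice [10/Oct/2023:10:00:09 +0000] "GET /WebGoat HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def detect_guessing(lines, window_seconds=60, max_failures=4):
    """Map client address -> alert details for addresses exceeding the threshold."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["status"] == 401]
        # Largest number of 401s from this address inside any window.
        peak, start = 0, 0
        for end in range(len(failures)):
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak <= max_failures:
            continue
        users = {e["user"] for e in failures if e["user"] != "-"}
        first_fail = failures[0]["ts"]
        success_after = {e["user"] for e in evs if e["status"] == 200 and e["ts"] >= first_fail}
        alerts[ip] = {
            "peak_failures": peak,
            "distinct_users": len(users),
            "pattern": "spray" if len(users) > 1 else "single-user",
            "success_after_failures": sorted(success_after),
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_guessing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

A 200 from an address that was just flagged is the line worth acting on first: it means one of the guesses worked, and the account it names should be locked and its password rotated before anything else.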

See also

So far, we have seen two authentication methods in web applications, namely, form-based authentication and basic authentication. These are not the only ones used by developers; the reader is encouraged to further investigate advantages, weaknesses, and possible implementation failures in methods such as:

Digest authentication: This is significantly more secure than basic authentication. Instead of sending the username and password encoded in the header, the client calculates the MD5 hash of a value provided by the server, called a nonce, together with their credentials, and sends this hash to the server, which already knows the nonce, username, and password, and can recalculate the hash and compare both values.

NTLM/Windows authentication: Following the same principle as digest, NTLM authentication uses Windows credentials and the NTLM hashing algorithm to process a challenge provided by the server. This scheme requires multiple request-response exchanges, and the server and any intervening proxies must support persistent connections.

Kerberos authentication: This authentication scheme makes use of the Kerberos protocol to authenticate to a server. As with NTLM, it doesn't ask for a username and password, but it uses Windows credentials to log in.

Bearer tokens: A bearer token is a special value, usually a randomly generated long string or a base64-encoded data structure signed using a cryptographic hashing function, which grants access to any client that presents it to the server.
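The digest exchange described in the first item of the list above, worked through as an added example that is not part of the book: the client-side computation of the response field (RFC 2617 with qop="auth") and a minimal server-side verifier. The realm, user names and passwords are constructed for this example; the server stores only MD5(user:realm:password), issues a fresh nonce per challenge, and refuses a (nonce, nc) pair it has already accepted, which is what stops a captured response from being replayed. The password itself never appears in the Authorization header.

```python
"""HTTP Digest authentication (RFC 2617, qop="auth") worked through end to end.

Added example, not from the book: client-side response computation plus a
minimal server-side verifier, using constructed realm, nonce and credentials.
"""
import hashlib
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: the value sent in the 'response' field of the Authorization header."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # the only place the password is used
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username, password, challenge, method, uri, nc="00000001"):
    """Client side: answer a 'WWW-Authenticate: Digest' challenge; returns (fields, header)."""
    cnonce = secrets.token_hex(8)
    fields = {
        "username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce, "method": method,
    }
    fields["response"] = digest_response(username, password, challenge["realm"],
                                         method, uri, challenge["nonce"], nc, cnonce)
    header = "Digest " + ", ".join(f'{k}="{v}"' for k, v in fields.items() if k != "method")
    return fields, header


class DigestServer:
    """Server side: issues nonces and checks responses without ever receiving the password."""

    def __init__(self, realm, users):
        self.realm = realm
        # Store HA1 = MD5(user:realm:password); verification needs nothing more.
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.issued = set()   # nonces handed out in challenges
        self.used = set()     # (nonce, nc) pairs already accepted, to reject replays

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return {"realm": self.realm, "qop": "auth", "nonce": nonce}

    def verify(self, fields):
        nonce, nc = fields.get("nonce"), fields.get("nc")
        if nonce not in self.issued or (nonce, nc) in self.used:
            return False
        ha1 = self.ha1.get(fields.get("username"))
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{fields['method']}:{fields['uri']}")
        expected = md5_hex(f"{ha1}:{nonce}:{nc}:{fields['cnonce']}:auth:{ha2}")
        ok = secrets.compare_digest(expected, fields["response"])
        if ok:
            self.used.add((nonce, nc))
        return ok


def attempt_login(server, username, password, method="GET", uri="/WebGoat"):
    """One full exchange: challenge -> Authorization -> verdict. Returns (ok, header sent)."""
    fields, header = build_authorization(username, password, server.challenge(), method, uri)
    return server.verify(fields), header


if __name__ == "__main__":
    srv = DigestServer("WebGoat", {"webgoat": "S3cret-pw!"})   # constructed credentials
    ok, hdr = attempt_login(srv, "webgoat", "S3cret-pw!")
    print(ok)
    print(hdr)   # contains username, nonce and hashes, never "S3cret-pw!"
```

The comparison uses secrets.compare_digest so that the verifier does not leak, through timing, how many leading characters of the response were correct. Note that the hash still binds the password to the nonce only: a server that stores HA1 must protect that table as carefully as a password hash, since HA1 alone is enough to answer any challenge for that realm.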
