DVWA Walkthrough Part 2: Brute Force

68747470733a2f2f7777772e72616e646f6d73746f726d2e636f6d2f696d616765732f746f6f6c732f647677612e706e67

The objective of Part 2 of this walkthrough is to brute force the logon mechanism of the Damn Vulnerable Web App (DVWA) in order to obtain a valid username and password of the administrator account. To accomplish this we will use Burp Suite. Before you start make sure you have completed the setup steps in: Burp Suite Tutorial – Part 1: Setup.

In your web browser navigate to http://<IP address>/vulnerabilities/brute/

Next, make sure that “Intercept is on” is enabled and submit the form. Burp will intercept the traffic and display the HTTP request made to the server by your browser. From the Action drop down select “Send to Intruder”.

Screen Shot 2014-11-02 at 8.49.54 PM

 

Navigate to the Intruder tab. The intruder module is useful for fuzzing specific parameters within a request. The § symbol indicates where Burp will insert it’s payloads into each request.

In this case we want to brute force the username and password arguments. We do not want to brute force the login, PHPSESSID, or security arguments so highlight those and select ‘Clear §’ to remove the placeholders.

Screen Shot 2014-11-02 at 8.50.56 PM

Switch the “Attack type” drop down to Cluster Bomb. This mode will use separate lists to fuzz the username and password arguments and will try all combinations.

Next , select the Payloads tab. For this payload we want to pass in a list of user names. We will use a simple list of usernames in this example.

Screen Shot 2014-11-02 at 8.52.50 PM

Next, select payload 2 from the Payload set drop down. This time we will provide a simple list of passwords to guess.

Screen Shot 2014-11-02 at 8.53.37 PM

Select Intruder > Start attack
Screen Shot 2014-11-02 at 8.53.52 PM

Finally, we can see each request that has been sent to the server, and the combinations of usernames and passwords that we provided.

We can see that the length of the server response in request #1 has changed significantly from the baseline request and other requests. This is interesting and should be investigated. Request #1 has the correct username and password combination. We can validate that we have successfully gained access to the admin account by clicking “Response” > “Render”. Where we are greated with the text “Welcome to the password protected area admin”.

Whenever you are fuzzing with Burp check the Length of the responses as it may be an indication of a weakness.

Screen Shot 2014-11-02 at 8.55.13 PM
Thats it for part 2! You can now see how easy it is to quickly automate HTTP/HTTPS fuzzing using Burp Suite. 

Leave a Reply

Your email address will not be published. Required fields are marked *