How Bug Hunters Find Account Takeover Vulnerabilities via Brute Force
Brute force attacks have long been used by bug hunters and ethical hackers to discover account takeover opportunities. In this post, we will look at how bug hunters discover such flaws in a controlled lab environment, and why this approach is largely ineffective against most modern production systems.
What is a Brute Force Attack?
A brute force attack uses a program that tries many username and password combinations in order to log in to an account without authorization. The attacking tool simply keeps submitting credentials until a correct pair is found.
Step-by-Step Guide: How to Perform a Brute Force Attack in IHA089 Labs
Step 1: Visiting the Target Website
In this demonstration I will use IHA089 Labs, a safe and controlled lab environment that I developed myself to teach ethical hacking techniques. Before testing any website outside a lab environment, you should have legal approval to do so.
Step 2: Accessing the Login Page
Once you have identified the target website, go to its login page, where users enter their username and password to sign in. Submit a few arbitrary usernames and passwords to see how the system behaves on invalid input. Observe the returned messages carefully: they can reveal how the site authenticates users and will be useful in later testing.

Step 3: Setting Up Burp Suite
Burp Suite is an integrated tool for vulnerability assessment and penetration testing of web applications. Start Burp Suite and open the ‘Proxy’ tab, where you can intercept traffic. Turn Intercept on; this option captures every request your browser sends to the server. This step is important for studying the structure of login requests.

Step 4: Capturing the Login Request
With Intercept enabled in Burp Suite, return to the login page of the target site and again enter a random username and password. When you press the login button, Burp Suite shows the actual HTTP request that is being sent to the server. This intercepted request gives you a picture of exactly what is transmitted: the headers, the cookies, and the request body containing the credentials.

Step 5: Analyzing the Request Parameters
After capturing the request, analyse its parameters carefully. The fields to look for are the ones carrying the username and the password; these hold the credentials being submitted. Identifying these parameters is critical, since they are the ones the brute force attack will target.
Step 6: Sending the Request to Intruder
Once you have found the request parameters, send the captured request to Burp Suite’s Intruder tool, which is designed to automate attacks against web applications. Turn Intercept off for now so that no further unwanted requests are captured. Intruder lets you perform the brute force attack by systematically trying all the username and password values.
Step 7: Configuring the Attack Type
In the Intruder tab, locate the attack type and choose Sniper. This mode lets you run multiple tests against the username and password parameters. Mark both parameters in the captured request as payload positions; Burp Suite will then substitute values from the wordlist into those places in the request.

Step 8: Setting the Payload
Intruder has a tab labelled ‘Payload’. Select Simple List as the payload type. Create a wordlist containing the most frequently used usernames and passwords, or use one of the ready-made ones. Paste the wordlist into the payload section; Burp Suite will use these entries during the attack.

Step 9: Launching the Brute Force Attack
Start the attack by entering the number of requests you want to send in the text box next to the Start Attack button and then clicking Start Attack. Burp Suite will then work through every username and password pair, sending requests to the server as fast as it can. Each server response is compared against the others to identify those that indicate a successful login.

Step 10: Analyzing the Response Codes and Length
During the attack you will notice that the response code and response length differ between requests. A response such as 202 Accepted with a response length that does not vary usually means incorrect credentials. A different response code, for instance a 302 Redirect, combined with a different response length indicates that the login was successful.

Step 11: Identifying Valid Credentials
Once you see a successful response code, say a 302 Redirect, look up the request that produced it and check the values used in its username and password parameters. For instance, if the credentials admin and admin@123 were successful, log in manually with the same credentials on the website’s login page to confirm the account takeover.
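The same burst that Steps 9 and 10 show from the attacker's side (many login POSTs in a few seconds, uniform response length for failures, then a 302) is exactly what a defender should be alerting on. The Python below is an added example written for this post, not code from the post or from IHA089 Labs: it parses constructed access-log lines in common log format, keeps a sliding window of login POSTs per source IP, flags any IP that exceeds a threshold inside the window, and records whether a redirect (treated here as a successful login, matching the post's convention) followed the burst. The log lines, IP addresses, threshold and the `/login` path are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (common log format); not real traffic.
# Note the uniform size 1453 for failed logins and the single 302 at the end,
# mirroring the status/length columns Intruder shows from the attacker's side.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:00 +0000] "GET /login HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /login HTTP/1.1" 200 1453
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /login HTTP/1.1" 200 1453
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /login HTTP/1.1" 200 1453
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /login HTTP/1.1" 200 1453
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /login HTTP/1.1" 200 1453
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /login HTTP/1.1" 302 0
192.0.2.9 - - [10/Mar/2024:10:01:00 +0000] "POST /login HTTP/1.1" 200 1453
192.0.2.9 - - [10/Mar/2024:10:01:20 +0000] "POST /login HTTP/1.1" 302 0
not a log line
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one common-log-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_login_bursts(log_text, threshold=5, window_seconds=60, login_path="/login"):
    """Return one finding per source IP that sent at least `threshold` POSTs to
    `login_path` within any `window_seconds` span.  Each finding records the
    first timestamp of the burst, the total attempts seen from the moment the IP
    was flagged, and whether a 302 (assumed to mean a successful login) followed."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs inside the window
    findings = {}                 # ip -> finding dict, created when the IP is flagged
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        ip, ts = rec["ip"], rec["ts"]
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if ip in findings:
            finding = findings[ip]
            finding["attempts"] += 1
            finding["last"] = ts
            if rec["status"] == 302:
                finding["success_after_burst"] = True
        elif len(window) >= threshold:
            findings[ip] = {
                "ip": ip,
                "first": window[0],
                "last": ts,
                "attempts": len(window),
                "success_after_burst": rec["status"] == 302,
            }
    return sorted(findings.values(), key=lambda f: f["first"])


if __name__ == "__main__":
    for f in detect_login_bursts(SAMPLE_LOG):
        print(f"{f['ip']}: {f['attempts']} login POSTs from {f['first'].isoformat()}, "
              f"login succeeded after burst: {f['success_after_burst']}")
```

The detector deliberately keys on the request pattern rather than on the credentials, which a web server never logs; the `success_after_burst` flag is what turns a noisy rate alert into an incident, because it means the guessing actually landed.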


Why Brute Force Attacks Are Less Effective on Modern Systems
Modern web applications have improved their security to the point where a simple brute force attack is very unlikely to go unchallenged. Here are five reasons why:
Rate Limiting and Lockouts
- Most websites’ login forms restrict the number of login attempts from a given IP address.
- Accounts are permanently locked after repeated violations of the attempt limit.
Multi-Factor Authentication (MFA)
- MFA goes beyond the password by requiring a second form of identification before access is granted.
- Guessing the password alone is of little use, since it must be accompanied by a secondary authentication factor, for instance one tied to a mobile device.
CAPTCHA Integration
- CAPTCHA mechanisms are usually triggered after a user fails several login attempts.
- This prevents automated programs from repeatedly submitting login entries.
Strong Password Policies
- Modern password policies impose strict requirements on password creation.
- Users should avoid setting up username and password combinations that can be easily cracked.
IP Blocking and Behavior Analysis
- A system can also notice unusual login patterns originating from the same address.
- Some websites use behavior analytics to identify attackers attempting to log in and block them before they get started.
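To make the first and last of these defences concrete, here is an added Python example written for this post (not code from the post or from IHA089 Labs). It implements a login handler with a per-IP sliding-window rate limit, a per-account lockout after repeated failures, salted PBKDF2 password storage compared in constant time, and one identical response for every kind of denial, so that the status code and response length an Intruder-style attack keys on in Step 10 no longer distinguish a wrong password from a locked account or an unknown username. The `LoginGuard` class, its thresholds, the `GENERIC_DENY` response and the sample user are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

# Assumed constants for the example; a real deployment tunes these.
PBKDF2_ITERATIONS = 50_000
GENERIC_DENY = {"status": 401, "body": "Invalid username or password."}


def make_record(password):
    """Create a stored credential as (salt, PBKDF2-HMAC-SHA256 digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LoginGuard:
    """Hypothetical login handler combining per-IP rate limiting, per-account
    lockout and a single generic failure response."""

    def __init__(self, users, ip_limit=10, ip_window=60, lock_threshold=5, lock_seconds=900):
        self.users = users                  # username -> (salt, digest)
        self.ip_limit = ip_limit            # max login attempts per IP per window
        self.ip_window = ip_window          # window length in seconds
        self.lock_threshold = lock_threshold  # consecutive failures before lockout
        self.lock_seconds = lock_seconds    # how long an account stays locked
        self.ip_hits = defaultdict(deque)   # ip -> timestamps of recent attempts
        self.failures = defaultdict(int)    # username -> consecutive failures
        self.locked_until = {}              # username -> time the lock expires
        # Dummy record so unknown usernames cost the same hashing time as real ones.
        self._dummy = make_record("dummy-password")

    def _verify(self, username, password):
        salt, stored = self.users.get(username, self._dummy)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        # Constant-time comparison; unknown usernames still fail after hashing.
        return username in self.users and hmac.compare_digest(candidate, stored)

    def attempt(self, ip, username, password, now):
        """Return (client_response, internal_reason).  Every denial carries the
        identical client_response; the reason exists only for server-side logging."""
        hits = self.ip_hits[ip]
        hits.append(now)
        while now - hits[0] > self.ip_window:
            hits.popleft()
        if len(hits) > self.ip_limit:
            return dict(GENERIC_DENY), "rate_limited"
        if self.locked_until.get(username, 0) > now:
            return dict(GENERIC_DENY), "locked"
        if self._verify(username, password):
            self.failures[username] = 0
            return {"status": 302, "location": "/home"}, "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.lock_threshold:
            self.locked_until[username] = now + self.lock_seconds
            self.failures[username] = 0
            return dict(GENERIC_DENY), "bad_password_locked"
        return dict(GENERIC_DENY), "bad_password"


if __name__ == "__main__":
    # Constructed lab user; the password is an example value, not a real credential.
    guard = LoginGuard({"alice": make_record("S3cure-Lab-Passphrase!")}, lock_threshold=3)
    for t, pw in enumerate(["guess1", "guess2", "guess3", "S3cure-Lab-Passphrase!"]):
        response, reason = guard.attempt("203.0.113.7", "alice", pw, t)
        print(t, response["status"], reason)
```

Two design points matter more than the thresholds: the rate limit is checked before any hashing so an attacker cannot make the server burn CPU, and the response returned for a lockout is byte-for-byte the same as for a wrong password, so the lockout itself does not become a username-enumeration oracle.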
Although brute force may well work on essentially unprotected systems, the advanced security measures in current systems make the method considerably harder to apply. The demonstration above is a typical scenario exercised in the secure context of IHA089 Labs during penetration testing, solely to illustrate how bug hunters look for such vulnerabilities.
Always practice ethical hacking responsibly and ensure that your penetration tests are authorized and within legal boundaries.
Stay safe and hack ethically!